GDPR enforcement becomes stricter in the Netherlands
21 June 2019
As you will probably know, the GDPR has been in force in the Netherlands since 25 May 2018. We have already communicated about this topic in the past. So far, the authority tasked with supervising compliance with the GDPR in the Netherlands, the Dutch Data Protection Authority (DPA), has played a mainly informative role. However, the DPA announced some time ago that it would no longer only provide information, but also take enforcement action. In the meantime, the first fines have been imposed on companies. For the sake of completeness, you will therefore find below an overview of everything you can be faced with in the Netherlands with regard to the GDPR.
The ground for processing
You are only allowed to process personal data if you have a good reason to do so. You are not allowed to process more data than is necessary for the purpose for which you process it (proportionality principle), and you may only process the data if that purpose cannot be achieved without the processing operations (subsidiarity principle). But these are only the general rules. In addition, you will have to meet a number of important requirements, namely:
- duty of disclosure: you must actively inform the persons whose data you process that you are processing this data;
- keeping a register of processing activities: among other things, the personal data that is being processed, the purpose of the processing operations and the retention period for the personal data are recorded in this register;
- possibly appointing a data protection officer: this is an officer tasked with the internal supervision of the processing of personal data. This requirement applies, for example, if you process special personal data. Examples of special personal data are data which reveal someone's race or ethnic origin, or data on health, religion, etc.;
- Data Protection Impact Assessment (DPIA): sometimes an investigation has to be carried out to assess to what extent a high privacy risk exists in respect of the stored data;
- obligation to report data breaches: in the event of a data breach, you must actively report it to the DPA yourself. Note that sending an email to the wrong person already constitutes a data breach. It is advisable to draw up a clear internal policy for this;
- duty to protect data: of course, the data must be adequately protected. Not only technically, but also by, for example, having proper internal rules for the storage and processing of personal data in place, and observing these rules.
Rights of data subjects
In addition, it is important to consider the rights that people have when their personal data is stored and processed. This means that, with regard to both the technical systems and the internal guidelines, you must ensure that these rights can be respected. In particular, the rights concerned are the following:
- Right to information: everyone can enquire which of his or her data is processed and stored, and why;
- Right to a copy: everyone can request a copy of all data stored about him or her;
- Right to rectification: everyone can demand that incorrect data is quickly and accurately corrected;
- Right to be forgotten: everyone can demand that his or her data is erased. In that case, this must be done as soon as possible. However, this data may only be erased once the statutory retention obligation has lapsed.
All in all, a lot of rules. Meeting them will require a considerable effort from companies. However, it is important to have everything with regard to the GDPR in good order. The fines that can be imposed by the DPA are hefty: up to 20 million euro or 4% of a company's worldwide turnover!