
The General Data Protection Regulation

12th of December

As from 25 May 2018, the European General Data Protection Regulation (GDPR) will take effect in Europe, and therefore in the Netherlands as well. So far, data protection has been provided for in the Netherlands under the Personal Data Protection Act.

The GDPR deviates in several respects from this Act. The most important changes are that the privacy rights of the persons whose data are stored are expanded, and that the fines for breaches are considerably higher than in current Dutch legislation.

Which data are covered in the GDPR

In the GDPR, personal data is defined as any information about an identified or identifiable natural person, e.g. name, location details, identification numbers, etc.

The GDPR distinguishes between ‘normal’ personal data and ‘special’ personal data. The latter category includes, for example, data on religion, political opinion, memberships of trade unions, genetic data, etc.

The normal personal data may be processed if all requirements of the regulation are met. The special personal data may only be processed under certain conditions, for example, if express permission has been given by the person involved.

What is additional with regard to current Dutch legislation

In the GDPR, several matters are covered in a more comprehensive way than in current Dutch legislation. For example, express permission from the person involved to process the data is always required under the GDPR. This permission must also be reproducible at a later stage, and the person involved must be able to withdraw his permission as easily as he granted it.

Besides, a person always has the right to rectify his data if they prove to be incorrect. A person always has the right to have his data deleted as well. This also means that if the data have been transferred to another body, the processor of the data must ensure that these bodies also adjust or, as the case may be, delete these data. Apart from other points of attention, the focus should also be on sending mails to various persons in cc and bcc.

Further, the entrepreneur who processes the data will have more responsibilities. He will have to demonstrate that the proper organisational and technical measures have been taken to process the data in a correct and safe way (these measures will have to meet the requirements of the GDPR). In some situations, conducting a Privacy Impact Assessment may be obligatory, or a Data Protection Officer may have to be appointed.

Who has supervision

In the Netherlands, the Dutch Data Protection Authority (Dutch DPA) has been tasked with the supervision of compliance with the rules of the GDPR. The Dutch DPA has to be notified in the event of a data leak (data have or may have been acquired by unauthorised third parties). If the rules of the GDPR have not been complied with, the Dutch DPA will be authorised to impose fines that may be as high as 4% of the annual global turnover of the company to a maximum amount of € 20,000,000. In addition, parties that have suffered losses may also obtain compensation through the court. In principle, there is no maximum amount for this, though such compensation will usually be much lower in the Netherlands than in countries such as the United States.

Finally

Unfortunately, there is no clear overall picture of the GDPR as yet. However, this does not mean that it is not necessary for companies to prepare for the requirements the GDPR will set. The implementation as from 25 May 2018 is a given fact, and in principle, you may be fined if you have not put your affairs in order. It remains to be seen if this is actually going to happen, especially because so much is still unclear, but it will be important to arrange everything in advance that can be arranged.