General Data Protection Regulation
On 27 April 2016, the final text of the General Data Protection Regulation (‘GDPR’) was adopted. This regulation sets out more, and more specific, requirements for the lawful handling of personal data. The GDPR is part of a broad package of measures set to replace the currently applicable EU data protection legislation.
For some time now, privacy and the careful handling of personal data have attracted ever-increasing interest from organizations, the media and the general public. A growing number of organizations consider proper arrangements in this field to be a competitive edge and an effective information management system to be indispensable; in any case, they do not want to run the risk of being found wanting in this respect.
The GDPR will have direct effect in the Netherlands and accordingly, it will replace the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens or ‘Wbp’).
The positive aspect of this development is that the new regulation will put an end to the differences between the legislation in this field in the various Member States of the European Union, also because of the introduction of a ‘one-stop shop’. Particularly internationally operating organizations are expected to benefit from this.
Attention required
With effect from 25 May 2018, every organization will have to comply with the requirements imposed by the GDPR. That seems a long way off, but it is important to make preparations in good time.
In addition, the Netherlands has anticipated the new rules by enacting stricter legislation regarding higher penalties and the notification obligation for data breaches, which entered into force on 1 January 2016. This means that the protection of personal data should be high on the agenda of the management/executive board.
Consequences
The GDPR has consequences for the way in which your organization must handle personal data and share these data with other organizations. Important changes include the following:
- Transparency: In contrast to the old legislation, transparency with regard to the data that are shared and processed constitutes an independent principle under the GDPR, and the same applies to accountability for processing operations as such. This means that organizations are under an obligation to have documents in which all aspects of the processing of personal data by the organization are described in detail.
- Accountability: In contrast to the old legislation, organizations will now have to pursue an active policy and implement measures showing that the GDPR is complied with. This means that it will no longer be sufficient only to provide information passively about the purposes and means of processing.
- Data Protection Officer: The appointment of a Data Protection Officer is no longer voluntary but compulsory for organizations that carry out many processing operations.
- Young people: The processing of personal data of young people below the age of 16 years for the purposes of online services is permitted only with the consent of the parents, the burden of proof for this consent lying with the organization that processes the personal data. Member States may reduce this age to 13 years.
- The right to be forgotten: The processor of personal data has a far-reaching duty to delete data, and if these data have been shared publicly, the recipients must as a rule also be informed of the deletion.
- Notification obligation: Organizations are obliged to notify data breaches to the Dutch Data Protection Authority and the data subjects. Regrettably, the details of this notification obligation are slightly different from those of the notification obligation that was introduced in the Netherlands with effect from 1 January 2016 under the Dutch Personal Data Protection Act.
- Profiling: The use of personal data for profiling purposes is strictly regulated, also where data are shared for this purpose with other organizations. This requires explicit consent, which goes beyond unambiguous consent.
- Data protection by design and data protection by default: The GDPR includes more explicit provisions than the old legislation about the requirement to take technical and organizational measures designed to limit the processing of personal data to what is necessary; as a general rule, personal data may not be shared with an unlimited number of natural persons.
- Privacy Impact Assessment (PIA): High-risk processing operations within the meaning of the GDPR must be preceded by a data protection impact assessment and in specific cases these operations even require the prior consent of the Dutch Data Protection Authority.
- Enforcement: In addition, the enforcement powers of the Data Protection Authority have increased considerably, and it will in the future be able to impose penalties of up to EUR 20 million or a maximum of 4 percent of the controller’s worldwide annual turnover. These penalties may be imposed not only on the party on whose instructions the personal data are processed (the controller) but also on the party entrusted with the processing of the personal data on the instructions of the controller (the processor). This means that the penalty regime will be much stricter than the regime that entered into force in the Netherlands with effect from 1 January 2016, which is not lenient either.
Action plan
Organizations are struggling with the actual implementation of this complex legislation. As specialised lawyers, we are, on the one hand, well placed to determine at a strategic level what position the organization should take and subsequently what is to be expected from the organization. On the other hand, we are also in an excellent position to propose solutions in the form of model contracts, manuals, course material, etc.
To implement the necessary measures on time and within budget, we use an action plan.
Relevant to you?
Do you wonder whether you have your affairs in order legally? Are you of the opinion that the careful handling of personal data is paramount to your organization? Do you have someone who possesses the appropriate knowledge and experience? Do you consider the GDPR and the stiff penalties introduced by it to be a good opportunity to get your own house in order?
As your data protection experts, we are pleased to assist you. Thanks to our knowledge and experience, we are able to grasp the essentials quickly and determine together with you what your position is and what additional measures may be necessary.
Individual advice or workshop
Are you interested in a workshop about the consequences of the General Data Protection Regulation for your organization or do you prefer advice that is tailored to your individual needs? For a fixed fee, we will analyse your legal situation and you will receive a clear report from us. Are you curious about our methods, knowledge and references?
Make an appointment with Huub de Jong or Tom de Wit.