The European privacy regulation: what will change?
In the field of privacy regulation, the Personal Data Protection Act [Wet Bescherming Persoonsgegevens (WBP)] and the Data Leaks Reporting Obligation [Meldplicht datalekken] based on this Act (the latter since 1 January 2016) still apply in the Netherlands at the moment. This Act is an elaboration of the present European Data Protection Directive. As many know, and as was announced long ago, the General Data Protection Regulation (GDPR) [Algemene Verordening gegevensbescherming (AVG)] enters into force on 25 May 2018. This European Regulation is directly applicable in the EU member states and replaces the European Data Protection Directive, and therefore also the Dutch Personal Data Protection Act. There are many stories about the GDPR, and there seems to be a lot of uncertainty. Both regulations provide rules for companies that “process personal data”.
‘Processing personal data’
The definition of ‘processing personal data’ in the GDPR remains the same as in the present legislation. ‘Personal data’ are data from which a person’s identity can be established directly or without disproportionate effort. The ‘processing’ of personal data includes all the acts that an organization may carry out with personal data, from collection to destruction. ‘Processing personal data’ is such a broad term that it quickly applies (whether intentionally or not).
The current general starting points for data processing, namely the principles of lawfulness, decency, transparency, confidentiality and efficiency, also remain intact under the GDPR. In addition, it still holds that personal data may only be processed insofar as they are sufficient and useful. What is more, no more personal data may be processed than necessary, and personal data must not be stored longer than necessary for the purposes and means of the processing.
Authorized processing of personal data
The exhaustive list included in the Dutch Personal Data Protection Act, stating the circumstances under which personal data may be processed, also remains intact. Examples of such circumstances are:
- The person concerned (whose personal data are processed) has granted his or her permission for the processing of his or her personal data for one or more specific purposes;
- The processing is necessary for the performance of an agreement to which the person concerned is a party, or to take measures at the request of the person concerned before the conclusion of an agreement;
- The processing is necessary to meet a legal obligation that is vested in the controller; or
- The processing is necessary in order to protect the vital interests of the person concerned or of another natural person.
So far, not much seems to change. What will change when the GDPR enters into force? Below is a list of the most important changes.
(i) Extension of the scope
At this moment, only Dutch companies fall under the scope of the Dutch Personal Data Protection Act. From the entry into force of the GDPR on 25 May 2018, non-European companies offering goods or services to persons within Europe will also fall under the European rules for privacy protection. This means a considerable extension of the scope of these rules.
(ii) Data leaks
The Data Leaks Reporting Obligation that already applies in the Netherlands at present is based on the Dutch Personal Data Protection Act, but does not arise from the European Data Protection Directive. A similar reporting obligation is included in the GDPR, on the basis of which a data leak must be reported to the competent authorities (in the Netherlands, this is the Dutch Data Protection Authority) within 72 hours after it is detected, unless it is likely that the data leak does not present a risk to the rights and freedoms of persons.
(iii) Rights of persons concerned
All natural persons whose personal data are or will be processed acquire additional rights under the GDPR, in comparison with the Dutch Personal Data Protection Act. For example, it must remain as easy to withdraw permission for data processing as it was to grant this permission. Furthermore, the right to so-called “data portability” is introduced. This means that persons have the right to obtain (under certain terms) the personal data that an organization collected about them in a standard format, in order for them to pass this on to other authorities. Finally, the “right to be forgotten” is more firmly anchored in the GDPR. The right to be forgotten means that every person concerned has the right to have his or her personal data removed where these are no longer necessary for the purposes for which they were collected, where the person concerned withdraws his or her permission for the processing or objects to the processing of his or her personal data, where the personal data were unlawfully processed (for example in violation of applicable legislation), or where the data are processed when rendering services to children under the age of 16.
(iv) Data Protection Impact Assessment (DPIA), Privacy by Design and Privacy by Default
If personal data are processed through (more) risky media, the controller is obliged to carry out a so-called impact assessment. If it appears from this assessment that there are risks for the protection of privacy, suitable measures must be taken in order to obviate these risks, and it must be actively checked whether these measures are adopted. According to the concepts of “Privacy by Design” and “Privacy by Default” introduced in the GDPR, organizations must be set up in such a manner that privacy aspects are an essential part of the organization’s structure. If this does not happen, the organization is liable and risks very high penalties. Part of these concepts is the obligation to keep a register documenting which personal data are processed by the organization, the purposes of this data processing, which authorities receive the personal data from the organization, which security measures were taken by the organization and how long the organization wishes to store the data (1). The Dutch Data Protection Authority may request this register at any time.
The most striking change made by the GDPR is the shift from the currently applicable starting point of confidentiality, under which the privacy rules must be complied with, to an obligation for organizations to actually prove that they have complied with these obligations. If an organization is not able to do so sufficiently, it risks a penalty that could run up to € 20 million or 4% of the worldwide turnover (whichever is higher). In view of these risks, it is very important that the privacy budget of your organization is up to date prior to 25 May 2018.
Should the above give rise to any questions, please contact mr. M.A. (Michel) T Schroots.
(1) If the organization has fewer than 250 employees and does not ‘systematically’ process personal data, the organization is exempted from keeping a register.