The General Data Protection Regulation (AVG) has been adopted since 14 April 2016 and applies in the Netherlands. This means that from 25 May 2018 a single privacy law applies throughout the whole EU, instead of different national laws. Attorney Hidde Reitsma explains the most important changes and indicates what to look out for.
At present, all Member States of the European Union (EU) have their own privacy law based on the European Privacy Directive of 1995. In the Netherlands this is the Personal Data Protection Act (Wet bescherming persoonsgegevens, Wbp). The AVG is a regulation and, unlike the directive, is directly applicable in all EU Member States. From 25 May 2018 a single privacy law will apply across the EU, instead of different national laws. Until that date a transition period for compliance with the new rules applies. The main questions and required actions are listed below.
The appointment of a data protection officer is no longer optional: it is mandatory in all cases for organisations whose core business involves the processing of special personal data or the processing of personal data on a large scale.
If you have more than 250 employees, or if you process sensitive data, you must create an internal register in which the various processing operations within your organisation are tracked, including their purpose, legal basis and any security measures taken. This register replaces the existing obligation under the Wbp to report data processing operations to the regulatory body.
The privacy statement must include much more, and more detailed, information than is currently required. In addition, the statement must be written in clear language.
Processing agreements with service providers must be far more prescriptive than is presently the case, including with respect to the use of third-party providers and the technical and organisational security measures which the processor must apply.
For processing operations that are determined to be particularly high-risk, it is a strict requirement to carry out a "Privacy Impact Assessment" in advance, and in some cases prior authorisation is required from the Data Protection Authority.
There will also be a further obligation to erase data. The use of personal data for profiling is more strictly regulated as well, including cases where data is shared with other organisations. Under the AVG, organisations are also obliged to report data leaks to the Data Protection Authority.
The enforcement capabilities of the Data Protection Authority have been strengthened under the AVG. For failure to observe the regulation, fines of up to EUR 20 million or up to 4 percent of global annual turnover can be imposed. These fines can be imposed not only on the party at whose request the personal data is processed, but also on the party commissioned to carry out the processing. If you have any questions about the AVG and the changes, please feel free to contact AMS Advocaten.