20 dec General Data Protection Regulation
The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. This regulation replaces the Privacy Directive, which is embodied in Dutch national legislation by the Personal Data Protection Act (WBP). The new regulation aims to further harmonise the protection of personal data within the European Union. A European regulator will also be introduced, in addition to the national regulators.
What is the purpose of the GDPR?
The protection of natural persons when processing personal data is a basic right that is embodied in European legislation. The GDPR ensures personal data protection harmonisation within the European Union. The GDPR gives people more possibilities for asserting their rights during the processing of their data (provided the specified conditions are met). Privacy rights are specifically strengthened and extended. People have the right:
• to inspect their data (right of inspection);
• to port data (right of data transfer);
• to rectify data (right of rectification); and
• to delete data (right to oblivion).
What does the GDPR mean for your organisation?
The GDPR places greater (specific) responsibility with you, the organisation, for demonstrating that you are compliant with the privacy rules. For example, you have to be able to demonstrate that processing complies with the most important principles of processing and that you have implemented appropriate technical and organisational measures to adequately protect personal data. The GDPR specifies a number of measures for this, some of which are mandatory:
• maintaining a register of processing activities (mandatory for companies with more than 250 employees and for organisations working with structural processing of personal data; in the latter case, the number of employees is irrelevant);
• maintaining a register of data leaks that have occurred.
The GDPR provides a specific interpretation of the term ‘appropriate technical and organisational measures’ but it maintains the principle that the level of protection must be appropriate for the processing risks that are identified (the loss, change or unauthorised provision of or unauthorised access to forwarded, stored or otherwise processed data).
A special category in the GDPR is organisations that process large volumes of personal data or that process special personal data of individuals. In that case, under the GDPR, you are obliged to conduct a DPIA (Data Protection Impact Assessment) and appoint a Data Protection Officer (DPO) who is responsible for your organisation’s GDPR compliance. If it is unclear whether you are obliged to appoint a DPO then you must be able to properly substantiate why you have or have not appointed a DPO.
What does this mean in real terms?
According to Article 37 of the Regulation, the appointment of a DPO is mandatory in three situations:
1. the processing is undertaken by government organisations or government agencies (government bodies), except in the case of courts in the performance of their legal duties; in brief, courts are exempt from supervision due to their legal independence;
2. the person responsible for processing or the processor is primarily charged with processing which, due to its nature, extent and/or purposes, requires regular and systematic large-scale observation of the persons involved. Examples of this are detective agencies, as well as Internet companies that offer services for the very detailed monitoring of website visits (analytics);
3. the person responsible for processing or the processor is primarily charged with the large-scale processing of [special and criminal] personal data; for example, this is personal data concerning race, sexual preference or political leanings.
Permission of those involved
The GDPR obliges you to define a justification basis (Article 6). These are six different principles, which do not differ greatly from the principles we are already familiar with from the WBP. In broad terms, they mean that the processing:
1. is approved by your client via permission for one or more specific purposes;
2. is necessary for the execution of a contract to which your client is a party, or for measures to be taken on the request of the client prior to the conclusion of a contract;
3. is necessary for compliance with a legal obligation that is imposed on your organisation;
4. is necessary for the protection of the vital interests of your client or of another natural person;
5. is necessary for the fulfilment of a duty of general interest or a duty within the framework of performing public authority duties imposed on your organisation;
6. is necessary for the justified interests of your organisation or those of a third party, except when the interests or the rights and freedoms with regard to your client’s data protection outweigh these (in particular with regard to a child).
To be allowed to process personal data you must always be able to assign one of the aforementioned bases. The basis of permission is therefore only one of the possibilities. In practice, this means that you do not necessarily need to ask for permission. You can also conclude a contract with your clients (Basis 2) for the purchase or sale of a product or service. To be able to provide/supply this you then have to process personal data. However, make sure that you do not process any personal data that is not necessary for the performance of the contract.
If you process personal data for which you have obtained permission from those involved (Basis 1) then under the GDPR you are obliged to be able to demonstrate to the Dutch Data Protection Authority (DDPA) that you have actually obtained that permission and that it complies with the requirements of the GDPR.
The GDPR identifies two categories of breaches:
• if, as the person responsible, you fail to comply with the obligations under the GDPR, then the DDPA can impose a maximum penalty of up to € 10 million or a penalty of 2% of your worldwide annual turnover in the event this is higher;
• if you are in breach of the principles or bases of the GDPR, or have breached the privacy rights of the persons involved (the people whose data is being processed by the organisation), then the DDPA can impose a maximum penalty of up to € 20 million or a penalty of 4% of your worldwide annual turnover in the event this is higher.
Would you like more insight into the impact of GDPR on your organisation?
As you can gather, we expect that this will have a major impact on our clients. We can imagine you have many questions that are not answered in this article. Therefore, if you would like to know more about the specific impact of the GDPR on your organisation, please do not hesitate to contact our IT Auditors: Lucas Vousten, Bas Dollevoet, Koen Cornelissen, Wessel Penninx, Kevin Verdonschot and Jeroen Vervoort, who will be pleased to help you with any important questions you have about the GDPR.