Contributed by Vondst Advocaten N.V.
The general requirements that apply in the Netherlands derive from the GDPR and, to a certain degree, from the Implementation Act.
According to Article 37 of the GDPR, the appointment of a DPO in the private sector is required where an organisation’s core activities involve:
The European Data Protection Board (EDPB), which consists of representatives of the national European DPAs and the European Data Protection Supervisor, and which succeeded the Article 29 Working Party (Art29WP), has endorsed the Art29WP guidelines on DPOs (WP 243). In these guidelines the criteria for mandatory designation, the position and the tasks of the DPO are elaborated.
The GDPR requires an organisation to publish the contact details of the DPO and to communicate these to the AP. To notify the AP, organisations should send an email to firstname.lastname@example.org. The AP answers specific (administrative) questions of registered DPOs and sends a quarterly newsletter to DPOs.
The criteria for the lawfulness of processing are set out in Article 6 of the GDPR. Apart from consent, (non-sensitive) personal data can be processed on a number of other grounds, such as the performance of a contract, compliance with a legal obligation, the protection of vital interests, the performance of a public task or the pursuit of legitimate interests.
The principles of ‘privacy by design’ and ‘privacy by default’ (a requirement to put appropriate technical and organisational measures, such as pseudonymisation, in place to implement the data protection principles and safeguard individual rights) have been included in Article 25 of the GDPR. Under the former Data Protection Act, the AP released guidelines on security of personal data, including privacy by design, that are still relevant in daily practice. In its guidelines, the AP encourages controllers to pay close attention to security and to implement a ‘plan-do-check-act’ cycle.
(d) Need to conduct data protection impact assessments (DPIAs).
Under Article 35 of the GDPR, controllers are obliged to carry out a DPIA where the processing is likely to result in a high risk to individuals. The AP has created a DPIA checklist.
First of all, controllers have to check whether their intended type of processing appears on the AP’s list of processing operations that always require a DPIA (the list drawn up under Article 35(4) of the GDPR). This list includes processing activities such as covert investigation, blacklists, credit scoring, monitoring of employees, communication and location data and profiling.
If the intended processing is not on the list, the second step is to assess the risk. The AP refers to the nine criteria set out in the Art29WP guidelines on DPIAs (WP 248). As a rule of thumb, a controller has to perform a DPIA if the processing meets two or more of the nine criteria, such as evaluation or scoring, systematic monitoring, matching or combining datasets or innovative use of data.
If the intended data processing strongly resembles a type of data processing for which a DPIA has already been performed, there is no need for a separate DPIA: under Article 35(1) of the GDPR a single assessment may address a set of similar processing operations that present similar high risks.
The AP has also created a checklist for data processing already existing prior to the GDPR.
Articles 13 and 14 of the GDPR require the controller to provide information to the data subject both where personal data are collected from the data subject (Article 13) and where the data have not been obtained from the data subject (Article 14).
The implementation of privacy policies also assists organisations in meeting the principle of accountability (Article 5(2) of the GDPR). In addition, it is the controller’s responsibility to implement appropriate data protection policies, proportionate in relation to processing activities (Article 24(2) of the GDPR).
The GDPR grants data subjects a number of rights under Articles 12 to 22 (including access, rectification, erasure, restriction, data portability, objection and rights in relation to automated decision-making).
Based on the Implementation Act (which uses the room for restrictions offered by Article 23 of the GDPR), the controller may refrain from applying the rights and obligations referred to above (excluding a number of rights in relation to automated decision-making, but including the obligation to communicate a personal data breach to the data subject in accordance with Article 34 of the GDPR), insofar as this is necessary and proportionate to safeguard, amongst other things, national security, public security and the enforcement of civil law claims.
The GDPR does not apply to anonymous data, as such data do not relate to an identified or identifiable individual. Pseudonymised data can still be attributed to an individual with the use of additional information (Article 4(5) of the GDPR) and therefore remain personal data, so the GDPR applies to the processing of pseudonymised data. Pseudonymisation is, however, expressly listed in Article 32(1)(a) of the GDPR as one of the measures that may be appropriate to ensure a level of security appropriate to the risk.
Article 40 of the Implementation Act stipulates that Article 22(1) of the GDPR – regarding automated individual decision-making, including profiling – does not apply if the automated individual decision-making, other than decision-making based on profiling, is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out for reasons of public interest. If this exception applies, the controller must take appropriate measures to safeguard the data subject’s rights, freedoms and legitimate interests. If the controller is not an administrative body, appropriate measures are in any case deemed to have been taken if the right to obtain human intervention, the data subject’s right to express his or her point of view and the right to contest the decision have been safeguarded.
Under Article 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. Under Dutch law, both financial loss and other disadvantages can be compensated. Other disadvantages may include immaterial or emotional damage. Normally, damage will be calculated in monetary form.
The concept of injury and harm may also play a role in the determination of the amount of a penalty by the AP.
The GDPR identifies special categories of personal data that, by their nature, merit higher protection, as the context of their processing could create significant risks to fundamental rights and freedoms.
These special categories of personal data (Article 9 of the GDPR) comprise data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health and data concerning a person’s sex life or sexual orientation. Personal data relating to criminal convictions and offences or related security measures are not considered a special category of personal data, but specific rules apply to the processing of this type of data (Article 10 of the GDPR). In practice, the AP treats data relating to criminal convictions and offences in the same way as sensitive data.
In addition to the exceptions to the prohibition on processing special categories of data set out in the GDPR itself, the Implementation Act provides for a number of further exceptions.
In addition to the various types of sensitive data mentioned in the GDPR, the AP also treats other data as sensitive, such as financial data, location data, behavioural data and communications data.
Although financial information as such does not qualify as a special category of data under the GDPR, information about someone’s financial affairs will nonetheless most probably be treated as sensitive data by the AP. The code of conduct for financial institutions, which is binding on almost all Dutch financial institutions, gives important guidance on the use of personal data, even though the AP’s formal approval of this code has lapsed.
The GDPR defines data concerning health as personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status (Article 4(15)). Health data may be processed, inter alia, where necessary to protect the vital interests of the data subject, for the purpose of medical diagnosis, for reasons of public interest in the area of public health or for scientific research purposes. The Implementation Act provides for additional exceptions for administrative bodies, pension funds and employers, schools, institutions of rehabilitation, healthcare providers and insurers.
In 2013 the AP investigated the Nike running app and found that it measured how many calories the user burns and how much, how often and how intensively the user runs. The AP concluded that this type of data can be considered health data and therefore constitutes sensitive data.
In an investigation into smart TVs, also in 2013, the AP considered that personal data regarding online viewing behaviour should be treated as sensitive data. This type of data reveals a great deal about the viewer (viewed broadcasts, rented movies, visits to and use of apps and websites, times of switching the device on and off, etc). In this respect the AP referred to Art29WP Opinion 13/2011 on geolocation services on smart mobile devices (WP 185).
Based on recital 47 of the GDPR, the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. Direct marketing generally refers to any form of advertising by which a natural or legal person sends marketing communications directly to one or more identified or identifiable end users using electronic communications services. In addition to the offering of products and services for commercial purposes, this also includes messages sent by political parties and other non-profit organisations in support of the purpose of the organisation.
The general rules for direct marketing are found in Article 21 of the GDPR. Where personal data are processed for direct marketing purposes, the data subject has the right to object to such processing at any time, free of charge and without any justification being necessary; this includes profiling to the extent that it is related to such direct marketing, and applies to both initial and further processing. Once the data subject objects, the personal data may no longer be processed for direct marketing purposes. This right must be explicitly brought to the attention of the data subject, at the latest at the time of the first communication, and presented clearly and separately from any other information.
The Dutch Telecommunications Act provides for an opt-in regime (which essentially requires prior consent) for marketing via email, SMS and similar techniques. Unsolicited communications may nevertheless be sent to existing customers where the contact details were obtained in the context of the sale of a product or service, the message relates to the sender’s own similar products or services and the customer was given an opportunity to object, free of charge and in an easy manner, at the time the contact details were collected. If the customer did not object at that initial collection, the customer must still be given the possibility to object in each subsequent message sent.
Specific rules apply to promotional telephone calls. These rules provide for an opt-out regime, but require a mandatory check of the do-not-call register (the Bel-me-niet Register) before calling.
Workplace privacy is protected by several laws and regulations. The GDPR applies to the workplace. The right to privacy of employees in the Netherlands is furthermore recognised under the European Convention for the Protection of Human Rights. The general principles of fair employment practices of the Dutch Civil Code also protect the privacy rights of employees to some extent. The Works Council Act contains the legal framework for works council involvement in certain privacy issues.
Regulators must act in accordance with the general principles of proper public administration, which, inter alia, means that they must act fairly and proportionately, may not discriminate and must treat citizens equally. If regulators fail to comply with these principles, the Dutch courts will hold that against them.