Contributed By Vondst Advocaten N V
The general requirements that apply in the Netherlands derive from the GDPR and, to a certain degree, from the Implementation Act.
According to Article 37 of the GDPR, the appointment of a DPO in the private sector is required where an organisation’s core activities involve:
The European Data Protection Board (EDPB), which consists of representatives of European DPAs and the European Data Protection Supervisor, and succeeded the Article 29 Working Party (Art29WP), has adopted a guideline on DPOs (WP 243). In this guideline, the EDPB elaborates on the criteria of mandatory designation, the position and the tasks of the DPO.
The GDPR requires an organisation to publish the contact details of the DPO and to communicate these to the AP. To notify the AP, organisations should send an email to firstname.lastname@example.org. The AP answers specific (administrative) questions of registered DPOs and sends a quarterly newsletter to DPOs.
The criteria for the lawfulness of processing are included in Article 6 of the GDPR. Apart from obtaining consent, personal (non-sensitive) data can be processed based on a number of grounds, such as the performance of a contract or for upholding legitimate interests.
The principles of ‘privacy by design’ and ‘privacy by default’ (a requirement to put appropriate technical and organisational measures, such as pseudonymisation, in place to implement the data protection principles and safeguard individual rights) have been included in Article 25 of the GDPR. Under the former Data Protection Act, the AP released guidelines on security of personal data, including privacy by design, that are still relevant in daily practice. In its guidelines, the AP encourages controllers to pay close attention to security and to implement a ‘plan-do-check-act’ cycle.
(d) Need to conduct privacy impact analyses.
Under Article 35 of the GDPR, controllers are obliged to carry out a DPIA where the processing is likely to result in a high risk to individuals. The AP has created a DPIA checklist.
First of all, controllers have to check whether their intended type of processing is on the list of processing operations that require a DPIA. On this list are processing activities such as covert research, blacklists, credit scoring, monitoring employees, communication and location data and profiling.
If the intended processing is not on the list, the second step is to assess the risk. The AP refers to the nine criteria set out by the European data protection authorities. As a rule of thumb, a controller has to perform a DPIA if the processing meets two or more of the nine criteria such as evaluation or scoring, systematic monitoring, matching or combining datasets or innovative use of data.
If the intended data processing strongly resembles a type of data processing for which a DPIA has already been performed, there is no need for a DPIA with regard to the intended data processing.
The AP has also created a checklist for data processing already existing prior to the GDPR.
Articles 13 and 14 of the GDPR require the data controller to provide information to the data subject both where personal data is collected from the data subject directly and where the data has not been obtained from the data subject.
The implementation of privacy policies also assists organisations in meeting the principle of accountability (Article 5(2) of the GDPR). In addition, it is the controller’s responsibility to implement appropriate data protection policies, proportionate in relation to processing activities (Article 24(2) of the GDPR).
The GDPR grants data subjects a number of rights under Articles 13-22.
Based on the Implementation Act, the controller may refrain from applying the rights and obligations referred to above (excluding a number of rights in relation to automated decision-making, but including the obligation to communicate a personal data breach to the data subject in accordance with Article 34 of the GDPR), insofar as this is necessary and proportionate to safeguard, amongst other things, national security, public security and the enforcement of civil law claims.
The GDPR does not apply to anonymous data, as such data does not relate to an identified or identifiable individual. Pseudonymised data can still be used to identify an individual, so the GDPR does apply to the processing of pseudonymised data. Pseudonymisation is, however, one of the measures named in Article 32(1)(a) for ensuring an appropriate level of security.
Article 40 of the Implementation Act stipulates that Article 22(1) of the GDPR – regarding automated individual decision-making, including profiling – does not apply if the automated individual decision-making, other than based on profiling, is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out for reasons of public interest. If this exception applies, the controller must take appropriate measures to safeguard the data subject’s rights, freedoms and legitimate interests. If the controller is not an administrative body, the appropriate measures are in any case deemed to have been taken if the right to obtain human intervention, the data subject’s right to express his or her point of view and the right to contest the decision have been safeguarded.
Any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. Under Dutch law, financial loss and other disadvantages can be compensated. Other disadvantages may include immaterial or emotional damage. Normally, damage will be calculated in monetary form.
The concept of injury and harm may also play a role in the determination of the amount of a penalty by the AP.