New General Data Protection Regulation (AVG) in The Netherlands and EU
On 14 April 2016 the European Parliament adopted the General Data Protection Regulation (GDPR; in Dutch: Algemene verordening gegevensbescherming, AVG). This means that from 25 May 2018 a single privacy law applies throughout the whole EU, instead of different national laws.
At present, every Member State of the European Union (EU) has its own privacy law, based on the European Data Protection Directive of 1995. In the Netherlands this is the Personal Data Protection Act (Wet bescherming persoonsgegevens, Wbp). The AVG is a regulation and, unlike a directive, is directly applicable in all EU Member States without national implementing legislation. Until 25 May 2018 a transition period applies in which organisations must bring themselves into compliance with the new rules. The main questions and the actions required are listed below.
The appointment of a data protection officer is no longer optional: it is mandatory for public authorities and for organisations whose core activities consist of large-scale, regular and systematic monitoring of individuals, or of large-scale processing of special categories of personal data (such as health, religious or biometric data).
If you have 250 or more employees, or if you process special categories of data, or if your processing is not occasional or is likely to result in a risk to the individuals concerned, you must keep an internal register of processing activities. For each processing operation this register records, among other things, its purpose, its legal basis and the security measures taken. This register replaces the existing obligation under the Wbp to notify data processing operations to the Data Protection Authority (Autoriteit Persoonsgegevens).
The privacy statement must contain considerably more, and more detailed, information than is currently required. In addition, the statement must be written in clear and plain language.
Processing agreements with service providers (processors) must be far more prescriptive than is presently the case, including with respect to the engagement of sub-processors and the technical and organisational security measures the processor must apply.
For processing operations that are likely to result in a high risk to individuals it is a strict requirement to carry out a Data Protection Impact Assessment (in Dutch practice often called a "Privacy Impact Assessment") in advance. Where the assessment shows that a high risk remains even after mitigating measures, the Data Protection Authority must be consulted before the processing starts.
There will be a further obligation to erase data on request (the right to erasure, or "right to be forgotten"). The use of personal data for profiling is also more strictly regulated, including cases where data is shared with other organisations. Organisations are also obliged under the AVG to report data breaches to the Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and in high-risk cases to inform the affected individuals as well.
The enforcement powers of the Data Protection Authority under the AVG have been strengthened. For breaches of the regulation, fines can be imposed of up to EUR 20 million or up to 4 percent of worldwide annual turnover, whichever is higher. These fines can be imposed not only on the party at whose request the personal data is processed (the controller), but also on the party engaged to carry out the processing (the processor).
ABOUT THE AUTHOR: Manita Hamberg
Manita consults, negotiates and litigates in the area of corporate law in the broad sense, including contract law and the law of obligations, and in the fields of intellectual property law (IE), ICT law, employment law and debt collection.
Copyright AMS Advocaten
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.