The new privacy legislation is coming

The provision and storage of personal data is regulated in the Netherlands by the Wet Bescherming Persoonsgegevens (WBP). As per May 25, 2018, this Act will take place for the General Data Protection Regulation (GDPR), or as the Dutch call it: Algemene Verordening Gegevensbescherming (AVG).

With this new legislation the privacy rights of individuals are provided and extended. Organizations are given a greater responsibility to protect the personal data they process. 

This new legislation applies to all EU countries. In the Netherlands, the regulator is “Autoriteit Persoonsgegevens” (Data Protection Authority).

What are personal data?
Personal data are basically all data about an identified or identifiable natural person. The name, address and place of residence are personal data, but also telephone numbers, and postal codes are personal data. Special personal data are, for example, the race, religion or health of someone. These special personal details are protected by law.

What rights do I have?
As a person you have different rights when it comes to your personal data.

• Right of access: you always have the right to ask an organization if they have recorded personal data and, if so, what personal data they are. You do not have to give any reason for the access request. You are only entitled to your own data, not to those of another person.
• Right to forgetfulness: this right is much like the right to correction and removal as it already existed in the Wbp. This right means that an organization must correct, supplement, delete or protect personal data if the data is incorrect, incomplete or irrelevant for the purpose for which it was collected. Even if the collection is contrary to the law in another way, you may invoke this right. For example, an organization must delete the data if they no longer need it and you can withdraw the permission to use data.
  You have the right to ask an organization to correct, supplement, delete or shield the personal data. You can do this if the information is incorrect, incomplete or irrelevant for the purpose for which it was collected. Even if the collection is contrary to the law in another way, you may invoke this right.
• The right to data portability: this right means that personal data are transferable. You have the right to receive personal data that an organization has from you. For example, you can easily pass on your data to another supplier of a comparable service. The difference with the right of access is that you can be invited to view your data with this right. The right to data portability gives you the right to receive the data in a way that they can be reused for another organization.

 
What obligations do organizations have?
Organizations have an accountability. They must be able to demonstrate that they act in accordance with the GDPR. Part of this obligation is that they keep a processing register. For example, they must be able to demonstrate the legality, transparency, purpose limitation and correctness of the collection and processing of the data. In addition, organizations must be able to demonstrate that they have taken the right technical and organizational measures to protect the collected personal data.

This means that they have to perform a DPIA (data protection impact assessment). In this way the privacy risks are mapped in advance and it is indicated which measures can be taken to reduce the risks.

In addition, various organizations are obliged to appoint a data protection officer. This applies to government agencies and public organizations, organizations that monitor individuals on a large scale from their core activities (eg camera surveillance) and organizations that process special personal data where this is a core activity. From the EU, other situations may be mentioned in which an FG is mandatory.

As with the old Act, organizations still have an obligation to report data leaks and conclude processor agreements with a third party. Here, however, new requirements have been set.

More information about the protection of personal data (in the Netherlands) can be found on the website of the authority personal data.