Documentation
This page is (partly) focused on the GDPR in the Netherlands

Privacy Legislation

In the European Union (EU), each member state initially had its own privacy law. These national laws were all based on the European privacy directive of 1995 (Directive 95/46/EC). In the Netherlands, the national implementation of this directive was the Personal Data Protection Act (Wet bescherming persoonsgegevens, WBP).

Since May 25, 2018, the General Data Protection Regulation (GDPR) has been in effect. This means that from that date there is only one privacy law in the entire EU. The WBP has since ceased to apply, but the basic principles of that legislation still form the core of the GDPR. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) supervises compliance with the legal rules for the protection of personal data.

What is the general purpose of the GDPR?

The general purpose of the General Data Protection Regulation is to protect EU citizens in the field of privacy regulation and personal data. The GDPR provides rights regarding personal data shared with organizations that collect, store, and process such personal data.

Who does the GDPR apply to?

The GDPR applies to any organization established in the EU that processes personal data, and also to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. It protects everyone in the EU, not only EU citizens, and an organization does not need to be established in the EU to fall under its requirements.

What actions can I take?

As an organization, you can take steps to comply with the GDPR. The Practical GDPR page of the Dutch Data Protection Authority can help with this.

What is personal data?

The GDPR states that personal data is any information relating to an identified or identifiable natural person. There are many types of personal data. Obvious data include someone’s name, address, and place of residence. Phone numbers and postal codes with house numbers are also personal data. Sensitive data such as race, religion, or health are referred to as special categories of personal data. These are given extra protection by law.

What does processing personal data mean?

Processing refers to all actions an organization can perform with personal data, from collection to destruction. The law cites examples such as collecting, recording, organizing, storing, updating, altering, retrieving, consulting, using, disclosure by transmission, dissemination, making available, combining, linking, restricting, erasing, and destroying data.
The law stipulates that an organization may only process personal data for a specified, legitimate purpose, only to the extent necessary for that purpose, and only on a lawful basis (such as consent, a contract with the data subject, or a legal obligation).

Principles of Processing

The GDPR introduced core principles that all processing of personal data must comply with:

  • personal data must be processed fairly, lawfully, and transparently;
  • personal data may only be processed for a specific, explicit purpose;
  • only data necessary for that purpose may be processed;
  • data must be accurate and kept up to date;
  • if identification is no longer necessary for the purpose, personal data must be deleted or anonymized; and
  • personal data must be secured through technical and organizational measures.

Terminology: Controller/Processor

The terms ‘controller’, ‘processor’ and ‘data subject’ are used. These have the following definitions:

Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

These are the customers of Teqa who use i-Reserve as a product.

Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

This refers to Teqa as the organization, as the provider of i-Reserve. Our server administrator, who handles the hosting of i-Reserve, processes data on Teqa's behalf and is therefore a sub-processor engaged by Teqa.

Data subject

This is the individual whose personal data an organization processes. This is the person to whom the data relates.

These are your customers, the end users.

Processing special categories of personal data
In addition to ordinary personal data, the law also recognizes special categories of personal data. These are data so sensitive that processing them can seriously affect someone’s privacy. According to the GDPR, processing special categories of personal data is prohibited unless an exception applies.

Special categories of personal data include data about race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health data, sexual behavior, or sexual orientation. Such data may only be processed under very strict conditions.

What are key points of the GDPR for organizations?

Now that the General Data Protection Regulation applies, organizations processing personal data have more obligations than before.

Consent
The organization must be able to demonstrate that it has obtained valid consent from individuals to process their personal data. It must be just as easy for individuals to withdraw consent as it is to give it. This must be an ‘unambiguous’ expression of will. No pre-ticked boxes! The request for consent must be clear, understandable, and presented in plain language.
As an organization, you must ultimately be able to prove that the data subject has given consent. The data subject has the right to withdraw consent at any time and must be informed of this.

NOTE:
Asking for consent is not always necessary, and it is not always the right lawful basis. Consent is one of several lawful bases in the GDPR: processing that is necessary to perform a contract with the data subject (for example, storing the name and contact details needed to make a reservation) does not need separate consent, and neither does processing required by a legal obligation. Only where no other lawful basis applies do you have to ask for consent. To determine what applies to you, see the information (in Dutch) of the Dutch Data Protection Authority.
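The page says you must be able to prove that consent was given, that withdrawing it must be as easy as giving it, and that a pre-ticked box does not count. The following is an added example written for this page, not i-Reserve's or Teqa's own code, of how such proof is usually kept in software: an append-only ledger of consent events, each carrying the purpose, the version of the consent text the person saw, the channel and a timestamp, with the current state derived from the events rather than from a flag that gets overwritten. The customer identifier, purposes and text-version names are assumptions.

```python
"""Append-only consent ledger (added example, not i-Reserve code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # identifier of the data subject (assumed format)
    purpose: str           # one specific purpose per event, e.g. "newsletter"
    given: bool            # True: consent given, False: consent withdrawn
    text_version: str      # version of the wording shown, so it can be reproduced
    source: str            # channel, e.g. "web form" or "unsubscribe link"
    recorded_at: datetime  # timezone-aware timestamp of the expression of will


class ConsentLedger:
    """Events are only ever appended; the history is the proof."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, event: ConsentEvent) -> None:
        if event.recorded_at.tzinfo is None:
            raise ValueError("recorded_at must be timezone-aware")
        self._events.append(event)   # never update or delete earlier events

    def give(self, subject_id: str, purpose: str, text_version: str,
             source: str, at: Optional[datetime] = None) -> None:
        """Record an affirmative act. Only call this for an action the
        person actually took; a pre-ticked box is not consent."""
        self._append(ConsentEvent(subject_id, purpose, True, text_version,
                                  source, at or datetime.now(timezone.utc)))

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> None:
        """Withdrawal must be as easy as giving consent: one call, no
        text version, because nothing is being agreed to."""
        self._append(ConsentEvent(subject_id, purpose, False, "",
                                  source, at or datetime.now(timezone.utc)))

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Was consent for `purpose` in force at `at` (default: now)?
        Decided by the latest event at or before that moment; with no
        event at all the answer is False (no consent by default)."""
        at = at or datetime.now(timezone.utc)
        relevant = sorted(
            (e for e in self._events
             if e.subject_id == subject_id and e.purpose == purpose
             and e.recorded_at <= at),
            key=lambda e: e.recorded_at)
        return relevant[-1].given if relevant else False

    def history(self, subject_id: str) -> list[ConsentEvent]:
        """Everything recorded for one person, oldest first: what you show
        the person on request, or the supervisory authority on audit."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.recorded_at)


# Constructed scenario (not real data): consent for two purposes, then
# the newsletter consent withdrawn thirty days later.
DEMO_T0 = datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc)


def at_day(n: int) -> datetime:
    """Helper for the scenario: n days after DEMO_T0."""
    return DEMO_T0 + timedelta(days=n)


def demo() -> ConsentLedger:
    ledger = ConsentLedger()
    ledger.give("cust-1042", "newsletter", "privacy-text-v3", "web form", at=DEMO_T0)
    ledger.give("cust-1042", "reminders", "privacy-text-v3", "web form", at=DEMO_T0)
    ledger.withdraw("cust-1042", "newsletter", "unsubscribe link", at=at_day(30))
    return ledger


if __name__ == "__main__":
    ledger = demo()
    print("newsletter on day 15:", ledger.has_consent("cust-1042", "newsletter", at_day(15)))
    print("newsletter now:", ledger.has_consent("cust-1042", "newsletter"))
    for event in ledger.history("cust-1042"):
        print(event)
```

Because `has_consent` takes a point in time, the ledger can answer the question an auditor actually asks ("did you have consent when you sent this mailing?") and not just the current state.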

Accountability
The GDPR imposes a documentation obligation, which means that organizations must be able to demonstrate compliance with the GDPR. This includes consent, information provided, rights of data subjects, data security, minimization of processing, and agreements with processors. In other words: map out the data processing activities within the organization. Privacy statements must also comply with the GDPR, which is important: failure to have a (complete) privacy statement can result in heavy fines.

According to the GDPR, organizations must keep their own record of the processing activities (a ‘processing register’) carried out under their responsibility; the Dutch Data Protection Authority explains this on its website (in Dutch).

Data Processing Agreement
A data processing agreement is mandatory under the GDPR and applies between the controller of the personal data and the party processing the data on their behalf (the processor). The GDPR specifies mandatory elements of this agreement, including:

  • the purpose of processing;
  • the type of personal data processed;
  • the categories of data subjects;
  • that appropriate security measures will be taken;
  • that the processor cooperates with audits to ensure compliance; and
  • that after processing, data is destroyed or returned to the controller.

The processor may not engage another party (a sub-processor) to process personal data without the controller's prior written authorization. That authorization may be specific or general; under a general authorization the controller must be informed of any intended addition or replacement of sub-processors so that it can object.

Privacy Impact Assessment (PIA)
Also called a ‘data protection impact assessment’ (DPIA), the PIA is an essential tool for organizations to assess and evaluate privacy risks before a processing operation starts. Using the PIA, the protection of personal data can be integrated into decision-making and the balancing of interests within organizations.
The PIA records why, how, and for how long personal data will be processed, and which measures address the risks found. Carrying out a PIA is mandatory if the processing, particularly with new technologies, is likely to result in a high risk to the rights and freedoms of data subjects; large-scale processing of special categories of personal data and systematic monitoring of publicly accessible areas are examples.

Data breach notification obligation
This obligation already existed under Dutch law and is also included in the GDPR. The GDPR, however, sets stricter requirements for documenting data breaches within your organization. You must document all data breaches, including those you decide not to report, with the facts, their effects, and the remedial action taken.
To avoid stress, plan in advance how to respond if a security incident occurs. As a controller, you must report a data breach to the Data Protection Authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned. If the breach is likely to involve a high risk to those people, they must also be informed without undue delay. A processor that discovers a breach must notify the controller without undue delay, so that the controller can still meet the 72-hour deadline. Establish a workflow for security incidents in advance so that the right people can make timely decisions on appropriate actions.
The Data Protection Authority provides a page on data breaches that can help with this.

You may need a Data Protection Officer
A Data Protection Officer (DPO) is an independent person within the organization who advises and reports on GDPR compliance. The GDPR requires a DPO in certain situations: for public authorities, if your core activities involve large-scale, regular and systematic monitoring of people (physically or digitally), or if you process special categories of data, such as health data, on a large scale. A DPO can be an internal staff member or an external appointee.

Rights of data subjects
Personal data must be processed in a manner that is lawful, fair, and transparent in relation to the data subject. Transparency is key: the data subject must be informed about what happens to their personal data. Everything must be communicated in simple and clear language.
In addition to the well-known rights of access and rectification, the GDPR gives the data subject:

  • the right to erasure (‘right to be forgotten’),
  • the right to data portability,
  • the right to restrict processing, and
  • the right to object to certain processing activities. The right to object applies in particular to direct marketing: the data subject may object at any time, and once such an objection is made, the data may no longer be processed for marketing purposes.

Right of access
A data subject has the right to know whether their personal data is being processed. If so, they are entitled to information about that data. This includes information about:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients to whom the data is disclosed;
  • the storage period;
  • the fact that the data subject has the right to request rectification, erasure, restriction of processing, and the right to object;
  • the fact that the data subject has the right to lodge a complaint.

Right to rectification and right to object
A data subject has the right to obtain the rectification of inaccurate personal data without undue delay. They may also object to certain forms of data processing, which may then have to be halted; for example, a data subject can object to an organization using their personal data for marketing purposes. The right to object to direct marketing is absolute: once a data subject exercises it, they may no longer be contacted for marketing purposes.

Right to be forgotten
In some situations, the data subject has the right to have their data completely erased. The GDPR provides additional grounds for this right. The controller must erase personal data without undue delay, for example, when it is no longer necessary for the purposes for which it was collected or processed, or when the data subject withdraws the consent on which the processing was based. The controller must also inform every recipient with whom the data was shared of the erasure, and must tell the data subject who those recipients are if they ask. Where the controller has made the data public, it must take reasonable steps to inform other controllers processing the data that the data subject has requested the erasure of any links to, and copies or reproductions of, that data.

Also consider the option to automatically anonymize data in i-Reserve.

Right to data portability
The GDPR introduced the right to data portability. This means your customers may receive the personal data they provided to you and take it elsewhere. It applies to data processed by automated means on the basis of the data subject's consent or of a contract with them. Data observed from the person's use of your service, such as search history or location data, also falls under this right; data you have derived or inferred yourself (a score or a classification, for example) generally does not. Organizations are legally required to provide the data in a ‘structured, commonly used, and machine-readable’ format. Consider how to make this data available, for example, via a tool that allows customers to securely download their data directly.
If technically feasible, the controller must transmit the data directly to another controller. This can be done, for example, via an Application Programming Interface (API), which enables a connection between your system and another party’s application.

In i-Reserve, the customer can download their data themselves, the administrator can export customer data, or data can be shared via an API.
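The two operations mentioned above, the automatic anonymization option under the right to be forgotten and the machine-readable export under data portability, are easier to reason about with a concrete record in front of you. The following is an added example written for this page, not i-Reserve's own code: the record layout, the field names and the rules about which fields are kept are assumptions, and the customer record is constructed sample data. It shows a portability export that strips the controller's own internal fields, and an anonymization step that removes every identifying field at every level of the record (including free text, which tends to hide names, phone numbers and health information) while keeping the non-identifying booking facts that occupancy statistics need.

```python
"""Portability export and anonymization of a reservation record
(added example, not i-Reserve code; record layout is assumed)."""
import json
import secrets

# Direct identifiers: always removed on anonymization.
IDENTIFYING_FIELDS = {"name", "email", "phone", "address"}
# Free text is treated as identifying too: people write names, phone
# numbers and even health data ("allergic to nuts") into it.
FREE_TEXT_FIELDS = {"notes", "staff_remarks"}
# Produced by the controller, not provided by the data subject, so not
# part of a portability export (they are still personal data for a
# right-of-access request, which is a different thing).
CONTROLLER_INTERNAL_FIELDS = {"internal_flags", "staff_remarks"}

# Constructed sample record; not real data.
SAMPLE_CUSTOMER = {
    "customer_id": 1042,
    "name": "Alex Example",
    "email": "alex@example.test",
    "phone": "+31 6 0000 0000",
    "address": "Voorbeeldstraat 1, 1234 AB Amsterdam",
    "marketing_consent": True,
    "internal_flags": ["vip"],
    "reservations": [
        {"reservation_id": 77, "date": "2024-05-03", "guests": 4,
         "notes": "birthday, allergic to nuts", "staff_remarks": "table 12"},
        {"reservation_id": 91, "date": "2024-06-18", "guests": 2,
         "notes": "", "staff_remarks": ""},
    ],
}


def _strip(obj, fields: set):
    """Return a copy of a nested dict/list structure without the given keys,
    at every nesting level; the input is left untouched."""
    if isinstance(obj, dict):
        return {k: _strip(v, fields) for k, v in obj.items() if k not in fields}
    if isinstance(obj, list):
        return [_strip(v, fields) for v in obj]
    return obj


def portable_subset(customer: dict) -> dict:
    """The data the data subject provided or generated by using the
    service, without the controller's internal fields."""
    return _strip(customer, CONTROLLER_INTERNAL_FIELDS)


def export_portable(customer: dict) -> str:
    """Same subset serialised as JSON: structured, commonly used and
    machine-readable, so another controller can import it."""
    return json.dumps(portable_subset(customer), indent=2,
                      ensure_ascii=False, sort_keys=True)


def anonymize(customer: dict) -> dict:
    """Irreversibly remove identifying data; keep what statistics need.

    The customer_id is replaced by a random token rather than a hash of
    the old id: a (keyed) hash over a small integer id space can be
    reversed by whoever holds the key or simply tries every id, which
    makes that pseudonymization, not anonymization.
    """
    anon = _strip(customer, IDENTIFYING_FIELDS | FREE_TEXT_FIELDS)
    anon["customer_id"] = secrets.token_hex(8)
    anon.pop("marketing_consent", None)   # nobody left to contact
    return anon


def contains_identifiers(obj) -> bool:
    """Safety check to run before an anonymized record is written back."""
    if isinstance(obj, dict):
        return any(k in IDENTIFYING_FIELDS | FREE_TEXT_FIELDS or contains_identifiers(v)
                   for k, v in obj.items())
    if isinstance(obj, list):
        return any(contains_identifiers(v) for v in obj)
    return False


if __name__ == "__main__":
    print(export_portable(SAMPLE_CUSTOMER))
    anonymized = anonymize(SAMPLE_CUSTOMER)
    assert not contains_identifiers(anonymized)
    print(json.dumps(anonymized, indent=2))
```

Note that `notes` stays in the portability export (the customer wrote it) but is removed on anonymization, and that `staff_remarks` is excluded from both: it was written by staff, so the customer did not provide it, yet it is free text about the customer and cannot stay in an anonymized record.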

Privacy by default and Privacy by design
The GDPR requires data protection through default settings (Privacy by default) and through design (Privacy by design) in software and organizational processes.

Privacy by default means taking technical and organizational measures to ensure that, by default, only the personal data necessary for the specific purpose is processed. Where users can change privacy settings themselves, the most privacy-protective option should be selected by default, so that sharing more requires an active choice.

Privacy by design means that data protection must be built into the design of products, services, and processes from the outset.

Examples:

  • Not requiring app users to register their location if it is not necessary;
  • Not pre-ticking the checkbox ‘Yes, I want to receive offers’ on a website;
  • Not asking for more data than necessary when someone subscribes to a newsletter.

See also what i-Reserve does to secure and protect personal data.

Security must be in place – and maintained
Securing personal data is crucial, and the measures must be kept up to date as the software, the infrastructure, and the threats change. Without encryption, two-factor authentication, access control, and the ability to separate and securely delete personal information, organizations take very significant risks.

Violations and sanctions
The GDPR grants national supervisory authorities greater powers to sanction violations. Fines are significant: up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements, and up to 10 million euros or 2% for others. In the Netherlands, fines are imposed by the appointed supervisory authority: the Dutch Data Protection Authority (AP).

Cookies, spam, email, telemarketing, and the GDPR
Rules for electronic communication such as cookies, Wi-Fi tracking, email, etc. are not laid down in the GDPR. These are covered in the ePrivacy Directive, a European directive that each member state implements in its own law; in the Netherlands these rules are in the Telecommunications Act (Telecommunicatiewet). The ePrivacy Directive is also known as the Cookie Law. More generally, this legislation establishes rules organizations must follow to ensure the confidentiality of digital communications. Note that the GDPR still applies to any personal data obtained through cookies or tracking.

Looking for details? A lot of information can be found on the website of the Dutch Data Protection Authority (AP).