What should I know about the GDPR legislation?
Privacy law
Privacy legislation is not new. Until 25 May 2018, each member state of the European Union (EU) had its own privacy law. These national laws were all based on the European Data Protection Directive of 1995 (95/46/EC). In the Netherlands, the national implementation of this directive was the Personal Data Protection Act (Wet bescherming persoonsgegevens, Wbp).
As of 25 May 2018, the General Data Protection Regulation (AVG in Dutch, GDPR in English) applies. From that date a single privacy law is in force throughout the EU. The Wbp no longer applies, but its basic principles still form the core of the GDPR. In the Netherlands, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) supervises compliance with the legal rules for the protection of personal data.
What is the general purpose of the GDPR?
The overall purpose of the General Data Protection Regulation is to protect EU citizens in terms of privacy regulations and personal data. The GDPR provides rights with regard to personal data that is shared with organizations that collect, store and process such personal data.
To whom does the GDPR apply?
The GDPR applies to any organization established in the EU that processes personal data, regardless of where the processing itself takes place. An organization does not have to be established in the EU to fall under the GDPR: if it is located outside the EU but offers goods or services to people in the EU, or monitors their behaviour (for example by tracking website visitors), the GDPR applies to that organization as well. Note that the law protects individuals who are in the EU, not only EU citizens.
What will change?
The new GDPR law tightens up rules from the current Personal Data Protection Act.
Ultimately, much remains the same. Data minimization, the right to be forgotten, information obligations and processor agreements were already part of the law, albeit sometimes under different names. A good privacy policy, an understandable privacy statement, sound agreements between controllers and processors and a procedure for data breaches also remain important.
Many existing rules have been significantly tightened in the new GDPR, and a number of new obligations have been added. More emphasis is being placed on the responsibility of organizations themselves to comply with the law and to be able to demonstrate that they comply with the law.
What can I do myself?
As an organization, you can take steps now to be ready for the GDPR. To help you with this, the Dutch Data Protection Authority listed the 10 most important steps.
What are personal data?
The GDPR defines personal data as any information relating to an identified or identifiable natural person. There are many types of personal data. Obvious examples are a person's name, address and place of residence, but telephone numbers and postal codes combined with house numbers are also personal data, as is any other data that can be linked back to an individual, such as an IP address or customer number. Sensitive data such as a person's race, religion or health are called special categories of personal data, and these receive extra protection under the law.
What does processing personal data entail?
Processing means: all actions that an organization can perform with personal data, from collection to destruction.
The law mentions as examples of processing: collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, providing by means of transmission, dissemination, making available, bringing together, linking, restricting ('blocking'), erasing and destroying data. An organization may only process personal data for a specific purpose and on a legal basis that the law recognizes, such as consent or the performance of a contract.
Processing Principles
The GDPR introduces core principles that all processing of personal data must comply with:
- personal data must be processed in a fair, lawful and transparent manner;
- personal data may only be processed for a specific, explicitly described purpose;
- only personal data that are necessary for the purpose may be processed;
- data must be correct and current;
- if identification is no longer necessary for the purpose, the personal data must be deleted or anonymized; and
- the personal data must be secured by means of technical and organizational measures.
Controller/processor terminology
The GDPR uses the terms 'controller' (verwerkingsverantwoordelijke) and 'processor' (verwerker) instead of the Wbp terms 'responsible party' (verantwoordelijke) and 'processor' (bewerker). The following definitions are given in the Dutch translation of the GDPR:
Controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. These are Teqa's customers who purchase i-Reserve.
Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. This is us, as the organization supplying i-Reserve, and our server administrator with regard to the hosting of i-Reserve.
The data subject
Is the person whose personal data an organization processes. This is the person to whom the personal data relates. These are your customers, the end users.
Processing special personal data
In addition to ordinary personal data, the law also recognizes special personal data. This is data that is so sensitive that its processing can seriously affect someone's privacy. According to the GDPR, the processing of special personal data is prohibited, unless an exception applies.
Special personal data are personal data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, data about health, sexual behavior or sexual orientation. Such data may therefore only be processed under very strict conditions.
What are the most important changes for organizations?
If the General Data Protection Regulation applies, organizations that process personal data have more obligations.
Consent
What is new is that the organization must be able to demonstrate that it has obtained valid consent from people to process their personal data, and that withdrawing consent must be as easy as giving it.
Consent must be an 'unambiguous' expression of will, so pre-checked boxes are no longer acceptable. The request for consent must be clear, understandable and presented in simple language, and it must be kept separate from other matters (such as general terms and conditions). As an organization, you must ultimately be able to prove that the person concerned gave consent, so keep a record of who consented, when, and to what text.
The data subject has the right to withdraw consent at any time and must be informed of this right before giving consent. Please note:
Asking for consent to record personal data is not always necessary. Consent is only one of the legal bases the GDPR recognizes. For example, consent is not needed as long as the data recorded is limited to what is necessary for the performance of the agreement entered into with the data subject. In other cases you must ask for consent. Which basis applies to you depends on the purpose of the processing; the Dutch Data Protection Authority provides further guidance on this.
Administration obligation
The GDPR imposes a documentation obligation (accountability), which means that the organization must be able to demonstrate that it acts in accordance with the GDPR. This covers consent, the information given to data subjects, the handling of data subject rights, data security, minimization of processing and the agreements with processors. So: map the data processing in your organization. Many organizations will have to adjust their privacy statement, and this is not a minor point: not having a (complete) privacy statement can result in a heavy fine.
As soon as the GDPR applies, the Wbp obligation to report data processing to the supervisory authority expires. Instead, organizations must themselves keep a register of processing activities ('processing register') that take place under their responsibility.
Processing agreement
Concluding a processing agreement is nothing new in itself, because it was already mandatory under the Wbp. In line with the GDPR, it is now called a 'verwerkersovereenkomst' (previously 'bewerkersovereenkomst') and applies between the party responsible for the personal data (the controller) and the party that processes the personal data on its behalf (previously the 'bewerker', now the 'verwerker' or processor). What is new is that the GDPR prescribes a number of mandatory elements of this agreement, including:
- the purpose of the processing;
- the type of personal data being processed;
- the categories of data subjects;
- that appropriate security measures will be taken;
- that the processor cooperates in audits to check whether the processor complies with all obligations, and;
- after the processing has ended, destruction or return of the personal data to the controller.
From now on, the processor may no longer engage a sub-processor to process personal data without the prior written authorization of the controller, and the same obligations must be passed on to that sub-processor in writing.
Privacy impact assessment (PIA)
Called a data protection impact assessment (DPIA) in the GDPR itself, the PIA is an indispensable tool for organizations to estimate or evaluate the privacy impact of a processing operation in advance. By using a PIA, the protection of personal data becomes a structured part of the weighing of interests and decision-making within the organization.
The PIA records why, how and for how long personal data is processed, what the risks to data subjects are, and which measures address those risks. Carrying out a PIA is mandatory when the processing of personal data, in particular using new technologies, is likely to result in a high risk for data subjects, for example large-scale processing of special categories of data or systematic monitoring of people.
Data leak reporting obligation
We already know the data breach reporting obligation from Dutch law. It has been included in the GDPR and remains largely unchanged. The GDPR does impose stricter requirements on your own registration of data breaches that have occurred in your organization: you must document all data breaches, including those you decide not to report, together with the facts, the consequences and the measures taken.
Prevent stress by considering in advance how you will act when a security incident occurs. As a controller you must report a data breach to the Dutch Data Protection Authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Is the breach likely to pose a high risk to the individuals to whom the data relates? Then they must also be informed of the breach without undue delay. A processor that discovers a breach must notify the controller without undue delay. Therefore, determine in advance a workflow for security incidents in which the right people can make a timely decision about the actions to be taken.
The Dutch Data Protection Authority has published policy rules on the obligation to report data leaks.
You may need a data protection officer.
A data protection officer (DPO; in Dutch 'functionaris voor gegevensbescherming', FG) is an independent person within the organization who advises and reports on compliance with the GDPR. The DPO was not mandatory under the Wbp, but is mandatory under the GDPR in some situations. By law, a DPO is mandatory for public authorities, when you process special categories of personal data such as health data on a large scale, or when you structurally and systematically observe people on a large scale (physically or digitally). A DPO can be someone appointed internally, but may also be an external appointee.
Rights of the data subject
Personal data must be processed in a manner that is lawful, fair and transparent with regard to the data subject.
Transparency is paramount: the data subject must be informed about what happens to his personal data, and everything must be communicated in simple and clear language. In addition to the well-known rights of access, rectification and objection, the data subject also has the following rights under the GDPR:
- the right to be forgotten,
- the right to portability of his data (also known as: data portability),
- the right to restrict processing and
- the right to object to certain processing. The data subject has the right to object at any time to the processing of his data for direct marketing purposes. If the data subject files such an objection, his data may no longer be processed for marketing purposes.
Right of access
A data subject has the right to be informed by the controller whether his/her personal data is being processed. When personal data are processed, the data subject has the right to information about this data. The data subject has, among other things, the right to information about:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients to whom the personal data are provided;
- the storage period;
- the fact that the data subject has the right to request rectification, request erasure or restriction of the data and the right to object;
- the fact that the data subject can file a complaint.
Right to rectification and right to object
A data subject has the right to obtain from the controller the correction of inaccurate personal data. This must be done without unreasonable delay. The data subject may object to certain forms of data processing, as a result of which the processing of his personal data may have to be stopped. Consider an organization that uses personal data for marketing purposes. (There is currently an absolute right to object to direct marketing. If a data subject makes use of this, you may no longer contact him or her for marketing purposes).
Right to be forgotten
In some situations, the data subject has the right to have his data deleted completely. The GDPR has added further grounds for this right and calls it the right to erasure, or the right to be forgotten. It means that the controller must erase the personal data without undue delay, for example when the personal data are no longer necessary for the purposes for which they were collected or further processed, or when the data subject withdraws consent and no other legal basis exists. It is also mandatory to inform the parties with whom you have shared the data of such a request, and, if the data subject asks, to tell him which parties those are. If the controller has made the data public, it must also take reasonable steps to inform other controllers that the data subject requests erasure of any link to, copy of or reproduction of the data. Note that the right is not absolute: data you are legally required to retain (such as invoices) may be kept, but only for that purpose.
Also check out the option to automatically anonymize in i-Reserve.
Right to data portability
The GDPR introduces the right to data portability. This means that you may receive requests from your customers to make their personal data available to them. The right covers the personal data the data subject has provided to you that you process by automated means on the basis of consent or for the performance of a contract. Data that the data subject provided by using your service, such as search history or location data, also falls under the right of portability; data you derived yourself (for example a customer profile or score) does not. As an organization, you are legally obliged to provide the data in a 'structured, commonly used and machine-readable' format. You can prepare for this by thinking in advance about how you will make the data available, for example via a tool that allows your customers to download their data directly and securely.
Where technically feasible, the controller must transmit the data directly to another controller at the data subject's request.
This can be done, for example, with an Application Programming Interface (API), which connects your system to an application of another party. In i-Reserve it is possible for the customer to download their data, for the administrator to export it, or to forward data via an API.
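To make the difference between the erasure and portability sections concrete, here is an added Python example that is not i-Reserve code and does not use its schema. It assumes a constructed customer record with three kinds of fields: data the subject provided (portable), data the organization derived itself (personal data, but not portable), and booking lines that are assumed to be retained for invoicing after erasure. The export copies only the provided fields into a machine-readable JSON document; the anonymization keeps only the retained booking fields, refuses to store the result if any identifier (including name fragments in free-text notes) survives, and returns the recipients that must be told about the erasure. All names, fields and recipients are hypothetical.

```python
import copy
import json


def sample_customers():
    """Constructed sample records (not real people, not an i-Reserve schema)."""
    return copy.deepcopy({
        "c-1001": {
            # Provided by the data subject (directly or by using the service).
            "name": "Anna Example",
            "email": "anna@example.invalid",
            "phone": "+31 6 12345678",
            "preferences": {"newsletter": True, "language": "nl"},
            "bookings": [
                {"booking_id": "b-1", "date": "2018-03-02",
                 "amount_eur": 120.0, "notes": "Anna asked for a quiet room"},
            ],
            # Produced by the organization, not provided by the data subject:
            # outside the portability right, but still personal data to erase.
            "marketing_score": 0.87,
            "internal_notes": "VIP, complained once",
            # Assumed register entry: parties this record was disclosed to.
            "shared_with": ["newsletter-provider", "payment-processor"],
        },
    })


# Fields the data subject supplied; these are what a portability export contains.
PROVIDED_FIELDS = ("name", "email", "phone", "preferences", "bookings")
# Booking fields assumed to be needed for invoicing after erasure.
RETAINED_BOOKING_FIELDS = ("booking_id", "date", "amount_eur")


def export_subject(customers, subject_id):
    """Portability: the subject's own data as a plain dict (KeyError if unknown)."""
    record = customers[subject_id]
    return {
        "schema_version": 1,
        "subject_id": subject_id,
        "data": {f: copy.deepcopy(record[f]) for f in PROVIDED_FIELDS if f in record},
    }


def export_subject_json(customers, subject_id):
    """The same export serialized as JSON, a structured machine-readable format."""
    return json.dumps(export_subject(customers, subject_id),
                      indent=2, sort_keys=True, ensure_ascii=False)


def _mentions(obj, needles):
    """True if any string anywhere in obj contains one of the needles."""
    if isinstance(obj, dict):
        return any(_mentions(v, needles) for v in obj.values())
    if isinstance(obj, (list, tuple)):
        return any(_mentions(v, needles) for v in obj)
    return isinstance(obj, str) and any(n.lower() in obj.lower() for n in needles)


def anonymize_subject(customers, subject_id, retain_booking_fields=RETAINED_BOOKING_FIELDS):
    """Erasure: replace the record by an anonymized stub and list who to notify.

    Only the retained booking fields survive. The result is checked for any
    remaining identifier before it is stored; free-text fields are the usual
    place where a name leaks, so name fragments are checked as well.
    """
    record = customers[subject_id]
    identifiers = [v for v in (record.get("name"), record.get("email"), record.get("phone")) if v]
    identifiers += [t for t in record.get("name", "").split() if len(t) >= 3]
    kept = [{k: b[k] for k in retain_booking_fields if k in b} for b in record.get("bookings", [])]
    anonymized = {"anonymized": True, "bookings": kept}
    if _mentions(anonymized, identifiers):
        raise RuntimeError("identifier survived anonymization; refusing to store")
    customers[subject_id] = anonymized
    return anonymized, list(record.get("shared_with", []))


if __name__ == "__main__":
    store = sample_customers()
    print(export_subject_json(store, "c-1001"))
    stub, recipients = anonymize_subject(store, "c-1001")
    print(stub, "notify:", recipients)
```

The point of the identifier check is that erasure is a property of the stored result, not of the code path: if someone later adds a free-text booking field to the retained list, `anonymize_subject` fails loudly instead of silently keeping a name. In a real system the same check would also have to cover indexes, backups and the recipients returned, which is why the function hands back the list of parties to inform rather than pretending the erasure is finished.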
Privacy by default and Privacy by design
The GDPR introduces an obligation of data protection by default (Privacy by default: the standard settings of your software and processes) and data protection by design (Privacy by design: protection built into the design of products, services and processes).
The obligation of Privacy by default means that you must take technical and organizational measures to ensure that, by default, you only process the personal data that is necessary for the specific purpose you want to achieve. Where users can adjust their privacy settings themselves, these should be set to the most privacy-friendly level by default, so that sharing more is an explicit choice of the user.
The obligation to Privacy by design means that you must ensure that personal data is protected when designing products, services and organizational processes.
Examples:
- When offering an app, do not allow users to register their location if this is not necessary;
- Do not check the box 'Yes, I want to receive offers' in advance on the website;
- If someone wants to subscribe to a newsletter, do not ask for more information than necessary.
View here what i-Reserve is doing to secure and protect personal data.
Security must be in order and remain so
Security of personal data is crucial. Without encryption, two-factor authentication and the ability to separate and securely erase personal information, you as an organization are taking a very high risk.
Violation and sanctions
The maximum fine per violation of the current Privacy Act (Wbp) is now 900,000 euros.
The GDPR gives national supervisory authorities more powers to sanction violations. The fines are hefty: up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, if an organization does not meet the requirements of the law. In the Netherlands, fines are issued by the appointed supervisory authority, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP). Looking for details? You will also find answers to frequently asked questions on autoriteitpersoonsgegevens.nl.
Cookies, spam, email, telemarketing and the GDPR
Rules for electronic communications such as cookies, WiFi tracking, email marketing and telemarketing are not laid down in the GDPR. You will find them in the ePrivacy Directive, existing European legislation that is expected to be updated in 2018 and is also known as the Cookie Law. The European Union hopes to introduce the amended rules alongside the GDPR, in order to offer citizens more protection for their personal information. More generally, this legal text establishes the rules that organizations must follow to guarantee the confidentiality of digital communications.