What do I need to know about the GDPR legislation?
Privacy legislation
Privacy legislation is not new. Within the European Union (EU), each member state currently still has its own privacy law. All of these national laws are based on the European Privacy Directive of 1995. In the Netherlands, the national implementation of this directive is the Personal Data Protection Act (Wbp).
As of 25 May 2018, the General Data Protection Regulation (GDPR) became applicable. This means that from that date onwards, only one privacy law applies throughout the entire EU. The Wbp no longer applies, but the basic principles of that legislation still form the core of the new GDPR. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) supervises compliance with the statutory rules for the protection of personal data.
What is the general purpose of the GDPR?
The general purpose of the General Data Protection Regulation is to protect EU citizens with regard to privacy regulations and personal data. The GDPR provides rights relating to personal data that are shared with organisations that collect, store and process such personal data.
Who does the GDPR apply to?
The GDPR applies to every organisation that collects personal data from EU citizens. An organisation does not need to be established within the EU to fall under the conditions of the GDPR. If an organisation is based outside the EU and collects personal data from within the EU, the GDPR applies to that organisation.
What is going to change?
The new GDPR tightens the rules set out in the current Personal Data Protection Act. Ultimately, much remains the same. Data minimisation, the right to be forgotten, information obligations and data processing agreements have always been part of the law, albeit sometimes under different names.
A sound privacy policy, a clear and comprehensible privacy statement, clear agreements between processors and controllers, and a procedure for data breaches all remain equally important.
Many existing rules have been considerably tightened under the new GDPR, and a number of new obligations have been added. Greater emphasis is placed on the responsibility of organisations themselves to comply with the law and to be able to demonstrate that they are doing so.
What can I do myself?
As an organisation, you can already take steps now to be ready for the GDPR. To help you with this, the Dutch Data Protection Authority has set out the 10 most important steps.
What is personal data?
The GDPR states that personal data is any information relating to an identified or identifiable natural person. There are many types of personal data. Obvious examples include a person's name, address and place of residence. However, telephone numbers and postcodes combined with house numbers also constitute personal data. Sensitive data such as a person's race, religion or health are referred to as special categories of personal data, and these are afforded extra protection by law.
What does the processing of personal data entail?
Processing refers to all operations that an organisation can carry out with personal data, from collection through to destruction. The law cites as examples of processing: the collection, recording, organisation, storage, updating, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, making available, combining, linking, restricting, erasing and destroying of data.
The law stipulates that an organisation may only process personal data where this is necessary for a specified purpose.
Processing principles
The GDPR introduces core principles that all processing of personal data must comply with:
- personal data must be processed in a lawful, fair and transparent manner;
- personal data may only be processed for a specific, explicitly defined purpose;
- only personal data that is necessary for the purpose may be processed;
- data must be accurate and up to date;
- if identification is no longer necessary for the purpose, the personal data must be deleted or anonymised; and
- personal data must be secured by means of technical and organisational measures.
Terminology: data controller / data processor
The GDPR uses the terms 'data controller' and 'data processor' in place of the terms 'controller' and 'processor' from the Wbp. The Dutch translation of the GDPR provides the following definitions:
Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. These are Teqa's clients who use i-Reserve as their product.
Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. This is us as an organisation, as the supplier of i-Reserve, and our server administrator with regard to the hosting of i-Reserve.
The data subject
This is the person whose personal data an organisation processes — in other words, the individual to whom the personal data relates. These are your customers, the end users.
Processing special categories of personal data
In addition to ordinary personal data, the law also recognises special categories of personal data. These are data so sensitive that processing them could seriously harm a person's privacy. Under the GDPR, processing special categories of personal data is prohibited unless an exception applies.
Special categories of personal data include data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, sexual behaviour or sexual orientation. Such data may therefore only be processed under very strict conditions.
What are the most important changes for organisations?
Where the General Data Protection Regulation applies, organisations that process personal data have greater obligations.
Consent
What is new is the requirement that the organisation must be able to demonstrate that it has obtained valid consent from individuals to process their personal data, and that it must be just as easy for individuals to withdraw their consent as it is to give it. Consent must constitute an 'unambiguous' expression of intent, so no more pre-ticked boxes! The request for consent must be clear and comprehensible and presented in plain language.
As an organisation, you must ultimately be able to prove that the data subject gave their consent. The data subject has the right to withdraw consent at any time and must also be informed of this right.
PLEASE NOTE:
Requesting consent for recording personal data is not always necessary — for example, as long as the data recorded is limited to what is necessary for the performance of the agreement entered into. In other cases, you must request consent. To find out what applies in your situation, you can find more information here.
Administrative obligation
The GDPR imposes a documentation obligation, which means that it must be possible to demonstrate that the organisation is acting in accordance with the GDPR. This includes consent, information provided, the rights of data subjects, data security, minimisation of processing activities and agreements with processors. In short: map out the data processing activities within your organisation. Many organisations will need to update their privacy statement, and this should not be underestimated — failing to have a (complete) privacy statement will carry a substantial fine.
Once the GDPR applies, the Wbp obligation to register data processing activities with the supervisory authority will lapse. Instead, organisations must maintain their own register of processing activities ('processing register') that take place under their responsibility.
Data processing agreement
Entering into a data processing agreement is nothing new in itself, as it is already required under the Wbp. Under the GDPR it will be referred to as a data processing agreement, and it applies between the party responsible for the personal data and the party that processes the personal data on their behalf (previously known as the processor, now referred to as the data processor). However, what is new is that the GDPR specifies a number of mandatory elements of this agreement, including:
- the purpose of the processing;
- the type of personal data being processed;
- the categories of data subjects;
- that appropriate security measures will be taken;
- that the processor will cooperate with audits to verify compliance with all obligations; and
- the destruction or return of personal data to the controller upon completion of the processing.
Going forward, the processor will no longer be permitted to engage a third party to process personal data without the prior written consent of the controller.
Privacy Impact Assessment (PIA)
In Dutch referred to as a 'gegevensbeschermingseffectbeoordeling' (data protection impact assessment), the PIA is an indispensable tool for organisations to estimate or evaluate the privacy impact. By using a PIA, the protection of personal data can be incorporated in a structured manner into the weighing of interests and decision-making within organisations.
The PIA records why, in what manner and for how long personal data is processed. Carrying out a Privacy Impact Assessment is mandatory when the processing of personal data — in particular through the use of new technologies — poses risks to data subjects.
Data breach notification obligation
This is already familiar from Dutch law: the obligation to report data breaches. This has also been included in the GDPR and remains largely unchanged. However, the GDPR does impose stricter requirements on your own recording of the data breaches that have occurred within your organisation. You must document all data breaches.
Avoid unnecessary stress by thinking in advance about how you will respond if a security incident occurs. For example, as a data controller you may in certain situations be required to report a data breach to the Dutch Data Protection Authority within 72 hours. If the breach is likely to result in a high risk to the individuals whose data is affected, they must also be notified of the breach. It is therefore advisable to establish a workflow for security incidents in advance, enabling the right people to make timely decisions about the actions to be taken.
The Dutch Data Protection Authority has published policy rules on the obligation to report data breaches.
You may need a Data Protection Officer
A Data Protection Officer (DPO), or functionaris voor gegevensbescherming (FG) in Dutch, is an independent person within the organisation who advises on and reports on compliance with the GDPR. A DPO was not mandatory under the Wbp, but is required under the GDPR in certain situations. According to the law, a DPO is mandatory when your organisation processes sensitive personal data, such as health data, on a large scale, or when you systematically monitor individuals (physically or digitally). A DPO may be someone appointed internally, but may also be an external appointment.
Rights of the data subject
Personal data must be processed in a manner that is lawful, fair and transparent with respect to the data subject. Transparency is paramount: the data subject must be informed about what happens to their personal data. Everything must be communicated in simple, clear language.
In addition to the well-known rights of access, rectification and objection, the data subject also has the following rights under the GDPR:
- the right to be forgotten,
- the right to data portability,
- the right to restrict processing, and
- the right to object to certain types of processing. The data subject has the right at any time to object to the processing of their data for direct marketing purposes. If the data subject submits such an objection, their data may no longer be processed for marketing purposes.
Right of access
A data subject has the right to obtain confirmation from the data controller as to whether or not their personal data is being processed. Where personal data is being processed, the data subject has the right to information about that data. The data subject has the right to information about, amongst other things:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients to whom the personal data has been or will be disclosed;
- the retention period;
- the fact that the data subject has the right to submit a request for rectification, erasure or restriction of the data, and the right to object; and
- the fact that the data subject has the right to lodge a complaint.
Right to rectification and right to object
A data subject has the right to obtain from the data controller the rectification of inaccurate personal data. This must be done without undue delay. The data subject may object to certain forms of data processing, as a result of which the processing of their personal data may have to cease. Consider, for example, an organisation using personal data for marketing purposes. (At present, there is already an absolute right to object in the case of direct marketing. If a data subject exercises this right, you may no longer approach them for marketing purposes.)
Right to be forgotten
In certain situations, the data subject has the right to have their data deleted entirely. The GDPR introduces the right to be forgotten and adds further grounds for exercising this right. This means that the data controller must erase personal data without undue delay — for example, when the personal data is no longer necessary for the purposes for which it was collected or otherwise processed. It also becomes mandatory, upon receipt of such a request, to inform the parties with whom the data has been shared. The names of these parties must also be communicated to the data subject. The data controller must take reasonable steps not only to delete the data, but also to erase any link, copy or reproduction.
For this purpose, also explore the option of automatically anonymising data in i-Reserve.
Right to data portability
The GDPR introduces the right to data portability, meaning that you may receive requests from your customers to make their personal data available to them. This covers all digital data that an organisation processes with the data subject's consent, as well as data necessary for the performance of an agreement. Browsing history and location data also fall within the scope of the right to data portability. As an organisation, you are then legally obliged to provide the data in a 'structured, commonly used and machine-readable' format. You can prepare for this by thinking ahead about how you will make the data available — for example, via a tool that enables your customers to download their data directly in a secure manner.
Where technically feasible, the data controller must transmit the data directly to another data controller. This can be achieved, for example, via an Application Programming Interface (API), which enables a connection between your system and that of the other party.
In i-Reserve, it is possible for the customer to download their own data, for the administrator to export customer data, or to transmit data via an API.
Privacy by default and Privacy by design
The GDPR introduces an obligation to implement data protection through default settings (Privacy by default) and through configurable functionality (Privacy by design) within software.
The Privacy by default obligation means that you must take technical and organisational measures to ensure that, by default, you only process personal data that is necessary for the specific purpose you wish to achieve. Where users can adjust their own privacy settings, these should, for example, be set to the highest level by default.
The Privacy by design obligation means that you must ensure the protection of personal data from the very moment you design products, services and organisational processes.
Examples:
- When offering an app, do not record users' location if this is not necessary;
- On the website, do not pre-tick the box 'Yes, I would like to receive offers';
- When someone wishes to subscribe to a newsletter, do not request more data than is necessary.
Find out here what i-Reserve does to ensure the security and protection of personal data.
Security must be in order — and remain so
The security of personal data is crucial. Without encryption, two-factor authentication and the ability to segregate and securely delete personal information, your organisation is taking an extremely significant risk.
Violations and sanctions
The maximum fine per violation under the current privacy law (Wbp) is €900,000. Under the GDPR, national supervisory authorities are granted greater powers to impose sanctions for GDPR infringements. The fines are substantial and can amount to €20 million or 4% of global annual turnover if an organisation fails to meet the requirements of the law. Fines in the Netherlands are issued by the designated supervisory authority: the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Looking for more detail? You can also find answers to frequently asked questions at autoriteitpersoonsgegevens.nl.
Cookies, spam, email, telemarketing and the GDPR
Rules governing the handling of electronic communications such as cookies, Wi-Fi tracking, email and so on are not laid down in the GDPR. You will find these in the ePrivacy Directive — an existing piece of European legislation that was updated in 2018. The ePrivacy Directive is also known as the cookie law. The European Union hoped to launch the revised rules alongside the GDPR in order to offer citizens greater protection for their personal information in one fell swoop. More broadly, this legislation sets out the rules that organisations must follow to guarantee the confidentiality of digital communications.