New European privacy regulations come a step closer

The Senate has today adopted a law put forward by Minister for Legal Protection Sander Dekker which implements the EU’s new General Data Protection Regulation (GDPR). This GDPR Implementation Act is designed to ensure that the transition from the old to the new scenario in the Netherlands goes as smoothly as possible. The GDPR takes effect on 25 May 2018, as does the Implementation Act.

The Implementation Act is policy neutral. This means that where the GDPR allows scope for national interpretations, the existing rules based on the Data Protection Act (Wbp) have been adopted as far as possible in their original form.

The increased exchange of personal data across the entire European Union has created a need for new legislation. New technologies mean that authorities and businesses can use personal data in their activities more than ever before, and indeed are keen to do so. Minister Dekker: ‘People need to have confidence that businesses and authorities will treat their personal data with due care. Especially given that data plays an ever greater role in our society and in the way we make money. As such, it is crucial that the rights of citizens are guaranteed and, in particular, that citizens are better able to exercise these rights effectively. That’s where the GDPR comes in.’

The processing of personal data plays an ever greater role at economic level. Consequently, in addition to the protection of personal data, the second objective of the GDPR is: to remove restrictions and to guarantee the free movement of personal data within Europe. The automated processing of personal data is not limited by national borders. Ensuring that regulations in this field vary as little as possible from one European country to another will therefore be beneficial at economic level. The key principles, obligations and rights will soon be identical for all member states. ‘Soon, Dutch companies will no longer have to deal with 28 different personal data authorities but will be able to deal with just one, the Dutch Data Protection Authority. That can only be a good thing’, says Minister Dekker.

All changes to rights and obligations will be a direct result of the GDPR. Citizens’ rights in the field of privacy will, for example, be reinforced, amongst others by the establishment of the right ‘to be forgotten’, which allows anyone to ask for their personal data to be erased. And citizens will have the right to receive their personal data in a readily transferable way from a company or organisation that has stored their data (data portability).

In addition, greater transparency and accountability is required from the government, organisations or businesses that process personal data. They must be able to demonstrate that they are acting in accordance with the GDPR (accountability) and must, for example, keep a record of their processing activities. In some cases, the GDPR also requires the appointment of a data protection officer.

Responsibility for supervising compliance with the GDPR and the GDPR Implementation Act has been vested with the Dutch Data Protection Authority. The Authority is independent in the performance of its supervision tasks.

In addition to the Dutch Data Protection Authority, the European Commission and the Ministry of Justice and Security, organisations such as the Confederation of Netherlands Industry and Employers (VNO-NCW) and the Association of Netherlands Municipalities (VNG) are involved in a wide range of information activities to familiarise controllers with the new regulations.