Protection of personal data (GDPR)

Published by:
Netherlands Enterprise Agency, RVO
Checked 28 Feb 2025

Do you use or store personal data from employees, customers, or others? Then you must take extra measures to protect the data. This way you ensure the privacy of the people whose data you store. You must keep to the General Data Protection Regulation (GDPR or Algemene Verordening Gegevensbescherming, AVG), the European privacy law.

The GDPR applies if your business:

  • is based in the EU and processes personal data. It does not matter where the actual data processing takes place;
  • is established outside the EU but processes personal data because your company offers goods or services to individuals in the EU, or monitors the behaviour of individuals within the EU.

Non-EU based companies processing EU citizens' data need to appoint a representative in the EU.

What are personal data?

Personal data are data that identify people. These data can only be used in certain situations. Personal data include:

  • name, address, and phone number
  • camera or audio recordings
  • health data
  • citizen service number (burgerservicenummer, BSN).

What is processing of personal data?

The GDPR specifies which rules to follow with regard to data processing. Data processing entails every action you conduct with personal data. This includes manual actions and automatic actions. Whether you use all personal data or only a part of the data does not matter: both are considered data processing. Processing personal data includes:

  • collecting, recording, organising, and structuring
  • saving, updating, and editing
  • requesting, consulting, and using
  • forwarding and distributing
  • aligning and combining
  • filtering, deleting, and destroying.

When can you use personal data?

You need a good reason to use personal data. The GDPR lists 6 of these reasons: the 6 legal bases. A good reason is, for example, when your client or employee has given their consent. You can also use the information if it is necessary to carry out a service. For instance if you need a customer’s address to deliver goods.

Special categories of personal data

There are more restrictions regarding special categories of personal data. This means data that is sensitive, such as data about a person’s health, political opinions, or trade-union membership. You are not allowed to use these data unless you have legal grounds for it. For any data from the special categories, additional safeguards must be put in place to protect it. This also applies to data related to criminal offences.

Keeping personal data safe

You have a duty to take measures to protect any personal data you collect and store. Pay attention to the following matters in your privacy policy:

  • You are not allowed to collect or keep more personal data than strictly necessary.
  • Only a (very) limited number of people in your company should have access to this data.
  • You should not keep personal data for longer than necessary (retention period).
  • You may have to carry out a Data Protection Impact Assessment (DPIA). With a DPIA you assess the risks of data processing within your company, so you can take measures to minimise these risks.

Duty to disclose information

The GDPR stipulates that you must justify the registration and use of data in your possession. You must provide transparent information. You should let your customers or staff know:

  • which personal data you intend to use
  • why you use this data
  • if you pass on or sell their personal information to third parties
  • your own details (company name and address).

For a complete list of information you have to provide, you can consult the official legal text of the GDPR.

It is mandatory to include a privacy statement on your website. The privacy declaration generator (privacyverklaringgenerator, in Dutch) helps you write a text for your privacy statement.

Do I need to report processing of personal data?

You do not need to report processing of personal data. However, in some cases you are required to appoint a Data Protection Officer (DPO or Functionaris gegevensbescherming, FG). A DPO monitors how personal data is processed and informs and advises employees about their obligations regarding data processing. A DPO is also the contact person for the Dutch Data Protection Authority (Dutch DPA, Autoriteit Persoonsgegevens).

You do need to report to the Dutch DPA and apply for a licence (in Dutch) if you intend to work with a blacklist that you want to share with for instance other businesses in your sector.

Share data with countries inside and outside the EEA

Do you share personal data with a party from another country? That is called transferring. Transferring personal data from the Netherlands to another country is only allowed if that country offers sufficient protection. The European Commission decides which countries offer sufficient protection and keeps a list of them.

Do you exchange personal data with a country that is not on the list? You must make sure an appropriate safeguard is in place. You can use a model contract, a code of conduct, or draw up a corporate code for this.

Reporting theft, loss, or abuse of personal data

In case of a data breach, you must notify the Dutch DPA (in Dutch) within 72 hours. If it concerns a cross-border data breach, in general you should notify the DPA of the country where your company’s headquarters is situated. You must also notify the persons involved of any theft, loss, or abuse of personal data for which you are responsible. The GDPR demands that businesses register and file all data leaks.

If you fail to notify a data breach in time, the Dutch DPA may impose a fine. You must keep an internal record of all data breaches. You can find more information in the step-by-step plan for a data breach.
