Safeguarding control over personal data is an important element of the right to privacy. Protecting personal data matters all the more today, when rapid technological developments and the use of the Internet make a great deal of information about us available to others. At the European level, the General Data Protection Regulation is, amongst others, of great importance in this context.
The General Data Protection Regulation
On 25 May 2018, the General Data Protection Regulation (GDPR) came into force in the Netherlands and replaced the Personal Data Protection Act (PDP). Because disputes concerning privacy and the related processing of personal data are often cross-border in nature, it was important, among other things, that the legislation also crosses borders. This is one of the important changes brought about by the GDPR: harmonisation of the privacy legislation of European countries.
The GDPR applies to all processing of personal data in the context of the activities of an establishment of the controller within the European Union, with the exception of four situations laid down in this Regulation, including the processing of personal data in the context of a personal or household activity, or the processing of personal data by competent authorities in the context of the prevention, investigation, detection or prosecution of criminal offences. The processing of personal data does not have to take place in the European Union in order to be protected by the GDPR.
Personal data
But what exactly are personal data? The concept of personal data includes all information about an identified or identifiable natural person. A person is identified or identifiable if he or she can be identified directly or indirectly on the basis of (the combination of) different data about that person.
There are different types of personal data. The most important distinction is between personal data and special categories of personal data, since considerably more safeguards apply to the protection of special categories of personal data. These special categories of personal data include, as stated in the GDPR, "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as biometric data for the unique identification of a person, or data concerning health or data relating to a person's sexual behaviour or sexual orientation".
The GDPR states that basically everything that is done with personal data involves the processing of personal data. As a result, the scope of the GDPR is very broad. The processing of personal data is subject to a large number of conditions and justifications laid down in the GDPR.
Rights of data subjects
The rights of the person whose personal data are processed (referred to as the 'data subject') are laid down in the GDPR. The strengthening of existing rights and the addition of new rights is one of the changes in legislation compared to the PDP, which has brought about major changes for all parties involved in the processing of personal data. Of great importance are the requirement of consent, for which the conditions are laid down in a separate article, and the entry into force of the right to be forgotten and the right to data portability.
The right to be forgotten gives the data subject the right to request that an organization remove his or her personal data and to demand that the personal data also be removed by third parties to whom the organization has sent the personal data. The right to data portability gives the data subject the right to receive his or her personal data from an organization and, if desired, to send them to an organization providing the same kind of service. Think of moving personal data from one social media platform to another.
Drawing up a privacy statement is a legal obligation that serves to inform the person concerned about the purpose of processing his or her personal data. For example, a privacy statement can be placed on the website of an organisation that processes the personal data of visitors to the website. There is also an internal privacy statement, in which an employer informs his or her employees whether or not personal data is being processed, including the purpose of the processing.
Data breaches
Where people work, mistakes are made. And although more and more activities are being automated nowadays, it can never be ruled out that a mistake will be made. Incorrect processing of personal data is called a data breach. The GDPR requires that a data breach be reported to the Dutch Authority for Personal Data (AP) within 72 hours of its discovery. Keeping a register of data breaches is also a mandatory part of an organisation's privacy accounting.
Compliance with the GDPR is supervised by the AP. If the rules laid down in the GDPR are not complied with, a substantial fine may be imposed by the AP. In addition, the AP is an important body advising the government on issues relating to the processing of personal data.
Other legislation
In addition to the GDPR discussed above, other regulations also apply in the area of privacy and the protection of personal data. These include the Directive on the processing of personal data by competent police and criminal law authorities (Directive 2016/680) and the e-Privacy Directive, which applies to privacy in electronic communications. There is currently a proposal to replace the e-Privacy Directive with an e-Privacy Regulation, which would apply equally throughout the EU. The e-Privacy Directive, which is still in force, has been implemented in the Netherlands in the Telecommunications Act. In addition, many other laws may contain rules regarding privacy and data processing. It is always important to check which law prevails and therefore applies to your situation.
Contact
The text above summarises the main elements of the GDPR and lists other legislation applicable to privacy. The multitude of rules on privacy and the processing of personal data makes privacy related issues very complex. If you are wondering whether your organization complies with the privacy legislation, or would like assistance in complying with this important legislation, please contact Legal Q. We will be happy to help you!