Do you use or store personal data from employees, customers, or others? Then you must take extra measures to protect the data. This way you ensure the privacy of the people whose data you store. You should comply with the European privacy law, the General Data Protection Regulation (GDPR or Algemene Verordening Gegevensbescherming, AVG).
The GDPR applies if your business:
- is based in the EU and processes personal data. It does not matter where the actual data processing takes place;
- is established outside the EU but processes personal data because your company offers goods or services to individuals in the EU, or monitors the behaviour of individuals within the EU.
Non-EU based companies processing the data of EU citizens need to appoint a representative in the EU.
Types of personal data
Personal data that identify people can only be used in certain situations. These data include:
- phone number
- citizen service number (burgerservicenummer, BSN).
What is processing of personal data?
The GDPR specifies which rules to follow with regard to data processing. Data processing entails every action you conduct with personal data, whether manual or automatic. It does not matter whether you use all personal data or only a portion of the data; both are considered data processing. Processing personal data includes:
- collecting, recording, organising and structuring
- saving, updating and editing
- requesting, consulting and using
- forwarding and distributing
- aligning and combining
- filtering, deleting and destroying.
When can you use personal data?
You need a good reason to use personal data. A good reason is, for example, when your client or employee has given their consent. You can also use the information if it is necessary to carry out a service, for instance when you need a customer's address to deliver goods.
Special categories of personal data
There are more restrictions regarding special categories of personal data, meaning data that are sensitive, such as data about a person's health, political opinions or trade-union membership. You are not allowed to use these data unless you have legal grounds for it. For any data in a special category, additional safeguards must be put in place to protect it.
Keeping personal data safe
You have a duty to protect any personal data you collect and store. This means:
- You may not collect or keep more personal data than strictly necessary
- Only a (very) limited number of people in your company should have access to this data
- You should not keep personal data for longer than necessary
- You may have to carry out a Data Protection Impact Assessment
Take a look at 10 steps you can take to make your business GDPR compliant.
Duty to disclose information
The GDPR stipulates that you must justify the registration and use of data in your possession. You must provide transparent information. You should also let people know:
- which personal data you intend to use
- why you use this data
- if you pass on or sell their personal information to third parties
- your own details (company name and address).
It is mandatory to include a privacy statement on your website. The privacy declaration generator (privacyverklaringgenerator, in Dutch) helps you write a text for your privacy statement.
Do I need to report processing of personal data?
Are you starting a company in the Netherlands and do you intend to process personal data? You do not need to report this to the Dutch Data Protection Authority (Dutch DPA, Autoriteit Persoonsgegevens). You need to report to the Dutch DPA and apply for a licence (in Dutch) if you intend to work with a blacklist that you want to share with for instance other businesses in your sector. You also need to do this to work with data related to criminal offences.
In some cases you are required to appoint a Data Protection Officer (DPO or Functionaris gegevensbescherming, FG). A DPO monitors how personal data is processed and informs and advises employees about their obligations regarding data processing. A DPO is also the contact person for the Dutch DPA.
Reporting theft, loss or abuse of personal data
In case of a data breach, you must notify the Dutch DPA (in Dutch) within 72 hours. For a cross-border data breach, you should in general notify the DPA of the country where your company's headquarters is situated. You must also notify the persons involved of any theft, loss or abuse of personal data for which you are responsible. The GDPR demands that businesses register and file all data leaks. If you fail to notify a data breach in time, the DPA may impose a fine.