10 steps to comply with the GDPR in the Netherlands

Published by:
Netherlands Enterprise Agency, RVO
Netherlands Enterprise Agency, RVO
Netherlands Chamber of Commerce, KVK
Netherlands Chamber of Commerce, KVK

The General Data Protection Regulation (GDPR) consists of several rules for the (automatic) processing of personal data. This EU regulation means individuals have more rights when it comes to their personal data. And that your business must consider more rules and requirements to comply with the GDPR. Find out what is covered by the GDPR and use this checklist to make sure your business complies with the rules.

Watch this video for an example of how to apply the GDPR. The video takes an e-commerce example, but gives a sense of how all entrepreneurs can think of their customer's data and privacy.

What is the GDPR?

The GDPR is a European privacy regulation. It ensures the careful processing of personal data by businesses and organisations. For instance, you must have a good reason to process personal data. And you are not allowed to gather and use more data than is necessary. These rules apply across the European Economic Area (EEA). GDPR stands for General Data Protection Regulation. In the Netherlands, the GDPR is often referred to as the AVG or Algemene Verordening Gegevensbescherming.

Why was the GDPR introduced?

The GDPR is a set of rules that helps to better protect everybody’s right to privacy. The GDPR means entrepreneurs have to handle personal data carefully. No matter if it is the data of clients, personnel, or others. Businesses must be able to prove they abide by the GDPR when they process personal data.

What does 'processing personal data' mean?

'Processing personal data’ includes:

  • collecting
  • storing
  • using
  • forwarding
  • sharing
  • distributing
  • merging

For example, if you sell products to customers online, you collect their personal details to be able to ship their orders. Or if you send a newsletter to a distribution list, you are using personal data.

Who does the GDPR apply to?

If your business is located in the Netherlands, you need to comply with GDPR. Also if your business is in one of the EU member states or the EEA. Even if it is only a subsidiary or branch. And even if one of your customers, suppliers or any other stakeholders are residents of an EU member state, you need to comply with the GDPR.

The GDPR applies to all businesses and organisations who process personal data. Even when sending a quotation, invoice or newsletter. It does not matter if you process the data by hand or by an automated process. Nor does it make any difference if you process the data on your own behalf or someone else’s.

    The Dutch Data Protection Authority (DPA) checks that you comply with the GDPR. If they find you do not adhere to the GDPR principles, they may issue a large fine.

    File a complaint with the DPA

    Anyone who believes their personal data has been processed in a way that is not in accordance with the GDPR can file a privacy complaint with the DPA (in Dutch).

    10 steps to become GDPR compliant - what are the requirements?

    You want to comply with the GDPR, but you are not certain how to do it. Here are 10 steps to make your business in the Netherlands GDPR compliant.

    1. Get informed about the GDPR and check if you are allowed to process personal data

    Read about the GDPR, or attend an information session. Do you have staff? Involve the employees who process personal data. They can assess the impact of the GDPR on your current processes, services, and products. They can also determine what you need to do to comply with the GDPR.

    2. Check whether you may process personal data

    You are allowed to process personal data in these 6 circumstances:

    • You have permission from the person involved;
    • You need the data to fulfil an agreement. For instance, you need address details to deliver your product to your customer;
    • You need the data to meet a legal obligation;
    • You need the data to protect someone’s life or health, and you cannot ask that person for permission;
    • You need the data to execute a task in the general interest;
    • You have a justified cause for processing the data. For instance, you must process personal data in your personnel records to be able to pay wages.

    These circumstances are the legal bases (Chapter II, article 6) for processing personal data.

    Ask permission to process data

    Some data processing activities require the permission of the persons involved. Also, you have to be able to prove that the permission was given. It pays to analyse how you request, acquire, and register people’s permission to process data.

    3. Inform your customers of their rights under the GDPR

    Your customers have extensive privacy rights. You must enable them to use these rights. For instance, your customers can:

    • View, edit, and delete their data;
    • Curb or withdraw any permissions previously given by them;
    • Request their data to facilitate their move to a different company service provider. This is called data portability (in Dutch - follow the link to download the EU guidelines about this).

    Your customers can file a complaint with the DPA. The DPA is obliged to deal with every complaint.

    4. Keep a record of your processing activities

    You have to prove you are accountable for how you process data. To do so, you are obliged to keep a record of how and why you process personal data. This is called a processing register. The record has to contain information on where the data comes from and who you share it with. You must be able to notify the organisations you share data with of any changes or deletions of customer data.

    This register falls under what is known as accountability. You must always be able to justify how you handle data.

    5. Find out if you need to perform a Data Protection Impact Assessment (DPIA)

    Do you process data with a high privacy risk? You will need to perform a Data Protection Impact Assessment (DPIA). A DPIA is an extensive survey to chart the risks of data processing. Based on the DPIA, you can take measures to reduce the privacy risks.

    Are you unable to take risk-reducing measures? Then confer with the DPA before you start processing the personal data. The DPA will determine whether the data processing is allowed according to the GDPR, or not. You will receive written advice.

    You run a high privacy risk if you:

    • Evaluate personal aspects in a systematic and extensive manner, based on automatic processing, including profiling, and if on these evaluations you base decisions that have consequences for people;
    • Process special personal data on a large scale, or process criminal data;
    • Systematically follow people on a large scale in a public access area, for instance by using CCTV.

    View a list of processing methods that require a DPIA (in Dutch).

    6. Take privacy into account when designing new products or services

    When you devise new products or services, ensure that personal data are already well-protected in the design phase. This is referred to as ‘privacy by design’. You should not process more personal data than is necessary. This is referred to as ‘privacy by default’. Examples include:

    • An app should not record the user’s location without good cause;
    • Do not pre-check the ‘yes, I want to receive offers’ radio button on your website;
    • Do not ask for more information than necessary to record a subscription to a newsletter.

    7. Find out if you need a data protection officer

    Does your company process data on a large scale? Then you may be obliged to employ a Data Protection Officer or DPO (in Dutch). This is called a Functionaris Gegevensbescherming or FG in Dutch. A DPO is responsible for checking if your organisation acts in accordance with the GDPR. Your organisation can also appoint a DPO voluntarily. On the DPA website, you can find Guidelines on Data Protection Officers plus the FG registration form (in Dutch).

    8. Document and report data leaks

    A data leak means personal data are released that should not be. Examples are:

    • You lose a laptop, tablet, storage device, or papers that contain non-encrypted personal data;
    • You email personal data to the wrong person;
    • The personal data you process is stolen in a cyber attack;
    • Your system has been infected with ransomware, rendering the personal data inaccessible.

    You have to report every serious data leak to the DPA. Also, you must record and document every data leak in your organisation, even the internal ones that you do not have to report. View the guidelines to find out which data leaks to report. These guidelines have not been made final. You only have to notify the persons whose data are involved in the data leak, if it has serious consequences for their rights and freedoms.

    Do you process privacy-sensitive data on behalf of your clients? Then you will have the legal obligation to report any data leaks occurring during those processes to them, so they can notify the DPA.

    9. Draw up a data processor agreement

    Do you work with companies that process personal data on your behalf and which follow your instructions? Make sure you draw up a data processor agreement in accordance with GDPR Articles 28 and 29. Even if the processing company is affiliated with your company, or based abroad. A helpdesk viewing the data constitutes a form of processing. Did you have a data processor agreement under the Protection of Personal Data Act (Wbp)? Be aware that the GDPR is stricter. Most likely you will have to draw up a new agreement.

    10. Determine the supervisor for your company

    Is your organisation active in several European countries? Or do your data processing activities affect several EU member states? The GDPR requires you to deal with only one privacy supervisor, for instance, the Dutch DPA. This is called the one-stop-shop mechanism.

    Transferring personal data outside the EEA

    You are only allowed to transfer personal data to a country outside the EEA if that country observes the privacy rules. The EU has listed 14 countries as compliant. You can use this checklist for those countries.

    Do you want to exchange personal data with a country that is not on the list? The person processing the data must make an official statement that they will process the data according to the GDPR. This is called ‘an appropriate safeguard’. You can use a model contract for this (pages 7 and onwards).

    Does your organisation have branch offices in non-EEA countries? You can draw up binding corporate rules on how to deal with personal data.

    Read more about the rules and exceptions for transferring personal data outside the EEA.

    Questions relating to this article?

    Please contact the Netherlands Enterprise Agency, RVO