Privacy Regulation: new requirements on processing personal data

European legislation on privacy and processing of personal data will be rigorously revised. After the creation of the European framework in the Privacy Directive 95/46/EG (the “Privacy Directive”) two decades ago, on 27 April 2016, the European Parliament and Council of the European Union adopted the General Data Protection Regulation (the “Privacy Regulation”). The Privacy Regulation came into force on 25 May 2016 and will apply to the processing of personal data within the European Union from 25 May 2018 onwards. Hence, companies have until 25 May 2018 to comply with the Privacy Regulation. This newsflash elaborates on its requirements.

Currently: the Privacy Directive

The Privacy Directive was adopted in 1995. A directive does not have a direct effect, but instructs Member States on the requirements of their national legislation. In the Netherlands, the Privacy Directive was implemented in (amongst others) the Dutch Data Protection Act (Wet bescherming persoonsgegevens). The advantage of the range provided by the Privacy Directive is that it gives Member States a certain leeway; the disadvantage is the differences in legislation on privacy and processing of personal data within the EU.

As of May 2018: the Privacy Regulation

In 2012, the European Committee announced its intention to harmonise privacy law in the European Union by means of a regulation. Contrary to a directive, a regulation is directly applicable in all Member States. In December 2015, the Member States agreed upon the regulation’s text. In April 2016, the European Parliament and the Council of the European Union adopted the Privacy Regulation. On 25 May 2016, the Privacy Regulation came into force. To allow all parties concerned ample opportunity to comply with the new requirements, a two-year transition period was adopted. Therefore, the legal regime of the Privacy Regulation will start applying per 25 May 2018. As of that date, only one privacy law will apply in all of the EU, instead of 28 different national laws. Until that time, in the Netherlands, the Wbp stays in place.

The Dutch implementation act

On a number of important topics, the Privacy Regulation still offers its Member States some leeway to draft their own rules. Also, the regulation includes many open concepts and norms that need to be shaped and sharpened in practice: this too requires national legislation. To this extent, the Ministry of Safety and Justice made the Implementation Act for the General Data Protection Regulation available for online consultation on 9 December 2016. The purpose of the consultation is to inform citizens, companies and institutions on the preparation of the implementation act and enable them to respond to the legislative proposal. Response is possible until 20 January 2017; then, the implementation act will be processed by the Dutch House of Representatives (“Tweede Kamer”) and Senate (“Eerste Kamer”). The (draft) implementation act is of importance, because it shows how the Dutch government intends to deal with the Privacy Regulation. The clarification on the implementation act explains that the act mainly serves (i) to execute the implementation of the stipulations with regarding the Data Protection Authority; and (ii) to utilise the leeway allowed by the Privacy Regulation to the different Member States to interpret and implement the regulation. On this matter, the clarification states that the proposal assumes ‘policy neutrality’. This means existing legislation remains in effect as much as possible, except when this is contrary to the Privacy Regulation. The implementation act contains 48 provisions. A significant part of these provisions concerns the Data Protection Authority. Substantial attention is paid to “special personal data”. As soon as the final version of the implementation act is available, Ovidius will provide an update thereon.

Scope Privacy Regulation

The territorial scope of the Privacy Regulation is larger than that of the Privacy Directive. The territorial scope of the regulation has been expanded to beyond the EU, and the regulation is also applicable to processors. The Privacy Regulation applies to the processing of personal data in the context of activities of an EU based entity, either by a processing controller or processor; regardless of whether the processing actually takes place within the EU or not. The Privacy Regulation will also apply to the processing of personal data from data subjects inside the EU, when their data is processed by acontroller or processor outside the EU, and the processing relates to (i) offering goods and services to those EU data subjects, regardless if the data subject pays for the goods or services; or (ii) monitoring the behaviour of the EU data subject in the EU only. Finally, the Privacy Regulation will apply if, based on international public law, the legislation of a Member State is applicable to a non-EU-based controller. As a result of the expanded reach , companies are more likely to fall within the scope of the Privacy Regulation and all its obligations. Companies to which the Privacy Directive did not apply previously in particular have to investigate carefully whether or not they now fall within the scope of the Regulation. The substantive scope of the new Privacy Regulation is in line with the substantive scope of the Privacy Directive. Like the Privacy Directive, the Privacy Regulation applies to both completely and partially automated processing of personal data, and to non-automated processing of data (to be) included in a file. For example, the Privacy Regulation applies to companies that exchange data to outsource their payroll administration to external data hosts (iCloud, Dropbox, etc.) or to an e-mail solution. Like the Privacy Directive, the Privacy Regulation includes a few exceptions to her jurisdiction. For instance, the Privacy Regulation does not apply to data processing by a natural person for activities with exclusively personal or menial purposes. Another exception is, for example, processing data in the interest of national security.

What does the Privacy Regulation expect from you?

The Privacy Regulation emphasizes on organisations’ responsibility to abide with the law and to demonstrate their compliance to the law (‘accountability’). To this extent, the Privacy Regulation dictates a set of binding measures all companies (in their capacity of controller) must implement. Some important obligations:

  • Obligations to demonstrate compliance and to register: as of 25 May 2018, entities are no longer required to notify the national regulator when processing personal data. Instead, the obligation to demonstrate compliance will apply: every entity has to demonstrate it has taken all necessary organisational and technical measures to comply with the Privacy Regulation. Moreover, the entity has to set up a register mentioning processed personal data, and maintain this register. This register should also include the purpose and retention period of said processing.
  • Consent: in certain instances, processing personal data requires the data subject’s consent. The Privacy Regulation emphasizes on the rules on consent. For example, an entity has to be able to demonstrate that the consent was given validly. Moreover, it has to be as easy to withdraw, as it is to give one’s consent.
  • Data Protection Officer: under the Directive, it was already possible to appoint an officer to supervise the processing of personal data. This person is, among other things, responsible for inventory data processing and for recording of all reports of data processing. Moreover, the officer is the contact person for all complaints and questions in- and outside the organisation. Under the Privacy Regulation, some companies are obliged to appoint a data protection officer. This applies to, amongst others, entities that process vast amounts of special personal data (such as medical data).
  • Privacy Impact Assessment (PIA): should a company intend to apply a specific type of processing (where new technologies are being used), the company can be obliged to perform a privacy impact assessment (“PIA”) beforehand. This is the case when the processing entails a serious privacy-risk for the data subjects concerned. During the PIA the impact of the project planned is evaluated, as well as the accompanying potential risks and less risky alternatives that lead to the same results.
  • Extensive privacy statement: it is mandatory for companies to publish a privacy statement. The Privacy Regulation sets requirements to the content and form of this statement. One of the requirements includes the necessity to draft the statement in comprehensible language.

Are you ready?

It is important to prepare your company for the obligations the Privacy Regulation imposes. Ovidius is happy to help!


Follow our team and the latest news

This error message is only visible to WordPress admins

Error: No feed found.

Please go to the Instagram Feed settings page to create a feed.