GDPR and privacy legislation: the details
Privacy is a hot topic. An increasing number of companies and organisations realise that data has become the new gold and gladly take what is there for the taking. This can conflict directly with the privacy rights of the person whose data is collected. Most organisations are familiar with the current privacy legislation, the General Data Protection Regulation (GDPR), known in Dutch as the 'Algemene Verordening Gegevensbescherming' (AVG).
Even if you are familiar with the GDPR, questions may remain, for example about processes that have been running for years and have never been assessed legally.
GDPR and Personal Data
What exactly does the GDPR require, and when does it apply? We explain below. We can also help you with the following topics:
- Rights of data subjects;
- The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and data breaches;
- Data processing agreements;
- Cookies and the proposed ePrivacy Regulation.
The GDPR harmonises data protection law across the EU. It has applied since 25 May 2018, when it replaced the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens), and it governs the processing of personal data.
But what counts as personal data under the GDPR? The regulation defines it as 'any information relating to an identified or identifiable natural person'. The test is whether the data can be linked to a specific person, the data subject. The link can be direct, such as a name, or indirect, such as location data or an online identifier (an IP address or a cookie identifier, for example). A stricter set of rules applies to special categories of personal data, such as religious beliefs, racial or ethnic origin, or health data.
When are personal data processed? Almost immediately. Processing is defined as 'any operation or set of operations which is performed on personal data or on sets of personal data', whether or not by automated means, such as collecting, recording, storing, altering, consulting, disclosing, erasing or destroying personal data. Merely holding personal data in a database is already processing.
Controller or processor?
Every organisation that processes personal data has a role under the GDPR: controller or processor. The controller determines the purposes and means of the processing and bears final responsibility for it and for the personal data involved. The controller is also the first point of contact for data subjects about their personal data.
The processor processes personal data on behalf of the controller and does not, in principle, decide how the data are handled; it follows the controller's instructions. The GDPR requires the controller and the processor to lay down these instructions and the processor's obligations in a data processing agreement.
When is the processing action lawful?
Processing personal data must be lawful, fair and transparent, and it must rest on one of the legal bases listed in the GDPR. The legal basis is the reason why the personal data may be processed at all; without one, processing is not permitted. The GDPR recognises six legal bases:
- consent of the data subject for one or more specific purposes;
- necessity for the performance of a contract to which the data subject is a party;
- necessity for compliance with a legal obligation to which the controller is subject;
- necessity to protect the vital interests of the data subject or another natural person;
- necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- necessity for the legitimate interests of the controller or a third party, provided these are not overridden by the interests or fundamental rights of the data subject (balancing of interests).
Consent of the data subject
Consent is one of these legal bases. Obtaining valid consent is not always possible and comes with conditions: consent must be freely given, specific, informed and unambiguous, and the data subject must be able to withdraw it as easily as it was given. Consent is not freely given where there is a clear imbalance of power. An employer therefore cannot simply ask an employee for consent to store specific personal data: because of the hierarchical relationship, the employee's consent is not considered freely given.
The GDPR also sets stricter requirements for the consent of minors, on the principle that they cannot yet be expected to understand the consequences of giving consent; for online services offered directly to a child, Dutch law requires parental consent below the age of 16. Finally, an even stricter criterion applies to special categories of personal data: consent is only valid if it is given explicitly. An unambiguous indication of wishes, which suffices for ordinary personal data, is not enough here. Are personal data of minors used, or are special categories of personal data involved? Then look critically at the requirements the GDPR sets for consent and do not assume too quickly that it has been given.
Other legal bases in the GDPR
Consent of the data subject is not always needed as the basis for processing. An organisation may also have a contract with the data subject, which then serves as the legal basis when the personal data are necessary to perform it. For instance, an online shop needs address details to deliver a product to the customer.
An organisation can also be legally obliged to process specific personal data. Tax law and employment law contain many obligations to process and retain personal data. Processing these data naturally does not require the data subject's consent.
Advice regarding the GDPR or privacy law?
If you are not sure whether your company meets the requirements for processing personal data, or if you want your product checked against the privacy rules before launch, JPR Advocaten has extensive expertise and knowledge in the field of GDPR and privacy legislation. We can also advise you throughout the process. And if you are a data subject whose personal data are being processed and you feel that your privacy has been violated, we can help you take action. Do not hesitate to contact one of our experts.