The EU’s General Data Protection Regulation (the “GDPR”) came into force on 25 May 2018. This means that it also applies to the Dutch business community. Organisations will therefore need, as far as possible, to be “GDPR-proof” in order to avoid high fines imposed by the Dutch Data Protection Authority (“DPA”) (up to a maximum of EUR 20 million or 4% of annual global turnover). According to a headline in the NRC Handelsblad newspaper on 19 April, despite enormous pressure from the DPA for them to ensure that their privacy rules were in order by the deadline, a lot of organisations were still not ready for the GDPR. It’s therefore really important for them to make the issue of privacy a priority. Part I of this blog discusses the main points of the GDPR, focussing in particular on the introduction of accountability and the new obligations for organisations in the context of the new Regulation. Part II discusses the role of the Works Council regarding implementation of the Regulation.
New obligations under the GDPR
The GDPR takes the place of the currently applicable (Dutch) Personal Data Protection Act [Wet bescherming persoonsgegevens, “Wbp”]. The GDPR is similar to the Wbp in many ways, but there are some slight differences. One key difference is that the GDPR stipulates that organisations must not only ensure that the obligations laid down in the Regulation are complied with; they must also be able to demonstrate how, specifically, that is done. This obligation of accountability plays an important role in the GDPR.
As a result of the GDPR, organisations will therefore have to take a critical look at all their departments, disciplines and work processes, and in that context will need to ask themselves where and how personal data is processed and whether that processing takes place in accordance with the GDPR.
They will then need to check what is expected of them as regards accountability, more specifically which new obligations apply to them. These include, for example, the obligation to maintain records. This requires organisations to maintain records that clarify the processing activities by specifying, inter alia, the categories of personal data being processed. The records themselves therefore describe the processing; no personal data is actually processed in them.
In a number of cases, the GDPR also requires a Data Protection Officer (a “DPO”) to be appointed. That person will advise on the application of the GDPR and will also be responsible for internal monitoring of compliance with the Regulation. He/she will also act as the contact for persons whose data is being processed. Organisations that are required to appoint a DPO include government authorities and public bodies, but also hospitals (where the processing of health-related data is a core activity of the organisation) and research institutes that use health-related data. But even if the GDPR does not oblige a business to appoint a DPO, it can do so voluntarily.
The GDPR also refers, among other things, to the obligation to carry out a “data protection impact assessment”, prior consultation with the DPO, the principle of “data protection by design” and “data protection by default”, requirements regarding system security, and the obligation to report data breaches.
The GDPR and the Works Council
In view of the above, a lot of organisations have been working hard on an inventory and implementation process and on writing (or rewriting) policies and rules. That also applies to HR departments, given that they process personal data on a large scale in connection with people’s employment. In the context of the GDPR, the question is whether – and if so how – the Works Council should be involved in implementation of the new Regulation. We will go into that question in greater detail in Part II of this blog. We will focus, on the one hand, on the Works Council’s right to information and its right of initiative and, on the other, on its right to advise and endorse.
If you have any questions about privacy and the Works Council, or employee participation law issues in general, please contact Carola Meyer-de Swaan. Questions about privacy and the GDPR can be directed to Danny Vesters.