GDPR compliance in the Benelux: let the controls begin!

The Dutch Data protection authority (Autoriteit persoonsgegevens –“AP”) recently informed the public that they were assessing the GDPR compliance level of large companies in the Netherlands. In doing so, the authority took advantage of its new powers under article 30.4 of the EU General Data Protection Regulation (“GDPR”).

The AP already selected thirty companies and examined whether they were keeping an internal record of their processing activities. The AP also examined whether the record of the given companies contained accurate information regarding their data processing activities. Having an up-to-date record of processing activities is considered by the AP to be a positive element in the evaluation of companies’ willingness to comply with the GDPR. The companies subject to this control were seemingly selected at random. They are spread over the whole Dutch territory and are active in the following sectors: industry & metal, water board, construction, trade, hotel & catering, travel, communication, financial services, business services and healthcare. 

According to the GDPR, the record of processing activities must be established in written form (electronic or not) and continuously kept up-to-date. It must contain an overview of the processing activities of the company (description of the categories of data subjects, the categories of personal data, the purposes of the processing, the envisaged time limits for erasure of the different categories of personal data, the applicable security measures, transfer to their parties, etc.).

There is a limited exception to this general obligation for small companies employing fewer than 250 persons which, in principle, do not have to maintain a record of processing activities. However, the aforementioned ‘small companies’ will still have to establish and maintain such a record if one of the three following conditions is met:

  • The processing entails a risk for the rights and freedoms of data subjects;
  • The processing of personal data is “not occasional” (in this respect, the AP considers that processing structural data, such as employees’ data, must be considered as not occasional); or
  • The processing includes sensitive personal data (e.g. data relating to racial or ethnic origin, religious or philosophical beliefs, health, political opinions, union trade membership, as well as criminal data). 

The AP is one of the first data protection authorities to conduct such a control in the EU. It shows that the AP has decided to play a more proactive role in assisting companies on the road to GDPR compliance, an approach that may also be followed by other European data protection authorities. 

In any case, more than two years after the adoption of the GDPR (on 27 April 2016), and almost two months after its effective application date (25 May 2018), it is now really time for companies to be able to show that they have done their homework, starting with a proper ‘data flow mapping exercise’ and the internal recording thereof.