NETHERLANDS LAW AND PRACTICE Contributed by: Friederike Henke, Ingrid Cools, Philip ter Burg, IJsbrand Uljée, Suzan van de Kam and Epke Spijkerman, BUREN
goods and/or their destruction, as well as dam - ages.
ing, and a processor as the party who processes personal data on behalf of a controller. Both con - trollers and processors are subject to the rules in the GDPR. The GDPR stipulates that, in order to be able to demonstrate compliance, controllers must adopt internal policies and implement measures that satisfy the principles of data protection by design and data protection by default. The processing of personal data (including dis - closure to third parties) must be lawful, trans - parent and fair. It must be limited to specific purposes and to the data necessary for these purposes (data minimisation). Other principles are that the data must: • be accurate; • be kept secure; and • not be stored for any longer than needed (storage limitation). The GDPR also requires businesses to inform data subjects of how their data is used and to document their compliance with the GDPR. Data subjects have the right to access their personal data, to request corrections, and to have their data deleted (or restricted) under certain condi - tions. Controllers and processors must designate data protection officers (DPO’s) in the following cir - cumstances: • if they are public authorities; • if their core activities consist of the regular and systematic monitoring of data subjects on a large scale; or • if their core activities consist of process - ing sensitive personal data on a large scale
8. Data Protection 8.1 Applicable Regulations The main regulations applicable to personal data protection in the Netherlands are: • Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR); and • the Dutch GDPR Implementation Act ( Uitvoer- ingswet AVG ) of 16 May 2018. The GDPR The GDPR is a uniform and unitary data protec - tion law applicable throughout the EU and EEA, and is directly applicable in the Netherlands. It allows EU member states to enact additional implementing provisions – eg, in relation to spe - cial categories of personal data as referred to in Article 9 (1) of the GDPR, and providing for certain exemptions for scientific or historical research or statistical purposes, for authentica - tion and security purposes, etc. The Netherlands has exercised this right by introducing the GDPR Implementation Act. The GDPR defines “personal data” as any data that can be traced back to specific individuals (the data subjects), either directly or indirectly. Health data, genetic data, data about race or ethnicity, and other special categories of per - sonal data, as well as personal data relating to criminal convictions and offences, enjoy addi - tional protection. The GDPR defines a controller as the party who determines the purpose and means of process -
555 CHAMBERS.COM
Powered by FlippingBook