Data protection law
Data protection law is essential at a time when personal data is collected and shared on a massive scale. Whether you are a media company that processes personal data, or an individual whose privacy is being infringed: we can advise you. Think of GDPR compliance, data breaches, a privacy impact assessment or the right to a private life and social media.
GDPR compliance
With the introduction of the General Data Protection Regulation in 2018, organisations that collect and use personal data have been given more responsibilities. The people whose data is used have, by contrast, been given more rights. Where organisations do not comply with the rules, they can be fined. Not only large companies, but also small businesses and individuals who process personal data must comply with this.
The GDPR has six basic principles that give direction to careful and lawful use of personal data:
1. Lawfulness, fairness and transparency
You may only process personal data if you have a valid legal basis for it. The GDPR has six:
- You have the consent of the data subject.
- The processing is necessary to perform a contract.
- You are under a legal obligation to process the data.
- The processing is necessary to protect vital interests.
- You are carrying out a task in the public interest or exercising official authority.
- You have a legitimate interest in the processing.
Stricter rules apply to criminal-law data and to special categories of personal data, such as data about someone’s health, race or political opinions. Processing must, moreover, be reasonable and fit within social norms. And: data subjects have the right to know which data about them is being processed.
2. Purpose limitation
Only collect data for a purpose that is determined in advance, specific and legitimate. Do you want to use the same data later for something else? Then you need a new legal basis for that. So you do not quietly deploy data that you collected for purpose A for purpose B.
3. Data minimisation
Process as little personal data as possible. No more than what is strictly necessary for the purpose for which you collected it. More data is not an advantage here, it is a risk.
4. Accuracy
Make sure that the data you process is correct and up to date. Anyone whose data is held by your organisation may ask you to correct it if it is inaccurate. You cannot simply set that request aside.
5. Storage limitation
You do not keep data longer than is necessary for the purpose for which you collected it. For each category of personal data you set retention periods. That is not a nice-to-have, but an obligation.
6. Confidentiality and integrity
You secure the data you process properly. That means: access only for those who need it, and protection against loss, unauthorised access or damage. A clear authorisation policy is no needless luxury here.
Data breach
In a data breach, people have access to personal data without this being permitted or without this being intended. A data breach can arise, for example, through security problems, but also through mistakes such as sending an email to the wrong address or selling a computer without wiping the hard drive.
If it is likely that the data breach creates a risk for the people it affects, then, as the processor of the personal data that has been leaked, you are obliged to report a data breach within 72 hours to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP). Factors that can play a role in assessing the risk of a data breach are the following:
- the nature of the breach;
- the nature and sensitivity of the personal data and the quantity;
- the ease with which individuals can be identified;
- the seriousness of the consequences for the victims;
- characteristics of the unauthorised recipient;
- special characteristics of the individual;
- special characteristics of your organisation;
- the number of victims.
We can help with making a risk assessment and advise on whether or not a data breach must be reported to the AP. We can then also make that report. We can also advise on whether the victims of the data breach must be personally informed of it.
In addition, an organisation is obliged to draw up and keep a data breach register. All data breaches that have occurred within an organisation are recorded in it. This may concern a wrongly addressed email, the loss of a laptop full of personal data, or a hack or cyberattack.
DPIA (Data Protection Impact Assessment)
A business is obliged to carry out a Data Protection Impact Assessment when it is going to process personal data that is likely to entail a high risk for the data subjects. This may be the case with the use of new technologies or large-scale processing of personal data. A DPIA is in any event mandatory where there is large-scale processing of special categories of personal data (for example health data or criminal-law data), systematic and large-scale monitoring of publicly accessible areas, systematic and extensive profiling on which decisions are based that have legal consequences for individuals, and the use of new technologies that are likely to entail a high privacy risk.
The aim of a DPIA is for an organisation to gain insight into the possible negative consequences of a data processing operation for the privacy of the data subjects.
The basic requirements placed on a DPIA are as follows; a DPIA must in any event contain:
- a systematic description of the data processing you intend to carry out and the purposes for it.
- an assessment of the necessity and proportionality of the processing of personal data.
- an assessment of the privacy risks for the people whose personal data you want to process.
- the measures envisaged to address any risks and a description of why the processing complies with the GDPR.
We can advise on whether a DPIA must be carried out. If necessary, we can also carry out such a DPIA.
The right to a private life as a fundamental right
The Dutch Constitution sets out the right to respect for one’s private life. That means that the government and others must respect your privacy. An example of this is that someone may not simply enter your home, or a prohibition on covert camera surveillance.
In these situations it is always a matter of balancing interests. The right to privacy is weighed against other interests such as security, journalistic freedom or criminal investigation. If someone does nevertheless commit an infringement, then you can often hold the person responsible for it liable. In some cases damages can be claimed.
Social media and privacy
Social media are indispensable for makers, artists and companies. But using them brings privacy questions with it. Think of sharing photos, videos and personal data of third parties. This could lead to infringements of the portrait right or infringement of your privacy rights. We advise on limiting these risks and help with using social media lawfully and safely. See also Unlawful publication on this.
All practice areas