20 July 2018 / article

GDPR compliance in the Benelux: let the controls begin!

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “AP”) recently informed the public that it was assessing the GDPR compliance level of large companies in the Netherlands. In doing so, the authority made use of its new powers under Article 30(4) of the EU General Data Protection Regulation (“GDPR”), which obliges controllers and processors to make their record of processing activities available to the supervisory authority on request.


The AP has already selected thirty companies and examined whether they keep an internal record of their processing activities. The AP also examined whether the records of those companies contained accurate information about their data processing activities. The AP regards an up-to-date record of processing activities as a positive indicator of a company’s willingness to comply with the GDPR. The companies subject to this control appear to have been selected at random. They are spread over the whole Dutch territory and are active in the following sectors: industry & metal, water boards, construction, trade, hotel & catering, travel, communication, financial services, business services and healthcare.

According to the GDPR, the record of processing activities must be kept in writing (electronic or otherwise) and continuously kept up to date. It must contain an overview of the processing activities of the company (a description of the categories of data subjects, the categories of personal data, the purposes of the processing, the envisaged time limits for erasure of the different categories of personal data, the applicable security measures, transfers to third parties and to third countries, etc.).

There is a limited exception to this general obligation for small companies employing fewer than 250 persons, which, in principle, do not have to maintain a record of processing activities. However, these ‘small companies’ must still establish and maintain such a record if any one of the following three conditions is met:

  1. The processing is likely to result in a risk to the rights and freedoms of data subjects;
  2. The processing of personal data is “not occasional” (in this respect, the AP considers that the processing of structural data, such as employee data, must be regarded as not occasional); or
  3. The processing includes sensitive personal data (e.g. data relating to racial or ethnic origin, religious or philosophical beliefs, health, political opinions or trade union membership, as well as data relating to criminal convictions and offences).

The AP is one of the first data protection authorities in the EU to conduct such a control. It shows that the AP has decided to play a more proactive role in guiding companies along the road to GDPR compliance, an approach that other European data protection authorities may well follow.

In any case, more than two years after the adoption of the GDPR (on 27 April 2016), and almost two months after it became applicable (25 May 2018), companies should by now be able to show that they have done their homework, starting with a proper ‘data flow mapping exercise’ and the internal recording of its results.
