You are here:
20 July 2018 / article

GDPR compliance in the Benelux: let the controls begin!

The Dutch Data protection authority (Autoriteit persoonsgegevens –“AP”) recently informed the public that they were assessing the GDPR compliance level of large companies in the Netherlands. In doing so, the authority took advantage of its new powers under article 30.4 of the EU General Data Protection Regulation (“GDPR”).

GDPR compliance in the benelux let the controls begin

The AP already selected thirty companies and examined whether they were keeping an internal record of their processing activities. The AP also examined whether the record of the given companies contained accurate information regarding their data processing activities. Having an up-to-date record of processing activities is considered by the AP to be a positive element in the evaluation of companies’ willingness to comply with the GDPR. The companies subject to this control were seemingly selected at random. They are spread over the whole Dutch territory and are active in the following sectors: industry & metal, water board, construction, trade, hotel & catering, travel, communication, financial services, business services and healthcare. 

According to the GDPR, the record of processing activities must be established in written form (electronic or not) and continuously kept up-to-date. It must contain an overview of the processing activities of the company (description of the categories of data subjects, the categories of personal data, the purposes of the processing, the envisaged time limits for erasure of the different categories of personal data, the applicable security measures, transfer to their parties, etc.).

There is a limited exception to this general obligation for small companies employing fewer than 250 persons which, in principle, do not have to maintain a record of processing activities. However, the aforementioned ‘small companies’ will still have to establish and maintain such a record if one of the three following conditions is met:

  1. The processing entails a risk for the rights and freedoms of data subjects;
  2. The processing of personal data is “not occasional” (in this respect, the AP considers that processing structural data, such as employees’ data, must be considered as not occasional); or
  3. The processing includes sensitive personal data (e.g. data relating to racial or ethnic origin, religious or philosophical beliefs, health, political opinions, union trade membership, as well as criminal data). 

The AP is one of the first data protection authorities to conduct such a control in the EU. It shows that the AP has decided to play a more proactive role in assisting companies on the road to GDPR compliance, an approach that may also be followed by other European data protection authorities. 

In any case, more than two years after the adoption of the GDPR (on 27 April 2016), and almost two months after its effective application date (25 May 2018), it is now really time for companies to be able to show that they have done their homework, starting with a proper ‘data flow mapping exercise’ and the internal recording thereof.

HR Excellence Awards 2018

Two prestigious awards in one week for the Employment & Benefits team!

After winning the ‘Best Law Firm in Social Law’ award, our Employment & Benefits team shined again last night by winning the 'Best Employment Law Firm' award... read more
Loyens & Loeff wins the “Best Law Firm in Social Law” award for Belgium

Loyens & Loeff wins the 'Best Law Firm in Social Law award

We are delighted to announce that our Employment & Benefits team has won the award for the “Best Law Firm in Social Law' for the third consecutive year at the... read more
CJEU gives guidance on self-cleaning in relation to competition law infringements

CJEU gives guidance on self-cleaning in relation to competition law infringements

In a recent judgement of 24 October 2018 (n° C-124/17, Vossloh Laeis GmbH v. Stadtwerke München GmbH), the European Court of Justice (CJEU) answers two important... read more
Stay informed

Don't miss out. Stay up to date about our latest news and events.