Want to know more about AVG-proofing your employees’ data?
Read it in our AVG/GDPR-brochure.
GDPR, AVG, personal data, privacy officer, BOY, data integrity: In recent years the terms regarding the protection of data and personal details have been buzzing around. Obviously, your organization wants to do everything possible to comply, especially towards your own employees and your customers. But where should you start? What do those terms stand for? What is your main priority when it comes to privacy and security? Crowe Peak is your partner in privacy and helps you pave your way in the world of legislation.
Read it in our AVG/GDPR-brochure.
As the Dutch Personal Data Authority (AP) states “many companies make their money primarily with personal data. There is nothing wrong with that. But too often companies do not follow the rules when they collect, link, and use data. This happens on a large scale and often in complex and opaque systems. (…) This can lead to discrimination and exclusion of people.”
Privacy is thus a not-to-be-missed concern in your daily life and while doing business. Not only for the protection of your interests, your employees, and your customers as individuals, but also for the reliability and credibility of your organization. Privacy is a fundamental right that cannot be infringed without a valid reason or carefully designed safeguards. In addition, it has become increasingly clear in recent history that protection of personal data is also of utmost importance to ensure online security. When personal information falls into the wrong hands and/or is shared without consent, not only does it give an uncanny feeling, but there is also the real risk of identity theft and the occurrence of material and immaterial damage. This makes protecting privacy within the business community not only a legal, but in a sense a moral imperative.
Schedule your free privacy assessment with one of our specialists.
The GDPR has been implemented at the national level in all European Union member states. In the Netherlands, this was done with the Dutch General Data Protection Regulation (Dutch: Algemene Verordening Gegevensbescherming or AVG). The AVG is a replacement for the old Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens) and is identical in content to the GDPR. You can thus say that in the Netherlands the GDPR and the AVG are the same.
The rules from the GDPR/AVG therefore do not only apply within the Netherlands or to Dutch companies. Indeed, the GDPR applies to all companies and organizations that hold and process personal data of natural personal persons (individuals/people) in the European Union, even if they are located outside the EU. The main organizations that are exempted from the legislation, however, are those that deal with national security or law enforcement such as the police and judiciary.
This means that as a commercial organization, you can assume that you are bound by the GDPR/AVG. Even if you do not think you have much to do with privacy. Personal data is everywhere. Therefore, the chance that you are in some way undertaking the activity that the GDPR primarily regulates – namely, processing personal data – is almost one hundred percent. Wondering if your organization is indeed processing personal data and if so, what the GDPR/AVG therefore requires of you? Read on quickly.
Because the GDPR involves important obligations for all organizations active in Europe, it is wise for every entrepreneur, manager, HR manager, CFO, CTO, CiSO and marketing manager to have some basic knowledge of the GDPR/AVG. However, because the AVG is riddled with legal jargon and definitions, it is wise to have a professional give you an introduction to it. Are you looking for AVG training for yourself, your management team, or your organization? If so, contact us directly. Want a more entry level understanding of the key issues in the GDPR/AVG first? Then consult the glossary of terms below and the rest of this overview article.
Want to know if your organization should work based on privacy by design? Are you curious about whether your organization should hire a DPO? Or do you have questions about consent, rectifications or requests-to-be-forgotten? If so, please contact our specialists.
In the list above, you will see the word “personal data” in almost every definition. This makes “personal data” the most important definition in the AVG. It reads “any data relating to an identified or identifiable natural person.” But what does this mean specifically? That personal data is any data by which a person can be identified. Thus, examples of personal data are combinations of name and date of birth, a phone number or passport number. It is important to note that an opinion about a person, an analysis of someone or a description or impression of a person can also be traced back specifically to one person and therefore falls under the GDPR. Internal interview notes, minutes, assessments, and appraisal forms are therefore also a concern under this regulation.
A processing register is a document that describes the processing activities of personal data within an organization. Such a document is mandatory under European and Dutch privacy laws for every processor of personal data. In brief, the processing register must address the following questions:
In other words, the processing register must contain information about the processing of personal data, including at least the purpose of the processing, the categories of personal data being processed, the recipients of the data (and whether those recipients qualify as “third parties” and/or are located outside the EU) and the retention periods. The processing register is not intended to create red tape for business owners. Rather, it seeks to streamline the vast amount of information regarding the processing of personal data and enable data subjects and supervisors to gain insight into how personal data are processed. Here it is important to note that a register can only be drawn up properly if all work processes within the organization in which personal data are collected and used have been mapped out. The so-called “data map” that can thus be drawn up must be regularly updated so that the processing register can also be kept up to date. For this purpose, many companies use the well-known plan-do-check-act method. Need help setting up a (template) processing register? Please contact us.
The AVG not only requires companies to keep records of what data they process and how they process it, but also whether they have made sure they were allowed to do so. Therefore, the GPDR/AVG requires processors to process personal data only on a regulation basis. In doing so, processors must be able to demonstrate a basis for each individual processing of personal data. The legal grounds that are possible under the AVG/GDPR can be summarized as follows:
The latter two grounds only apply in exceptional situations. In general, regular, commercial parties will perform most processing actions based on an agreement, consent or – in the case of an employment relationship, for example – on a legitimate interest.
One group of data subjects whose personal data many organizations process (excessively) is their own employees. You know a lot about your employees, you communicate with and about them, and their data is in all kinds of systems. Below are guidelines for employers for a privacy-proof personnel policy.
Because recruitment and selection are necessary for any organization, processing personal data for this purpose is a legitimate interest. In most situations, therefore, under the AVG/GDPR, processing of the following applicant data is permitted:
However, it is important to prevent the above data from ‘wandering’ around the organization. It is therefore important to establish a protocol that at least defines which officials have access to the data in the application file. Furthermore, it is good to be mindful that processing other applicant personal data is out of the question. These are the so-called special personal data. This concerns information about:
In this context, it can be problematic that passport photos and video resumes often contain this type of information. Therefore, it is also wise to work with an application code that accompanies the job posting. In it, the expectations of the organization can be made known, and a privacy statement can be attached. Furthermore, in the Netherlands, it is good to note that – also from the point of view of privacy – it is not recommended to ask about pregnancy or a desire to have children. Also, requesting a copy of the passport is in principle not allowed. Finally, asking about medical data and health is also subject to strict rules. In short, the only permissible question is “whether there are circumstances that may affect the performance of the job.”
In the context of job applications, many organizations also conduct “screening”. According to the AVG/GDPR, screening includes, for example, googling names and requesting references. To operate GDPR-proof, it is important to observe the following do’s and don’ts when screening:
Once an employee has been hired, a new phase begins in terms of restrictions on the processing of personal data. An employer may assume that during employment under the GDPR/AVG he has a basis to process the following data of an employee:
Part of a careful policy is that not every HR employee has direct access to the above data. Only necessarily authorized persons need access to such data.
When there is an employment relationship, the possibilities for processing personal data are broader. However, these possibilities are certainly limited. These are the retention periods that must be considered for personal data of (former) employees:
Where there has only been a job application, the applicant’s personal data may be processed up to a maximum of four weeks after completion of the process with the specific candidate. Only with the explicit consent of the applicant may this be longer.
Monitoring emails, GPS tracking, phone data and browsing histories makes monitoring employees easier than ever. However, this too is subject to strict regulation in the GDPR/AVG. The same goes for camera surveillance of staff. We have listed the most important rules regarding these activities in our white paper In control with privacy law. Download it here.
When an employee becomes unfit for work, there is a lot on the employer’s mind. Not only, the employee must be replaced temporarily, but also in terms of administration. On top of that, the paperwork must take the employee’s privacy into account. But how do you do that? In summary, the answer is “by not processing data that may be covered by medical confidentiality.” Specifically, this means the following for dealing with sickness reporting and reintegration, contact with the absence insurance company and processing data in the absence system:
In short, when reporting sickness and the reintegration process applies that only the most necessary data may be processed for a correct reporting of sickness and a functioning absence and reintegration policy. This means, among other things, that you may only request the following information when reporting sickness: (i) the employee’s telephone number and nursing address, (ii) probable duration of the absence, (iii) information regarding necessary transfer of work, (iv) whether the employee is covered by the safety net provisions of the Dutch Sickness Benefits Act, (v) whether the illness is related to an accident at work, and (vi) whether there is a traffic accident for which a third party may be liable. As an employer, you may not process data on the nature and cause of the illness.
If personal data of an (ill) employee is passed on to a third party, the employee concerned must be informed. This also applies in the case of passing on data to your absence insurance company. Does your organization need more information on how and when to request, process and store (personal) data of employees? Look at our privacy page.
The privacy rules around sick employees are thus strict. Therefore, make sure that the absence system used by your organization is only made accessible to a limited group of people. Also, do not rely solely on the IT supplier for the security of data therein; as an employer, you yourself are responsible for complying with privacy rules and therefore for compliance when using software. Do you have questions about this or are you curious about specific retention periods for absence files? Then download our full white paper on (Dutch) privacy law here.
Finally, for organizations with a works council (OR), the OR has a legal right of consent when drafting/changing regulations regarding:
Note that consent of the works council does not automatically mean validity under the GDPR/AVG. Such arrangements must also meet all other AVG/GDPR requirements, and management remains responsible for them. Want to know more about employee tracking systems? Contact us.
Another group of ‘data subjects’ from whom – often unnoticed – an enormous amount of personal data is (can be) processed are the customers of companies. It is therefore important that a processing register is kept up to date and on a regular basis. Furthermore, many specific rules apply under the AVG/GDPR to the processing of personal data via your website and other digital channels. Below, we list some of the main points of interest in this regard.
Under the GDPR/AVG, the most obvious obligation for organizations with a website is that it must be clear which personal data is collected and what it is used for. This should not be done in “fine print”. Permission to process personal data and information about this must be given in understandable language.
Furthermore, users of your website have the right to see what personal data you keep about them. They also have the right to correct and/or delete this data. Therefore, it is also important to establish a procedure to exercise these rights. Finally, of particular importance is to provide your website visitors with a privacy statement that is up to date. You can read more about privacy statements below.
Therefore, one of the most frequently heard questions regarding the AVG/GDPR is “is a privacy statement mandatory?” The answer to that question is “sometimes” or perhaps even “often.” Under the general principle of transparency enshrined in the GPDR/AVG, every processor is obliged to provide information about how personal data is processed. This obligation arises when processing begins. In concrete terms, this means that if your website does not register an IP address or place cookies on single viewing of the website, a privacy statement is strictly not necessary. However, if this does happen, a privacy statement, for example through a cookie banner, is immediately mandatory. It is then also important that the visitor cannot miss the statement.
When your website does not automatically track data, but can receive information about visitors through, for example, a contact form, a privacy statement is mandatory from the moment the data is provided. Nevertheless, even for companies that do not (directly) process data, it may be wise – from the point of view of transparency – to prepare a privacy statement based on the processing register/processing protocol. Need help with this? Crowe Peak is happy to provide this.
Once you have determined that a privacy statement is needed for your website, you will want to know what it should include. It should at least include the following:
Personal data of your customers (and other affiliated parties) are not only in your website (environment), but mostly in all kinds of (digital) places within your organization. The AVG/GDPR therefore includes all kinds of (general) rules for document management that must safeguard the privacy of individuals. This is expressed not only in the previously formulated obligation to draw up and use a processing register, but also in regulations on purpose limitation, specific retention periods, data security and protection against data leaks. Which regulations deserve special attention will depend on where you process which personal data. Crowe Peak is happy to help you put this into perspective.
Under the AVG/GDPR, certain organizations are required to hire someone whose task is to draft and enforce privacy policies. This applies at least to government agencies, organizations whose core business is to monitor individuals on a large-scale, regular, and systematic basis, and organizations whose core business is to process special personal data on a large scale or to process data on criminal convictions and offenses on a large scale.
The foregoing makes it clear that personal data is everywhere and therefore privacy is not a right that is only around the corner when disclosing obviously sensitive information. Personal data can be found in many nooks and crannies of your (digital) organization and is sometimes even processed unnoticed. Therefore, if your organization has not yet worked on its AVG/GDPR compliance, or only on a fragmented basis, a privacy assessment is a wise step.
A privacy assessment can offer several advantages. It helps avoid fines and reduce risks of data breaches. Thus, it not only strengthens your GDPR compliance, but also your resilience against reputational damage. Moreover, a privacy assessment often provides valuable insights into how personal data is processed within an organization. This can lead to improved security for customers and staff and efficiency gains. Crowe Peak can advise and assist you if you wish. Plan an exploratory meeting here.
Plan your free privacy assessment with one of our specialists.
With the information above and our white paper on AVG and HR policies we hope to help you deal with the challenges of privacy regulations. However, it is easy to imagine that a further exchange of ideas about this will not feel redundant. Our advisors are therefore happy to help you face your GDPR challenges together. Feel welcome to get in touch or do our no-obligation privacy assessment here.