Privacy | 9 May 2023

GDPR, AVG, AP, processing, and data breaches:

All you need to know about privacy

GDPR, AVG, personal data, privacy officer, data integrity: in recent years, terms about the protection of data and personal details have been everywhere. Naturally, your organization wants to do everything it can to comply, especially towards your own employees and your customers. But where should you start? What do those terms mean? What should be your main priority when it comes to privacy and security? Crowe Peak is your partner in privacy and helps you find your way in the world of legislation.

The importance of privacy

As the Dutch Personal Data Authority (AP) states “many companies make their money primarily with personal data. There is nothing wrong with that. But too often companies do not follow the rules when they collect, link, and use data. This happens on a large scale and often in complex and opaque systems. (…) This can lead to discrimination and exclusion of people.”  

Privacy is therefore a concern that cannot be ignored, in daily life and in doing business: not only to protect your own interests and those of your employees and customers as individuals, but also for the reliability and credibility of your organization. Privacy is a fundamental right that may not be infringed without a valid reason and carefully designed safeguards. It has also become increasingly clear that protecting personal data is essential for online security. When personal information falls into the wrong hands or is shared without consent, the result is not only an uneasy feeling but a real risk of identity theft and of material and immaterial damage. This makes protecting privacy within the business community not only a legal but, in a sense, a moral imperative.

Privacy in European legislation (GDPR)  

To make the consequences of failing to protect personal data tangible, to make the corresponding duties concrete and to help companies make privacy policy a priority with concrete goals, the General Data Protection Regulation (GDPR) became applicable throughout the European Union (EU) on 25 May 2018. The regulation protects individuals by regulating the processing of personal data by organizations of all kinds. Compliance is enforced by the data protection authority of each EU member state; in the Netherlands this is the Dutch Data Protection Authority (Dutch: Autoriteit Persoonsgegevens or AP). If the AP finds a breach of the GDPR, it can impose fines of up to 20 million euros or, for an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher (this is the upper tier for the most serious infringements; a lower tier of 10 million euros or 2% applies to others). Not taking your privacy policy seriously can thus become costly.

Privacy in Dutch legislation (AVG)  

The GDPR is a regulation and therefore applies directly in all EU member states; it does not have to be transposed into national law. In the Netherlands, the GDPR is simply known by its Dutch name, the Algemene Verordening Gegevensbescherming (AVG), so the GDPR and the AVG are one and the same text. The AVG is supplemented by a national act, the GDPR Implementation Act (Dutch: Uitvoeringswet AVG or UAVG), which fills in the choices the regulation leaves to member states and which replaced the old Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens or Wbp).

The rules of the GDPR/AVG therefore do not only apply within the Netherlands or to Dutch companies. The GDPR applies to all companies and organizations that process personal data of natural persons (individuals) in the European Union, including organizations established outside the EU that offer goods or services to people in the EU or monitor their behaviour. The main exceptions are processing for purely personal or household activities, processing for national security (which falls outside EU law) and processing by the police and judicial authorities for law-enforcement purposes, which is governed by a separate EU directive and its Dutch implementing legislation rather than by the GDPR.

This means that as a commercial organization you can assume you are bound by the GDPR/AVG, even if you do not think privacy has much to do with you. Personal data is everywhere, so the chance that you undertake the activity the GDPR primarily regulates, processing personal data, is close to one hundred percent. Wondering whether your organization is indeed processing personal data and, if so, what the GDPR/AVG requires of you? Read on.

Key definitions from the GDPR and AVG  

Because the GDPR imposes important obligations on all organizations active in Europe, it is wise for every entrepreneur, manager, HR manager, CFO, CTO, CISO and marketing manager to have some basic knowledge of the GDPR/AVG. However, because the AVG is full of legal jargon and definitions, it is wise to have a professional introduce it to you. Are you looking for AVG training for yourself, your management team or your organization? If so, contact us directly. Want a more entry-level understanding of the key concepts in the GDPR/AVG first? Then consult the glossary below and the rest of this overview article.

  • Autoriteit Persoonsgegevens (AP): The Dutch supervisory authority under the GDPR/AVG and the official privacy regulator in the Netherlands. Besides imposing fines (see above), it can issue binding instructions, impose periodic penalty payments and order a temporary or definitive ban on processing, which for some businesses amounts to a shutdown. 
  • Processing: Any operation or set of operations involving personal data, such as collection, storage, consultation, use, disclosure, and erasure of personal data. 
  • Controller: The natural or legal person who determines the purposes and means of the processing of personal data within an organization. 
  • Processor: The natural or legal person who processes personal data on behalf of the Controller. 
  • Consent: Any freely given, specific, informed, and unambiguous expression of will by which the data subject (the person whose personal data are processed) accepts that his/her personal data are processed. 
  • Right of access: The right of data subjects to know what personal data about them is being processed and in what manner. 
  • Right to rectification: The right of data subjects to have incorrect personal data corrected or completed.  
  • Right to be forgotten: The right of data subjects to request deletion of their personal data. 
  • Privacy by design (and by default): Designing systems and processes so that data protection is built in from the start, with the most privacy-friendly settings as the default.  
  • Data Protection Officer (DPO): An independent officer (Dutch: Functionaris Gegevensbescherming or FG) who informs and advises the organization and monitors its GDPR compliance.  

Want to know if your organization should work based on privacy by design? Are you curious about whether your organization should hire a DPO? Or do you have questions about consent, rectifications or requests-to-be-forgotten? If so, please contact our specialists.  

The most important definition: “personal data”  

In the list above, the words "personal data" appear in almost every definition, which makes "personal data" the most important definition in the AVG. It reads "any information relating to an identified or identifiable natural person." In practice this means any data by which a person can be identified, directly or in combination with other data. Examples are a name combined with a date of birth, a phone number, a passport number, but also a customer number or an online identifier such as an IP address, as long as it can be linked back to a person. It is important to note that an opinion about a person, an analysis of someone, or a description or impression of a person can also be traced back to one specific person and therefore falls under the GDPR. Internal interview notes, minutes, assessments and appraisal forms are therefore also covered by this regulation.  

Privacy in your organization – an introduction  

The above concepts are significant when developing a privacy policy for your organization. And the fact that this is necessary is evident from the size of the AVG, the widespread nature of its scope and the level of fines for non-compliance. And while this may seem intimidating, we also have some good news: AVG/GDPR compliance hinges on good process management. Indeed, one of the most important things the law requires business owners to do is to process the personal data (see above) they hold and receive in a structured manner and to do so on the right basis. Below, therefore, we introduce the principle of a processing register and explain the basic grounds for processing. We then go on to specifically address the topics of “privacy and your staff” and “privacy and your customers.”   

A processing register – who, what, how, why   

A processing register is a document that describes the processing activities involving personal data within an organization. Such a register is mandatory under the GDPR/AVG (Article 30) for controllers and for processors. The only exemption, for organizations with fewer than 250 employees, falls away as soon as processing is more than occasional, is likely to result in a risk for data subjects or involves special categories of data, so in practice almost every organization must keep one. In brief, the processing register must answer the following questions:  

  • Who?  
  • What?  
  • How?  
  • Why?  

In other words, the processing register must contain, for each processing activity, at least the name and contact details of the controller (and of the DPO, if there is one), the purposes of the processing, the categories of data subjects and of personal data, the recipients of the data (including whether those recipients qualify as "third parties" and whether they are located outside the EU/EEA and, if so, which transfer safeguards apply), the retention periods and, where possible, a general description of the technical and organizational security measures. The register is not intended to create red tape for business owners. Rather, it structures the vast amount of information about the processing of personal data and enables data subjects and supervisors to see how personal data is processed. A register can only be drawn up properly if all work processes within the organization in which personal data is collected and used have been mapped. The resulting "data map" must be updated regularly so that the processing register stays current as well; many companies use the well-known plan-do-check-act cycle for this. Need help setting up a (template) processing register? Please contact us.  
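The register described above is a document, but the "who, what, how, why" fields lend themselves to a machine-readable data map that can be checked automatically. The following Python script is an added example, not code from the original article or from Crowe Peak: it models a register entry as a record and flags the gaps a supervisor would ask about (no purpose, no retention period, undocumented legitimate interest, consent used for employee data, special-category data without an Article 9 condition, recipients outside the EEA). The finding codes, field names and the three sample activities are constructed for illustration and are not a real organization's register.

```python
"""Minimal processing register (Art. 30 GDPR) with consistency checks.

Added example; the field names, finding codes and sample entries are
constructed for illustration and not taken from any real register.
"""
from __future__ import annotations

from dataclasses import dataclass

# EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}
# Special categories (Art. 9 GDPR) plus criminal data (Art. 10): processing is
# prohibited unless a specific condition applies, so the register must name it.
SPECIAL_CATEGORIES = {
    "racial or ethnic origin", "political opinions",
    "religious or philosophical beliefs", "trade union membership",
    "genetic data", "biometric data", "health data",
    "sex life or sexual orientation", "criminal convictions and offences",
}
LEGAL_BASES = {
    "consent", "contract", "legal obligation", "vital interests",
    "public task", "legitimate interest",
}


@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    legal_basis: str
    data_categories: list[str]
    data_subjects: list[str]
    recipients: list[tuple[str, str]]   # (recipient, ISO country code)
    retention: str
    security_measures: str = ""
    legitimate_interest: str = ""        # interest weighed against the data subject
    special_category_condition: str = ""  # Art. 9(2) condition relied on, if any


def check_activity(a: ProcessingActivity) -> list[str]:
    """Return short finding codes for one entry; an empty list means no gaps."""
    findings = []
    if not a.purpose.strip():
        findings.append("missing-purpose")
    if a.legal_basis not in LEGAL_BASES:
        findings.append(f"unknown-legal-basis:{a.legal_basis}")
    if a.legal_basis == "legitimate interest" and not a.legitimate_interest:
        findings.append("legitimate-interest-not-documented")
    # Employees cannot give consent freely, so consent is a weak basis for HR data.
    if a.legal_basis == "consent" and "employees" in a.data_subjects:
        findings.append("consent-from-employees")
    if not a.retention.strip():
        findings.append("missing-retention")
    if set(a.data_categories) & SPECIAL_CATEGORIES and not a.special_category_condition:
        findings.append("special-category-without-condition")
    for recipient, country in a.recipients:
        if country not in EEA:  # transfer outside the EEA needs a transfer mechanism
            findings.append(f"non-eea-recipient:{recipient}")
    return findings


def check_register(register: list[ProcessingActivity]) -> dict[str, list[str]]:
    """Map each activity name to its findings, omitting clean entries."""
    return {a.name: f for a in register if (f := check_activity(a))}


# Constructed sample register: one clean entry and two with gaps.
REGISTER = [
    ProcessingActivity(
        name="payroll",
        purpose="paying salaries and remitting payroll tax",
        legal_basis="legal obligation",
        data_categories=["name", "bank details", "payroll tax statement"],
        data_subjects=["employees"],
        recipients=[("Belastingdienst", "NL"), ("payroll provider", "NL")],
        retention="7 years after the end of the year employment ended",
        security_measures="HR role-based access, encrypted backups",
    ),
    ProcessingActivity(
        name="newsletter",
        purpose="sending product updates to subscribers",
        legal_basis="consent",
        data_categories=["email address"],
        data_subjects=["customers"],
        recipients=[("email service provider", "US")],
        retention="until the subscriber withdraws consent",
    ),
    ProcessingActivity(
        name="absence administration",
        purpose="registering sick leave",
        legal_basis="consent",
        data_categories=["name", "health data"],
        data_subjects=["employees"],
        recipients=[("absence insurer", "NL")],
        retention="",
    ),
]

if __name__ == "__main__":
    for name, findings in check_register(REGISTER).items():
        print(f"{name}: {', '.join(findings)}")
```

Run as a script it prints one line per entry with gaps; the payroll entry produces no findings, the newsletter entry is flagged for its US recipient, and the absence entry is flagged three times (consent from employees, no retention period, health data without an Article 9 condition). Keeping the register in this form makes the periodic review in the plan-do-check-act cycle a matter of re-running the checks rather than re-reading a document.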

Basis for using personal data   

The AVG not only requires organizations to record what data they process and how, but also to make sure they were allowed to process it. The GDPR/AVG therefore requires that personal data is processed only on one of the legal bases listed in the regulation (Article 6), and the controller must be able to demonstrate that basis for each individual processing activity (the accountability principle). The possible legal bases can be summarized as follows: 

  • Processing necessary to comply with a legal obligation to which the controller is subject.
  • Processing necessary for the performance of a contract with the data subject (such as an employment contract), or for steps taken at the data subject's request prior to entering into a contract.
  • Processing based on a legitimate interest. This basis requires a balancing of the (legitimate) interest of the organization against the rights and freedoms of the data subject. The processing must be necessary for that interest, must not go beyond what is necessary, and the balancing must be documented. Because whether a legitimate interest exists is highly case-dependent, it is wise to consult a privacy professional when relying on this ground.  
  • Processing based on consent. Whether consent is a valid basis depends on the context: it must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time. In an employment relationship, consent is generally not considered freely given, because the GDPR assumes an employee will feel obliged towards the employer and therefore cannot freely give or refuse consent; employers should rely on another basis.  
  • Processing necessary to protect the vital interests of the data subject or another natural person. Or  
  • Processing necessary for a task carried out in the public interest or in the exercise of official authority.  

The latter two grounds apply only in exceptional situations. Regular commercial parties will base most of their processing on a contract, a legal obligation (payroll and tax administration are typical examples in the employment relationship) or a legitimate interest; consent plays a smaller role than is often assumed.  

Privacy and your staff  

One group of data subjects whose personal data many organizations process (excessively) is their own employees. You know a lot about your employees, you communicate with and about them, and their data is in all kinds of systems. Below are guidelines for employers for a privacy-proof personnel policy.  

Privacy during recruitment and selection   

Because recruitment and selection are necessary for any organization, processing applicant data for this purpose can be based on the employer's legitimate interest (or, where it concerns the candidate's own application, on steps prior to entering into a contract). In most situations, therefore, processing the following applicant data is permitted under the AVG/GDPR:  

  • Name, home address, telephone, and email address. 
  • Date of birth. 
  • Information about education, courses and internships taken. 
  • Data relating to the positions applied for. And 
  • Data relating to the previous position and termination of previous employment.  

However, it is important to prevent this data from 'wandering' around the organization. Establish a protocol that at least defines which officers have access to the application file, and delete the data once the retention period (see below) has expired. Be aware, too, that processing other applicant data, the so-called special categories of personal data, is in principle prohibited. This concerns information about:  

  • Racial or ethnic origin. 
  • Political opinions and religious or philosophical beliefs. 
  • Trade union membership. 
  • Health (medical data). 
  • Genetic data and biometric data used to identify a person. And 
  • Sex life or sexual orientation.  

In this context, it can be problematic that passport photos and video résumés often reveal this type of information. It is therefore also wise to work with a recruitment code (Dutch: sollicitatiecode) that accompanies the job posting, in which the organization's expectations are set out and to which a privacy statement is attached. Furthermore, in the Netherlands, questions about pregnancy or a wish to have children should not be asked, also from a privacy point of view. Requesting a copy of the applicant's passport is in principle not allowed either; that is only permitted once the person is hired. Finally, questions about medical data and health are subject to strict rules: in short, the only permissible question is whether there are circumstances that may affect the performance of the job.    

Do’s and don’ts in screening  

In the context of job applications, many organizations also conduct 'screening'. Under the AVG/GDPR, screening is processing of personal data like any other and includes, for example, googling candidates and requesting references. To operate GDPR-proof, observe the following do's and don'ts when screening:  

  • Inform applicants in advance, for instance in the recruitment code, that they may be looked up on social media such as LinkedIn, and limit this to what is relevant for the position. Unannounced, open-ended googling is not allowed under the AVG. 
  • Never request references without the applicant's consent. Note that a former employer is also not allowed to provide data without the applicant's consent. 
  • Looking into an applicant's criminal past is only permitted when it is necessary for the position and the interests at stake have been weighed. 
  • Requesting a certificate of conduct (Dutch: Verklaring Omtrent het Gedrag or VOG) likewise requires a balancing of interests.  

The personnel file  

Once an employee has been hired, a new phase begins in terms of restrictions on the processing of personal data. An employer may assume that during employment under the GDPR/AVG he has a basis to process the following data of an employee:   

  • Copy of identification documents. 
  • Bank details of the employee. 
  • Payroll tax statement. 
  • Declaration of no private use of a company car (Dutch: verklaring geen privégebruik auto).  
  • Time records. 
  • Details of the employee’s qualifications. 
  • Performance reports. And  
  • Sick leave data.  

Part of a careful policy is that not every HR employee has direct access to the above data. Grant access on a need-to-know basis to those whose role requires it, and make sure access to sensitive items such as ID copies and sick leave data is logged so that misuse can be detected.  

Retention periods  

When there is an employment relationship, the possibilities for processing personal data are broader. However, these possibilities are certainly limited. These are the retention periods that must be considered for personal data of (former) employees:  

  • Tax and payroll administration: 7 years (the general fiscal retention obligation). 
  • Payroll tax statement: at least 5 years after the end of the calendar year in which the employee left. 
  • Copy of ID: at least 5 years after the end of the calendar year in which the employee left. And 
  • Other personal data (such as performance reports): 2 years after termination of employment, unless a pending dispute or a specific legal obligation requires longer.  

Where there has only been a job application, the applicant’s personal data may be processed up to a maximum of four weeks after completion of the process with the specific candidate. Only with the explicit consent of the applicant may this be longer.  

Monitoring and control  

Monitoring emails, GPS tracking, phone data and browsing histories makes monitoring employees easier than ever. However, this too is subject to strict regulation in the GDPR/AVG. The same goes for camera surveillance of staff. We have listed the most important rules regarding these activities in our white paper In control with privacy law. Download it here.  

AVG and incapacity for work  

When an employee becomes unfit for work, an employer has a lot on their mind: the employee must be replaced temporarily, and the absence must be administered. On top of that, that administration must respect the employee's privacy. How? In summary: by not processing data that may be covered by medical confidentiality. Specifically, this means the following for sickness reporting and reintegration, contact with the absence insurer and processing data in the absence system:  

Sick reporting and reintegration   

In short, during sickness reporting and reintegration only the data strictly necessary for a correct sick report and a functioning absence and reintegration policy may be processed. Among other things, this means that when an employee reports sick you may request only the following: (i) the employee's telephone number and nursing address, (ii) the probable duration of the absence, (iii) information needed to hand over current work and appointments, (iv) whether the employee is covered by the safety net provisions of the Dutch Sickness Benefits Act (Ziektewet), (v) whether the illness is related to an accident at work, and (vi) whether there was a traffic accident for which a third party may be liable. As an employer, you may not ask about or record the nature and cause of the illness; that is the domain of the company doctor (bedrijfsarts).  


If personal data of an (ill) employee is passed on to a third party, the employee concerned must be informed. This also applies in the case of passing on data to your absence insurance company. Does your organization need more information on how and when to request, process and store (personal) data of employees? Look at our privacy page.  

Absence system & retention period   

The privacy rules around sick employees are thus strict. Make sure the absence system used by your organization is accessible only to a limited group of people, and do not rely solely on the IT supplier for the security of the data in it. As the employer you are the controller and remain responsible for compliance, also when using software: the supplier is a processor, so you must conclude a processor agreement (Dutch: verwerkersovereenkomst) with it and satisfy yourself that its security measures are adequate. Do you have questions about this, or are you curious about specific retention periods for absence files? Then download our full white paper on (Dutch) privacy law here.  

Pay attention to the Works Council   

Finally, for organizations with a works council (OR), the OR has a legal right of consent when drafting/changing regulations regarding:  

  • Processing personal data of employees; and  
  • Arrangements regarding employee tracking systems.  

Note that consent of the works council does not automatically mean validity under the GDPR/AVG. Such arrangements must also meet all other AVG/GDPR requirements, and management remains responsible for them. Want to know more about employee tracking systems? Contact us.  

Privacy and your customers  

Another group of 'data subjects' from whom an enormous amount of personal data is (or can be) processed, often unnoticed, are the customers of companies. It is therefore important that the processing register also covers customer data and is kept up to date on a regular basis. Furthermore, many specific rules apply under the AVG/GDPR to the processing of personal data via your website and other digital channels. Below, we list some of the main points of interest.  

Privacy on the website  

Under the GDPR/AVG, the most obvious obligation for organizations with a website is that it must be clear which personal data is collected and what it is used for. This should not be done in “fine print”. Permission to process personal data and information about this must be given in understandable language.  

Furthermore, users of your website have the right to see what personal data you keep about them. They also have the right to correct and/or delete this data. Therefore, it is also important to establish a procedure to exercise these rights. Finally, of particular importance is to provide your website visitors with a privacy statement that is up to date. You can read more about privacy statements below.  

Privacy statements   

A privacy statement is a document in which you, as website owner, explain what personal information you collect, why you collect it and how you use it. The statement should include user rights, such as the right to view, correct and delete data, and provide information about exercising those rights, retention periods and security measures. Creating a conclusive privacy statement based on your company’s privacy policy is therefore a priority. 

One of the most frequently heard questions regarding the AVG/GDPR is therefore "is a privacy statement mandatory?" The answer is "usually". Under the transparency principle of the GDPR/AVG, every controller must inform data subjects about how their personal data is processed, and this obligation arises as soon as processing begins. Strictly speaking, a website that records no IP addresses and places no cookies during a single visit does not need a statement, but in practice a web server logs the visitor's IP address, which is personal data, so this exception rarely applies. If your site does record such data, a privacy statement is mandatory immediately. A cookie banner can point to it (and is required in its own right before non-essential cookies are placed), but it does not replace the statement: the statement itself must be reachable from every page, for example via a link in the footer, so that the visitor cannot miss it.  

When your website does not automatically track data, but can receive information about visitors through, for example, a contact form, a privacy statement is mandatory from the moment the data is provided. Nevertheless, even for companies that do not (directly) process data, it may be wise – from the point of view of transparency – to prepare a privacy statement based on the processing register/processing protocol. Need help with this? Crowe Peak is happy to provide this.  

What should be in a privacy statement?  

Once you have determined that a privacy statement is needed for your website, you will want to know what it should include. It should at least include the following:  

  • Name and contact information of the controller (or its representative in the EU). 
  • The contact details of the DPO (see below) if required. 
  • The data that will be processed. 
  • The purposes and legal basis for processing the data. 
  • In case the legal basis mentioned above is a ‘legitimate interest’, the relevant legitimate interest. 
  • The (categories) of recipients of the personal data. 
  • Information on any plans to transfer personal data outside the EU. 
  • The retention period used. 
  • The rights of the data subject such as the right to inspect, correct and delete. 
  • The right to be able to withdraw consent to processing. 
  • The consequences of not providing the data. 
  • Information on whether automated decision-making and profiling is used. 
  • If the data was obtained from another organization: the source from which the personal data came, and whether it came from publicly accessible sources. 
  • The right to lodge a complaint with the supervisory authority (in the Netherlands, the AP).  

Privacy and your document management  

Personal data of your customers (and other affiliated parties) are not only in your website (environment), but mostly in all kinds of (digital) places within your organization. The AVG/GDPR therefore includes all kinds of (general) rules for document management that must safeguard the privacy of individuals. This is expressed not only in the previously formulated obligation to draw up and use a processing register, but also in regulations on purpose limitation, specific retention periods, data security and protection against data leaks. Which regulations deserve special attention will depend on where you process which personal data. Crowe Peak is happy to help you put this into perspective.  

Do I need to hire a DPO?  

Under the AVG/GDPR, certain organizations are required to appoint a Data Protection Officer: an independent officer who informs and advises the organization about its obligations and monitors compliance. This applies at least to public authorities, organizations whose core activities consist of regular and systematic monitoring of individuals on a large scale, and organizations whose core activities consist of large-scale processing of special categories of personal data or of data on criminal convictions and offences.  

Organizations that are not required to employ a DPO may also choose to do so and make it an integral part of their privacy policy. They may also choose to hire a DPO as an outside consultant to help implement the GDPR/AVG regulations. Given the scope of the obligations and the complexity of the matter, this is recommended for many organizations. Another option to begin systematically addressing your privacy policy is to have a privacy assessment performed.  

The importance of a privacy assessment  

The foregoing makes it clear that personal data is everywhere and therefore privacy is not a right that is only around the corner when disclosing obviously sensitive information. Personal data can be found in many nooks and crannies of your (digital) organization and is sometimes even processed unnoticed. Therefore, if your organization has not yet worked on its AVG/GDPR compliance, or only on a fragmented basis, a privacy assessment is a wise step.  

A privacy assessment can offer several advantages. It helps avoid fines and reduce risks of data breaches. Thus, it not only strengthens your GDPR compliance, but also your resilience against reputational damage. Moreover, a privacy assessment often provides valuable insights into how personal data is processed within an organization. This can lead to improved security for customers and staff and efficiency gains. Crowe Peak can advise and assist you if you wish. Plan an exploratory meeting here. 

Want to know more?  

With the information above and our white paper on AVG and HR policies, we hope to help you deal with the challenges of privacy regulation. It is easy to imagine, however, that you would like to discuss your own situation further. Our advisors are happy to help you face your GDPR challenges. Feel welcome to get in touch or take our no-obligation privacy assessment here.  
