All posts by SmithDoe

AVG and Brexit: what are the consequences?

By | Uncategorized | No Comments

What are the consequences of Brexit for Dutch organizations under the General Data Protection Regulation (GDPR)?

Data export ban

The consequences under the GDPR mainly concern the transfer of personal data to the United Kingdom, including the storage of personal data there. This applies, for example, if British suppliers are used or if information is exchanged with a British group company. This is also called ‘data export’.

This is relevant because the GDPR’s starting point is a prohibition on transferring personal data from the European Economic Area (EEA) to countries outside it that do not offer an adequate level of privacy protection.

“The EEA currently consists of the EU countries, Norway, Iceland and Liechtenstein.”

If the UK becomes part of the EEA after Brexit, there is no problem: personal data may then simply be transferred to the UK. But at the moment it seems that this will not happen, so the question is what the alternatives are.

Exceptions to data export prohibition

The GDPR contains a number of exceptions to the data export ban.

Adequate protection level in UK

One exception that would make it easy to transfer personal data to the UK is for the European Commission to determine that the UK offers an adequate level of privacy protection. The Commission would then issue an ‘adequacy decision’.

This is the most practical alternative in the case of a ‘non-EEA’ Brexit, and there is a chance that the European Commission will make such a determination. The UK has already indicated that it will apply the GDPR (AVG) and wants to obtain an adequacy decision. At the moment, however, this is still pending.

Model contracts European Commission

If the European Commission does not issue an adequacy decision, it must be examined whether other exceptions apply. One of those exceptions is the use of a so-called Model Contract from the European Commission. With such a contract, a controller within the EEA can share personal data with a controller or processor outside the EEA.

More information about the exceptions to the data export ban: https://www.smithanddoe.com/factsheet-dataexport-3

AVG! What is changing?

What will change in the privacy rules with the introduction of the new privacy law?

From 25 May 2018, the General Data Protection Regulation (AVG) applies. This new privacy law replaces the current Personal Data Protection Act.

The privacy rules remain largely the same, but a number of new obligations are added. There are also higher fines for breaching the obligations: up to 20 million euros or 4% of worldwide turnover.

What are the new obligations that the AVG entails?

The 10 most important changes to the privacy rules with the introduction of the AVG are:

  1. More detailed requirements for what must, as a minimum, be included in the processor agreement (the term the AVG uses for this agreement).
  2. Specific rules when it comes to using children’s personal data.
  3. Obligation to keep an overview of the different flows of personal data that an organization uses.
  4. More extensive requirements for requesting permission to use personal data.
  5. Stricter rules for taking solely automated individual decisions, including profiling. A solely automated individual decision is a decision that a computer or algorithm makes about a person on the basis of certain input data, without a human being involved.
  6. The obligation to perform a Privacy Impact Assessment (PIA) in some situations. A PIA is a risk analysis of the processing of personal data.
  7. The obligation for some organizations to appoint a Data Protection Officer (FG, the Dutch abbreviation). An FG is a person who supervises compliance with privacy legislation within an organization.
  8. The new right to data portability (data transfer). This new right means that the persons whose personal data are processed are entitled, under certain conditions, to receive that data in a standard format.
  9. The obligation, where applicable, to take appropriate technical and organizational measures to apply privacy by design and privacy by default to the flows of personal data.
  10. More detailed requirements for the privacy statement.

What are the fines for violation of the AVG?

This AVG Fines Table contains an overview of the fines for violations of the privacy rules from 25 May, when the AVG applies. The fines table states the maximum fines that can be imposed in the event of a violation. The actual amount of a fine will ultimately depend on various circumstances, such as the seriousness of the violation, the degree of culpability and any previous violations.

AVG vs GDPR

What is the difference between AVG and GDPR?

In communications about the new privacy legislation that applies from 25 May 2018, the abbreviations AVG and GDPR are sometimes used together and sometimes separately. This can cause confusion: are we dealing with one or two new privacy laws? Fortunately, there is only one new privacy law. One point to note is that on some points the privacy rules may differ per country within the European Union.

What is GDPR?

GDPR stands for General Data Protection Regulation and is the English abbreviation. AVG is the Dutch abbreviation for the same regulation (Algemene Verordening Gegevensbescherming). So GDPR is AVG and AVG is GDPR.

The GDPR, and therefore also the AVG, is a European law that applies from 25 May 2018. The new privacy law is intended to modernize the existing privacy legislation within Europe. The existing privacy legislation is based on a European “Directive”, which each country implemented differently in its national legislation. The new privacy law applies directly in all countries of the European Union, so that, as far as possible, the same privacy rules apply throughout Europe.

On which points can the privacy rules differ per country within the European Union?

These are the main points on which the privacy rules can differ per country within the European Union under the new European privacy law:

  • Specific exceptions permitting the processing of special personal data.
  • The “limitations” of the rights of the persons involved, for example when data is requested in the context of national security.
  • The age limit used for the concept of “children” when requesting consent in an online context (below which it must be checked that the parents or guardians have given consent).
  • Exceptions for journalism.

Processor agreement: what should it contain?


The GDPR sets out the provisions that must at least be included in a processor agreement.

What is a processor agreement?

A processor agreement is an agreement concluded with a processor. A processor is an external supplier or service provider to which an organization outsources actions (legal term: “processing”) involving personal data. Examples of such actions are storing, viewing, modifying, deleting and forwarding.

In a processor agreement, arrangements are made about the actions involving personal data that a processor may perform on behalf of a client (legal term: “controller”).

What does the GDPR privacy law say about processing agreements?

The GDPR stipulates that only processors may be engaged that can give sufficient guarantees that they have taken “appropriate technical and organizational measures” to ensure that the obligations under the privacy law are met and that the rights of the persons whose personal data are processed are safeguarded.

What should at least be stated in a processor agreement?

A processor agreement must at least include the following provisions:

  • A description of the processing by the processor including the duration of the processing, the nature and purpose of the processing, the type of personal data being processed, and the categories of persons involved whose personal data are being processed.
  • Requesting permission to outsource processing to sub-processors. If the processor outsources operations with the personal data to other processors (sub-processors, usually subcontractors of the processor), the client (controller) must give specific or general prior permission for this. If general permission is given, the processor must report changes to its sub-processors to the client and allow the client to object.
  • Impose the same obligations on sub-processors. The processor must impose on any sub-processors it engages at least the same obligations that the client imposes on the processor.
  • Only act on behalf of the client. The processor may only perform operations with the personal data on behalf of the client, that is, only those operations that are necessary to perform the services the processor provides to the client. The processor may not independently determine what happens to the personal data.
  • Take appropriate measures to protect personal data. Securing personal data is one of the most important tasks of the processor. The processor agreement must state that the processor takes “appropriate technical and organizational measures” to protect the personal data. The Dutch Data Protection Authority requires that these security measures are also described in the processor agreement.
  • Ensuring confidentiality for employees. The processor must ensure that the persons who process the personal data under its authority are bound to confidentiality with regard to this personal data, either through contractual agreements or on the basis of a professional duty of confidentiality.
  • Providing assistance with various obligations. The processor agreement must state that the processor assists the client, as far as possible and by means of “appropriate technical and organizational measures”, in answering requests from the persons whose data are involved, in securing the personal data, in reporting data breaches, in performing PIAs and (if necessary) in prior consultation with the Dutch Data Protection Authority.
  • Transfer or destroy personal data. At the end of the service provided by the processor, the processor must delete the personal data or return it to the client and delete any existing copies.
  • Allow audits and provide information to the client. The processor must allow audits and provide information to the client so that the client can check whether the processor complies with the obligations under the processor agreement.

Is a register of personal data processing mandatory or not?


The AVG requires a register of the processing of personal data to be kept (an “overview of data flows” or “data folder”).

Is every organization obliged to keep a register of processing of personal data?

Yes, almost every organization is obliged to keep a register of the processing of personal data (“overview of data flows” or “data folder”).

The AVG states that you are obliged to keep a register of processing of personal data, but that this obligation does not apply to companies with fewer than 250 employees. However, it adds an exception to that exception: unless the processing of personal data is “not occasional” (i.e. structural). On the basis of this provision, every organization that processes personal data on a structural basis is obliged to keep an overview.

Almost every organization processes personal data structurally, for example because it uses business e-mail, collects IP addresses via a website or uses camera surveillance. The obligation to keep an overview will therefore apply to most organizations, whether they have more or fewer than 250 employees.

Moreover, even if an organization processes personal data only very rarely, the overview is still required if special personal data is involved or if the processing entails a risk for the persons concerned, for example because they belong to a vulnerable group.

Which organizations are not obliged to keep a register of the processing of personal data?

If personal data is processed only very sporadically, and the processing involves neither special personal data nor a risk for the persons concerned (for example because they belong to a vulnerable group), then an organization does not need to keep a register (“overview” or “data folder”).