The Netherlands has an attractive business climate for foreign investors. Starting a business in The Netherlands will, in nearly every case, lead to the processing of personal data. The processing of personal data is subject to the conditions set out in the (European) General Data Protection Regulation (GDPR).
Be aware: the GDPR is not only applicable to companies established in the EU / EEA
The GDPR is not only applicable when a business is established in The Netherlands or another Member State of the EU or the EEA (the European Economic Area, which is made up of the EU Member States plus Norway, Iceland and Liechtenstein). The territorial scope is wider than just businesses registered in the EU or the EEA. The GDPR is also applicable in situations in which an entity that is established outside the EU / EEA offers services or goods within the EU / EEA, and/or in situations in which an entity monitors the behavior of data subjects in the EU / EEA. An American company that sells goods in The Netherlands to consumers therefore needs to comply with the GDPR with respect to the personal data of these EU / EEA consumers and/or prospects. In short: the GDPR affects businesses worldwide. Note: article 27 GDPR states when appointing a representative within the EU / EEA is mandatory.
Key terms of the GDPR
In order to give some insight into what the GDPR requires organizations to do, a couple of key terms need to be clarified:
- Personal Data: information related to a natural person (Data Subject) that can be used to directly or indirectly identify that person;
- Data Subject: a natural person whose data is processed;
- Processing: any operation (or set of operations) which is performed on personal data (such as: collection, storage, consultation or destruction);
- Data Controller: the entity that determines the purpose, conditions and means of the processing of personal data;
- Data Processor: the entity that processes data on behalf of the Data Controller.
The GDPR in short: it regulates the processing of personal data
The GDPR is designed to give persons (Data Subjects) more control over their Personal Data. Under the GDPR organizations need to make sure that Personal Data is collected and processed under strict conditions. Data Subjects should be protected against misuse of their Personal Data by such organization and the GDPR grants Data Subjects some specific rights with respect to their Personal Data (such as: ‘the right of access’, the ‘right to rectification’ and the ‘right to be forgotten’).
The GDPR requires organizations to be ‘in control’ with regard to the Personal Data they process. That means that the organization needs to have insight into how and what is done with Personal Data and have policies in place which allow the organization to detect and report data breaches, protect its data sufficiently, deal with Data Subject requests and delete data in a timely manner. The GDPR does not only ask for appropriate legal and technical measures, but also organizational ones.
What should my organization do?
When doing business in The Netherlands, your organization should comply with the GDPR. That means at least the following:
- Analyze and map company data flows (document: record of processing activities) and assess the legal grounds for these processing activities;
- Have a data retention policy;
- Take technical and organizational measures to protect data and make sure that with new processes or products privacy is taken into account from the development phase on (“privacy by design”);
- Carry out DPIAs (Data Protection Impact Assessments) if necessary;
- Raise privacy and data protection awareness among employees;
- Provide information to Data Subjects (including the employees and visitors of the website) about how their Personal Data is being used by the organization (privacy statements);
- Have processes for notifying authorities and Data Subjects in case of a data breach;
- Design a process for handling Data Subject requests;
- Sign data processing contracts with Data Processors (or with Data Controllers if your organization is a Data Processor or a joint controller);
- Appoint a DPO (if necessary).
Note: the GDPR has no clear-cut rules about how to comply. E.g. the organization needs to raise privacy awareness among its employees, but it is up to the company whether the employees get to take a privacy course, play learning games or get a memo (the latter probably being not very effective).
A common misconception regarding consent
One of the basics of the GDPR is that Personal Data can only be processed when there is a legal ground. A widespread misunderstanding is that consent of the Data Subject is always necessary. Consent is one of the legal grounds, but not the only one. The other legal grounds are: contractual necessity, a legal obligation (of the Controller), the vital interests of a natural person, public interest and legitimate interest (of the Controller or a third party). Since consent can be withdrawn by the Data Subject at any time, it pays to find out whether another legal ground could be applicable.
What can Clairfort’s privacy team do for your organization?
Clairfort can assist with the privacy compliance of your company and every (other) aspect of the GDPR, from an ad hoc question about a very specific situation to a full GDPR implementation. Clairfort also provides ‘DPO-as-a-service’.
Other blogs about Doing business in the Netherlands
Clairfort publishes a series of blogs about Doing business in the Netherlands. You can read the other blogs here.