Quick answer

What do I have to do if my bank account number may have been leaked?

Did you receive a message from an organisation that they have become the victim of a data breach? And that bank account numbers have been leaked as a result? This is what you can do in such a case:

  • Be alert to phone calls or messages by email, text or WhatsApp in which people try to obtain information from you, such as your PIN code. Your bank will never ask you to provide a certain code or to send your bank card to a certain address, and certainly not in this way.
  • Frequently check for any debits from your bank accounts. Criminals may use your bank account to buy things.
  • For more information see Veiligbankieren.nl (in Dutch).
Quick answer

Where can I ask questions about the obligation of my organisation to report a data breach to the supervisory authority?

Do you want to ask the Dutch DPA a question about reporting data breaches? Then you can call 088 - 1805 255. You pay your usual telephone costs.

Note: This number is only intended for organisations that have questions about the data breach notification obligation.

Quick answer

Is a permit mandatory for sharing criminal data between governmental organisations?

No permit is needed if there is a cooperative working arrangement under public law. These types of cooperative working arrangements are mentioned separately in the GDPR Implementation Act as an exception.
However, these 2 conditions apply:

  1. The processing is necessary for these governmental organisations for the performance of their task.
  2. The governmental organisations implement such safeguards that the privacy of the data subjects is not disproportionally affected.
Quick answer

Is my school or university allowed to film me when I attend a distance class?

You can attend a class through video calling. When you do this, your educational institution may film you at home. This is an invasion of your privacy. But it is allowed when teaching in any other way is not possible. In that case, your school or university has to ensure that the invasion of your privacy is minimised.

For example, your school or university has to choose a software supplier that meets the requirements of the privacy law. Here it is particularly important that the supplier does not retain all data longer than necessary.

Your school or university also has to provide you (or your parents) with clear information about what exactly happens with your data, such as why your data are processed and when your data will be erased. Take a look at the privacy policy, for example. Or ask a teacher or an employee of your school or university.

Make sure that you keep things that are very personal to you outside the range of the camera as much as possible, such as things that have to do with your religion or political preference.

Quick answer

Is my school or university allowed to retain the images that were made during class?

Your school or university is not allowed to retain the images made during class through video calling if pupils or students are visible in them and if they do not have a good reason for retaining them.

Images without pupils or students

Your school or university is allowed to retain a recording of the class or the lecture without the interaction with pupils or students in it. An example of this is to be able to watch the class or lecture at a later time.

It is advisable here that your school or university indicates beforehand when the recording will start so that you will know when you have to turn off your microphone and camera.

Images with pupils or students

Only in exceptional situations will your school or university be allowed to retain images in which pupils and students can be recognised.

In that case, your school or university must have a good reason to do this. And recording the images must be necessary for that purpose, such as if interaction with pupils or students is an important component of the study material. Or if watching the images at a later time is necessary for the evaluation of the teachers.

The school or university has to explain clearly beforehand why retaining those images is necessary and how long the images need to be retained.

Erasing images

Does your school or university retain images in which you are visible, but do you not want this? Then you can ask for erasure of the images. Your educational institution will then decide if the images will be erased.

Quick answer

My school or university has asked me to install software to take a test or examination at home. Is that allowed?

Some schools and universities opt for software to conduct online surveillance (online proctoring). The question of whether your school or university is allowed to use online proctoring cannot simply be answered with yes or no. In any case, your school or university will have to meet strict requirements because online proctoring has a significant impact on your privacy.

Is proctoring necessary?

Firstly, your school or university will have to assess whether using proctoring is necessary.

Are there less intrusive ways of examining that also limit the chance of fraud? Then your school or university is not allowed to deploy proctoring. An alternative may be to have pupils or students submit a paper, an essay, or an open book examination.

Is proctoring indeed necessary? Then your school or university will have to ensure in any case that the invasion of your privacy is minimised.

More information

More requirements that your school or university has to meet can be found in Recommendations for online proctoring in education (in Dutch).

 

Quick answer

What can I as a citizen do with my complaint about an international processing operation?

Do you have a complaint about the processing of your personal data? Then you can submit your complaint to the Dutch DPA.

The Dutch DPA will check whether there is a cross-border (international) processing operation. If so, the Dutch DPA may not be the supervisory authority designated for handling your complaint. The Dutch DPA will then pass on your complaint to the European fellow supervisory authority which is competent to deal with your complaint. You do not have to do anything yourself. The fellow supervisory authority will handle your complaint in close consultation with the Dutch DPA and any other supervisory authorities involved.

Information about the handling of the complaint

Do you have any questions? Then you can always contact the Dutch DPA. The Dutch DPA will also provide you with information about the handling of your complaint and inform you about the final outcome of your complaint.

Quick answer

Do I have to register my DPO with other European supervisory authorities as well?

This is not necessary if the Dutch Data Protection Authority (Dutch DPA) is the lead supervisory authority of your organisation. In that case, you will have to register your Data Protection Officer (DPO) with the Dutch DPA only.

Is your only establishment or your European central administration located in the Netherlands? Then the Dutch DPA is your lead supervisory authority. You have to provide the contact details of the DPO to the lead supervisory authority.

Registering your DPO with supervisory authorities involved in other member states is permitted, but not mandatory. The Dutch DPA recommends that you do this, though. In doing so, you promote the contact with supervisory authorities involved. 

Are you not sure which supervisory authority is the lead supervisory authority? Then you can register your DPO with the supposed lead supervisory authority and the supervisory authorities involved.

Quick answer

Do I, as a processor, also benefit from the one-stop shop mechanism?

Yes. If you are a processor with cross-border activities or multiple establishments in the EU, you can also benefit from the one-stop shop mechanism.

The location where your central administration takes place is regarded as the central administration. The supervisory authority in the EU member state in which your central administration is located is in principle the lead supervisory authority.

The one-stop shop mechanism is the starting point for processors as well. This means that the lead supervisory authority is the only data protection supervisory authority in the EU that you will have to deal with.

Central administration outside the EU

Is your central administration not located in the EU? Then the lead supervisory authority is the data protection agency of the country in which the most important data processing operations in the EU take place.

Controller and processor

Are you as a processor involved in a concrete case, but so is the controller? Then the lead supervisory authority of the controller is the sole lead supervisory authority for that case.

The supervisory authority from the country in which you as a processor have your central administration will then become a supervisory authority involved and cooperate with the other supervisory authorities involved.

Never just a processor

Note: you are actually never just a processor. Even if you process personal data for others just as a processor, you are in any case the controller for the data of your own staff.

Quick answer

Will the Dutch DPA publish my prior consultation?

No, not in principle. Sometimes, the Dutch DPA may decide to publish the advice on your processing. For example, if this may be of significant value to other organisations. If the Dutch DPA intends to publish the advice, the Dutch DPA will let you know in advance.

Quick answer

What can the Dutch DPA do if I do not observe the rules of the prior consultation?

In the following cases, the Dutch DPA may see a reason to start an enforcement investigation or impose a fine:

  • if you do not apply for a prior consultation while this is mandatory;
  • if you have already started processing before or during the prior consultation;
  • if after the prior consultation it turns out that you have processed data contrary to the advice given.
Quick answer

Do I, as a ministry, have to apply for a prior consultation for new legislation?

No, this is usually not necessary. The obligation to ask the Dutch DPA for a test always applies to legislation on personal data processing, regardless of whether or not there is a high risk (Article 36, paragraph 4 GDPR).

In this legislative test, the Dutch DPA checks the privacy aspects of the intended processing operation. In the methodology of the Dutch DPA, a separate prior consultation would be redundant.

Note: A legislative test from the Dutch DPA is mainly about the legislative text itself. Are there any aspects of the processing operation(s) that have not logically been dealt with already in the legislative text or the explanatory notes? Then these are not part of the test.

There may be issues of a factual nature in the implementation or the implementing systems to which the (national) legislation does not apply. For example, because the regulation is not needed for it or has a different level of abstraction. Or because the subject has fully been covered in the GDPR in principle (such as security of processing in Article 32 GDPR).

Do such subjects result in a high risk? Then you can apply to the Dutch DPA for a prior consultation about them. Did you apply for such prior consultation? Then state this in your request for a legislative test.