The GDPR in brief

Under the General Data Protection Regulation (GDPR), organisations that collect and use personal data have been given more responsibilities, and the people whose data they use have been given more rights. Organisations that fail to observe the rules may be fined.

To whom the GDPR applies

The GDPR has applied throughout the European Union (EU) since 25 May 2018. The GDPR applies to everyone who processes personal data.

  • The GDPR applies not only to large companies, but also to small entrepreneurs. Also see: GDPR for entrepreneurs.
  • The GDPR also applies to the government.
  • The GDPR applies not only to organisations, but also to individual persons who process personal data. For example, people who install a camera outside their home.

Separate directive for police and judicial authorities

For the police and judicial authorities, a separate legal framework applies instead of the GDPR: the European Directive on data protection in the law enforcement sector. This directive provides rules for the processing of personal data by competent authorities for the prevention, investigation, detection and prosecution of criminal offences and the execution of penalties.

The GDPR does apply to the other tasks of the police and the judicial authorities, for example the processing of staff details. In the Netherlands, the Directive was implemented in the Police Data Act (Dutch Wpol) and the Judicial Data and Criminal Records Act (Dutch Wjsg) as of 1 January 2019.

GDPR Implementation Act

Every EU Member State has to draft legislation of its own for a number of points from the GDPR. In the Netherlands, this was largely done in the General Data Protection Regulation Implementation Act (GDPR Implementation Act).

Basic principles of the GDPR

The GDPR contains 6 basic principles, called 'principles' in the GDPR. They can be found in Article 5 of the GDPR. Everyone who processes personal data has to comply with these principles and has to be able to demonstrate compliance. This is the seventh, overarching principle of the GDPR: the duty of accountability.

The 6 principles from the GDPR are:

  1. lawfulness, fairness and transparency;
  2. purpose limitation;
  3. data minimisation;
  4. accuracy;
  5. storage limitation;
  6. confidentiality and integrity.

Lawfulness, fairness and transparency

In order to be lawful, processing must in any case rest on one of the legal bases from the GDPR. In addition, the processing may not be contrary to other legislation, such as a legal obligation of confidentiality.

Also see: Legal bases from the GDPR explained.

The processing must also be ‘fair’. This means that it may not be disadvantageous, discriminatory, unexpected or misleading (in a way that cannot be justified) for the data subjects.

Furthermore, it must be transparent for data subjects how and why an organisation processes their personal data. This means that an organisation must communicate openly and clearly about this.

Also see: Right to information.

Purpose limitation

Organisations may only collect personal data for a legitimate purpose. That purpose must be specific and explicitly described in advance. Organisations are therefore not allowed to start collecting personal data just in case they may come in handy at some time.

The purpose for which an organisation is going to process personal data must be compatible with the purpose for which these data were collected. In other words: the organisation may not suddenly start using the data for a different purpose.

This requirement also applies for the provision of personal data to another organisation (providing is a form of processing).

Data minimisation

When processing personal data, organisations have to proceed from the principle ‘as few as possible’. This means, for example, that the data processing must be compatible with the purpose. And that the organisation is not allowed to process more data than necessary for achieving that purpose.

Accuracy

Organisations have to ensure that the data are accurate and update the data if necessary. People can also ask organisations to adjust their personal data if they are not correct.

Also see: Right to rectification.

Storage limitation

Organisations must remove personal data as soon as they are no longer necessary for the original purpose for which they were collected. Organisations may therefore retain data for a specific period of time only.

Also see: Retention of personal data.

Confidentiality and integrity

Organisations must secure their data processing operations properly. Particularly strict requirements apply for special categories of personal data.

Also see: Security of personal data.

The meaning of the GDPR

Under the GDPR, organisations have been given more responsibilities. There is also more at stake, because they can get a hefty fine if they violate the GDPR. People whose data are processed by organisations have been given more privacy rights.

The meaning for organisations

For you as an organisation, the following points are important, among others.

Are you, as an organisation, active in several EU Member States? Then the GDPR brings you the following benefits:

  • You have fewer administrative costs and compliance costs.
  • You have more legal certainty.
  • There is a level playing field, because the rules are in principle the same for all companies in the EU.
  • You have to deal with one supervisory authority only (one-stop-shop mechanism).

The meaning for privacy rights

The GDPR has given people more options to stand up for themselves with regard to the processing of their personal data. They already had rights (also called data subjects' rights) before the GDPR entered into effect, but the 'right to removal of data' was extended in the GDPR and a new right was added: the 'right to data portability'.

  • Right to removal of data (‘right to be forgotten’). People already had the right to ask an organisation to remove their personal data. Now they can additionally demand that the organisation communicates the removal to all other organisations that have received the data.
  • Right to data portability ('right to data transferability'). People have (on certain conditions) the right to receive their personal data from the organisation in a standard format. This is called the right to data portability. This makes it easy for them to transfer their data to another provider of the same type of service.

The role of the Dutch DPA

The GDPR and the General Data Protection Regulation Implementation Act (GDPR Implementation Act) arrange the tasks and powers of the Dutch DPA as supervisor of the legislation and regulations for the processing of personal data.

Privacy protection is a continuous process. The Dutch DPA helps organisations meet the requirements of the GDPR in a variety of ways.

Contact

You can call the Dutch DPA with general questions about the GDPR. You can ask us questions about your responsibilities under the GDPR. You can also contact us for general information about the privacy rules. We will then explain what the law says.

As a supervisor, we give general answers to your questions. Do you want to know whether you meet the requirements of the GDPR with a specific act or practice? Then you are best advised to contact, for example, a consultancy firm, a corporate lawyer or a sector organisation.

Sometimes we are (still) unable to give a concrete answer to your GDPR question. In some cases, the European data protection agencies are still working on, for example, guidance concerning a specific rule from the law. Once such guidance is available, they issue, for example, new guidelines, so that all countries give the same explanation.

Will you help us improve our information?

Your questions and responses give us insight into the subjects from the GDPR for which there is still a considerable need for information. This helps us improve our information, among other things by extending the information on our website.

So even if we are sometimes unable to give a concrete answer to your question, keep asking us any questions you may have, by telephone or during meetings.

Information

On invitation and in consultation, the Dutch DPA gives presentations during meetings organised by sector organisations or other organised forms of cooperation. The Dutch DPA also provides information through the press.

Enforcement
The Dutch DPA is authorised to impose sanctions if an organisation infringes the privacy laws. The most important sanctions are the fine, the order subject to a penalty, the ban on processing, the reprimand and the warning.

Fine

The Dutch DPA may impose a fine of up to 20 million euro or 4% of the worldwide turnover. The Dutch DPA has had this power since 25 May 2018, the date on which the GDPR entered into force.

More about the Dutch DPA

Read more about the work of the Dutch DPA.

Information and tools

A range of tools are available for organisations.

Information on the website of the Dutch DPA

The information on this website has been arranged according to themes. With each theme, you can find basic information and answers to frequently asked questions. In this way, step by step, you obtain all the information you need.

GDPR rule tool

The Dutch DPA has developed the interactive GDPR rule tool. When you answer the questions from the rule tool, you will be provided with practical tailor-made advice about the things you still have to work on to comply with the GDPR (and stay compliant). The GDPR rule tool was developed by the Dutch DPA together with the Netherlands Enterprise Agency (RVO).

GDPR checklist

For an overview of a number of important parts of the GDPR, you can view the 'GDPR in a nutshell' infographic. The Dutch DPA's checklist 'Keep a grip on personal data' helps you check whether your organisation (still) complies with a number of important parts of the GDPR.

GDPR guidelines

Together with the other European data protection agencies, the Dutch DPA publishes guidelines that clarify specific subjects from the GDPR.