Developing a Compliance Strategy:
Dutch Supervisory Authority starts random investigations into GDPR compliance among large corporations.
On 17th July, 2018 the it was announced that the Dutch Supervisory Authority (DSA) will be conducting initial investigations to ascertain whether large corporations are are compliant with the General Data Protection Regulation (GDPR). The DSA intends to review the records of processing activities from a random sample of 30 Dutch corporations.
Article 30 of the GDPR stipulates that organisations with more than 250 employees must maintain a register of all data processing activities.
The register must include a description of the categories of data subjects, types personal data, and the purpose of personal data being processed. Details of data recipients and data transfer methods must also be recorded.
Although smaller organisations with less than 250 employees are usually exempt, they are still obliged to maintain a register, if they:
- consistently process personal data, e.g. employee data;
- process personal data which poses a high risk to the rights and freedoms of individuals;
- process ‘special category’ data, such as health data or religious data.
The 30 randomly selected organisations will be taken from ten different sectors across the Netherlands. These are:
- financial services
- water suppliers
- business services
- metal industries
The DPA states that:
the correct maintenance of records of processing activities is an important first indication of an organization’s compliance with the new EU data protection rules.
Download the official press release (in Dutch) here.
Source: DPA Netherlands – AP starts research into compliance with privacy rules by private sectors.
Could the Dutch supervisor’s investigation have an influence on your organization?
Let op: Nederlandse bedrijven
Kan het onderzoek van de Nederlandse toezichthouder invloed hebben op uw organisatie?
De GDPR Guys kunnen Nederlandse bedrijven helpen ervoor te zorgen dat hun artikel 30-registraties van verwerking volledig en nauwkeurig zijn. We controleren uw artikel 30-records om te zien of ze GDPR-compatibel zijn. Dit omvat ook het voltooien van eventuele herstelacties, indien nodig.