Privacy Matters: Guidelines Issued on Privacy Policies (Netherlands)

The first question that may come to mind is: why should I care about the Netherlands issuing guidelines on privacy policies? The answer is simple. The data protection authorities (DPAs) of the Netherlands and all other 27 EU member states hold equal authority in issuing interpretations of the GDPR, the General Data Protection Regulation. As a result, a U.S. or Canadian company should care, because these interpretations place you squarely within the requirements of the law and inform how you should react when you are crafting a privacy policy.

It is important to note that although the General Data Protection Regulation is a European Union law, it affects businesses around the globe.

The Dutch Data Protection Authority, or Autoriteit Persoonsgegevens, issued the following six recommendations (in Dutch) for companies' privacy policies. Privacy policies are required under Article 24.2 of the GDPR.

The guidelines recommend that companies:

  • assess whether they are under an obligation to implement a privacy policy, based on their processing activities (according to Article 24 of the GDPR, such assessment must be made taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons);
  • use internal and/or external expertise (in this respect, the Dutch DPA states that companies’ data protection officers can play a role in implementing privacy policies);
  • draft their privacy policy in one document to avoid fragmentation of information about data processing;
  • draft specific and concrete privacy policies (a data protection policy should be a concrete reflection of the principles of the GDPR as simply reiterating the principles of the GDPR is not sufficient);
  • raise awareness (although this is not a requirement under the GDPR, the Dutch DPA recommends publishing privacy policies to ensure that data subjects are aware of how companies handle their personal data); and
  • consider implementing a privacy policy even if it is not required, to demonstrate the organization’s willingness to protect individuals’ personal data.

The original report is located here: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/rapportage_verkennend_onderzoek_gegevenschermingsbeleid.pdf.

This post was written in conjunction with the AOTMP® Efficiency First® Framework’s Regulatory Compliance and Risk Management core activities. 

Efficiency First® Framework v3.0 is the standard for measuring Telecom / Mobility / IT Management Center of Excellence maturity. It defines a comprehensive set of strategic performance measures, tactical diagnostic measures, and best practice principles used to optimize Center of Excellence business value. Enterprise organizations adopt the Framework and vendors align solutions to Framework principles.