The European General Data Protection Regulation (the 'Regulation') will take effect on 25 May 2018. The Regulation will replace the current European Data Protection Directive of 1995. The Dutch Data Protection Act (locally known as 'Wbp') will expire by the effective date of the Regulation. The Regulation will be directly applicable in all the EU Member States, without the need for conversion into national legislation. These developments bound to have an impact on labour law practices in the Netherlands. Employers process personal data of their employees for numerous reasons. Think of: the usual data processing for staff administration purposes, data processing for sickness absence counselling, and data processing in relation to employee attendance at work.
The Regulation: General
The Regulation aims to provide a high or higher degree of protection for personal data. For example, consent should be given by a clear affirmative act (such as a written or oral statement), indicating voluntary, specific, informed and unambiguous agreement to the processing of the personal data of the data subject, i.e. the employee. In addition, the principle of transparency requires any information and communication relating to the processing of those personal data to be easily accessible and easy to understand, and clear and plain language must be used. This is relevant in particular to informing employees of the data controller's identity and the purposes of the data processing.
What will change for the employer?
Under the Regulation, employers will have of a number of new obligations. The principal changes for employers are set out below:
- Expansion of information obligations. The Regulation requires an employer to inform its employee on time of the purpose of the processing as well as the storage period of personal data. The employer must also inform the employee if personal data are to be transferred to a third party or to another country and must inform the employee of where he or she can turn to with any complaints.
- Record-keeping requirement. The employer will have to keep records of the processing activities. With regard to personal data of employees, that obligation applies, in principle, only to businesses with more than 250 employees.
- Appointment of data protection officer. The Regulation also requires certain businesses to appoint a data protection officer. This requirement only applies to public authorities and undertakings and organisations involved in regular and systematic monitoring of individuals on a large scale or in processing special categories of personal data or data relating to crimes or both. The data protection officer will enjoy dismissal protection.
Infringement of the above requirements may lead to heavy sanctions, including fines of up to €20 million or 4% of the total worldwide annual turnover, whichever is higher.
What will change for the employee?
The Regulation aims to strengthen the protection of personal data. For employees, this specifically results in the following changes:
- Their right of inspection is expanded. A new feature is that the employee will also have the right to obtain information regarding the storage period of personal data. In that connection, the Regulation grants the employee the right to obtain a copy of the personal data. When providing a copy, the employer has to make sure that the rights and freedoms of others are not affected, which concretely means that the employer will have to ensure that the privacy of, for example, a colleague or customer remains assured. This could lead to restrictions when providing a copy from the personnel record.
- Introduction of a right to be forgotten. An employee's personal data must be erased in some cases, including: (i) when the personal data are no longer needed for the purposes for which they were collected or (ii) processing was based solely on the employee's consent and the employee has withdrawn that consent. The right to be forgotten cannot be invoked if the employer has processed the data in order to comply with a statutory obligation or if the data are necessary for a legal claim.
- Introduction of a right to portability. Under the Regulation, the employee has a right to personal data portability. This means that the employee has the right to receive the personal data kept in his or her respect by the employer and may transmit it to another organisation.
Regulations applying to privacy are about to change significantly. A set of new rules will be introduced. On 25 May 2018, the Regulation will enter directly into force in the EU Member States. Member States may adopt further rules for processing the personal data of employees by law or collective bargaining agreement. We will keep you posted once more information is available. Until 25 May 2018, the Dutch Personal Data Protection Act remains applicable.
Although the Regulation does not enter into effect until 25 May 2018, it would be wise to map the existing procedures within your business and adjust them in time to comply with the new legalisation. After all, non-compliance with the new European Regulation may eventually lead to a hefty fine.
We will be happy to provide your organisation with advice tailored to your needs.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.