What is GDPR all about?

Privacy and the handling of personal data are becoming increasingly important. Organizations must handle personal data correctly. Failure can result in data breaches, negative publicity, or even fines. That's why compliance with the General Data Protection Regulation (GDPR) is essential. Organizations are required to comply with the rules of the General Data Protection Regulation (GDPR).

Wat houdt de AVG in?

The most important topics from the GDPR

The GDPR contains a number of core principles that govern how organizations must handle personal data carefully. Below, we summarize the key points.

Fundamentals

  • Lawfulness, fairness and transparency

    Data subjects must be clearly informed about which of their personal data is being processed. This communication must be easy to understand, and all processing must comply with the law.

  • Purpose limitation
    Personal data may only be used for a specific purpose.

  • Data minimisation
    Process only the personal data strictly necessary, in accordance with the principle of data minimisation. For instance, sending a newsletter requires only an email address; collecting the recipient's home address would be unnecessary.

  • Accuracy

    All personal data processed within an organization must be accurate. If you discover that a customer's data is incorrect, the data must be corrected.

  • Storage limitation
    Personal data may not be retained longer than necessary. Where a legal retention period applies, organizations must comply with it. Otherwise, they may determine an appropriate retention period themselves.

  • Integrity and confidentiality
    All organisations must take appropriate security measures to ensure that the data is adequately protected.

Legal bases

An organisation may only process personal data if there is a legal basis. The GDPR contains six legal bases:

  • Consent
  • Performance of a contract
  • Legal obligation
  • Vital interests
  • Public interest
  • Legitimate interest

Information obligation

Organizations inform data subjects about which personal data is processed through a privacy statement. It is a common practice to publish the privacy statement on the website. In this document, an organization explains what personal data is processed, why it is needed, on what legal basis, and for how long it is retained. It is also mandatory to explain what rights data subjects have, and to which third parties the data is transferred.

Division of roles and agreements with other parties

Organisations use all kinds of software packages and systems. Think of an HR or CRM system, or an accounting package. Another example is the use of security cameras in the office or in a warehouse. Suppliers that provide such systems or packages process personal data. The agreements regarding the handling of these personal data are laid down in a data processing agreement.

Data breaches

A data breach is a security incident resulting in the unauthorized access, accidental loss, or unlawful disclosure of personal data. As an example, employee A accidentally received the payslip of employee B, or an order confirmation for customer C was sent to customer D. In such cases, it is important that an organisation acts quickly. The error must be rectified, and the data breach must be registered internally. It may even be mandatory to report the data breach to the Dutch Data Protection Authority and the data subject(s).

Read moreRead less

Data Processing Agreement

The GDPR distinguishes between a data controller and a data processor. The data controller determines the purpose and means of the data processing. And the data processor acts on behalf of the data controller. These parties must enter into a data processing agreement. In this agreement, the parties make arrangements on how the personal data is handled.

Data Sharing Agreement

When both parties are joint controllers, they make arrangements in a data sharing agreement. If the parties are independent controllers, this type of agreement is not mandatory but recommended. This is to ensure that the recipient does not process the data for a purpose other than that for which it was provided.

Documents to comply with the GDPR

It is often said that the GDPR is a 'paper tiger'. Organisations must have various documents in place. The following documents are a must-have:


Need support with implementation?

Hire an expert

Documenten om te voldoen aan de AVG

5 steps to check your GDPR compliance

Complying with the GDPR is not always easy. Organisations sometimes can't see the wood for the trees. To help organisations on their way to becoming GDPR compliant, we created a simple 5-step checklist.

Short on time or resources? We're here to help. We conduct privacy inventories for your organization.

Checklist downloaden

Visual voorkant checklist AVG

FAQ about the GDPR

Who does the GDPR apply to?

The GDPR applies to all organisations. The reason is simple: every organisation processes personal data. Think of the data of your own employees, but also your customers and website visitors.

Is a Data Protection Officer required?

Some organisations are legally required to appoint a Data Protection Officer (DPO). The DPO informs and advises on the handling of personal data. In doing so, the DPO holds an independent position.

The following organizations are required to appoint a DPO:

  • Public authorities
  • Organisations engaged in systematic monitoring
  • Organisations that process special categories of personal data on a large scale

Even for organisations that do not fall under one of these categories, it is advisable to appoint a DPO to ensure privacy compliance.

What is the role of the Dutch Data Protection Authority?

The Dutch Data Protection Authority (Dutch DPA) is the supervisory authority for privacy in the Netherlands. The Dutch DPA has the authority to address organisations when they do not act in accordance with the GDPR. The Dutch DPA also has the power to impose fines. Naturally, organisations want to avoid fines due to the financial impact. But organisations often forget that reputational damage might be much worse. To prevent any kind of damage, organisations are well advised and remain GDPR compliant.

What are the basic principles of the GDPR?

The GDPR has six basic principles for processing personal data:

  • Lawfulness, fairness and transparency;
  • Purpose limitation (data may only be used for clear and pre-defined purposes);
  • Data minimisation (only collect data that is necessary);
  • Accuracy (data must be correct);
  • Storage limitation (not retained longer than necessary);
  • Integrity and confidentiality (data must be adequately secured);

Accountability: organisations are required to demonstrate compliance with the above-mentioned basic principles. This can be achieved through clear documentation, such as records of processing activities and privacy statements.

How long can you retain data according to the GDPR?

The GDPR requires organisations to not retain personal data longer than necessary. Data may only be kept as long as it remains relevant to the purpose for which it was collected. For certain types of data, such as financial records, statutory retention periods apply. Implementing a sound retention policy helps mitigate risks and strengthens trust in your organisation.

Contact

Curious about what we can do for you? Get in touch!

Leave a message via this form and we will contact you shortly.

When you submit a request, we always start with a no-obligation introductory meeting.







 

Submit your details