New European privacy rules

Publication date: 23 August 2017
Does your company collect or process personal data? Do you, for instance, register customer data? Or do you store addresses and telephone numbers of your personnel? If so, you will have to comply with the new European privacy rules!


New European Data Protection Regulation

The General Data Protection Regulation will take effect soon. This European privacy regulation protects the privacy of EU citizens and creates various requirements for many companies and authorities.

For whom?

Many people think that privacy rules only apply to large data processing companies, such as Facebook and Google. Nothing could be further from the truth! The new privacy rules also apply to all companies and authorities inside and outside of the EU that hold or process personal data of EU citizens. Your organisation will probably also have to comply with the requirements.

Please note: Less stringent rules and exceptions to the requirements often apply to medium-sized and small companies.

Processing of personal data

Personal data are data regarding one person or data that can be traced back to this person. These might include names, addresses, telephone numbers and data regarding a person’s religion or health.

Processing of data includes all operations that can be performed with personal data. This might include collecting, registering, storing, updating, consulting and deleting of data.

What will change?

The most important rights and requirements introduced by the General Data Protection Regulation involve the following:

  • Right to transferability of data

If they so wish, individuals must be able to obtain their personal data and transfer them to a different organisation. Data processors will have to ensure that this can be accomplished easily.

In certain cases, personal data will have to be deleted, and these data must be prevented from being passed on.

  • Asking permission

For the processing of personal data, permission of the person in question is required. Under the General Data Protection Regulation, you will have to prove that you have obtained this permission. In addition, withdrawing permission should be just as easy as giving it.

  • Performing ‘privacy impact assessment’

Prior to the processing of data, a risk analysis must be performed in which internal privacy risks are examined. This analysis allows you to take measures to minimize risks as far as possible.

Certain organisations are required to hire a data protection officer. This officer is an independent individual who has to monitor the quality and policy regarding the protection of personal data within the organisation.

If there has been a breach of the security measures of data in your company (for instance, theft of passwords and client data, hacking, or loss of data) the competent data protection supervisor will have to be notified. The notification has to be made as soon as possible and preferably within 72 hours after the leak has been detected. Data leaks not only have to be reported but must also be documented.


The General Data Protection Regulation will enter into force on 25 May 2018 and replace the Dutch Data Protection Act (Wbp). What if companies will not meet the requirements by then? Sanctions, such as severe fines, may be imposed by the data protection supervisors.

What do you have to do?

Probably, your organisation will have to change radically too. Purely administrative changes will usually not be sufficient; your security and IT-systems will have to be in perfect condition too.

Make sure to engage a lawyer who can tell you what has to be done and get started by yesterday. After all, implementing technical changes can take some time. We will gladly help you by letting you know how to organise your business in the context of the General Data Protection Regulation. Please contact us:
