Lisanne Meijerhof


Lisanne is lawyer for corporate litigation, contracts and charities
+31 20 301 55 55

Reinier Russell

managing partner

Reinier advises national and international companies
+31 20 301 55 55

New privacy law affects us all

Publication date 25 April 2018

The Facebook and Cambridge Analytica data scandal brought privacy into focus once again. At the end of May, the new European privacy law will enter into force. So what do you certainly need to do?

persoonsgegevens - ubo

Privacy is hot. Mark Zuckerberg had to eat humble pie because of Cambridge Analytica that collected personal data of 87 million people via Facebook. The Haga Hospital in The Hague violated privacy by taking insufficient measures to prevent unauthorised employees from browsing in the medical data of a Dutch celebrity. The General Data Protection Regulation will be effective from 25 May 2018, and it will include heavy sanctions for violations. Russell Advocaten organised seminars on the GDPR on 16 and 17 April 2018, thereby updating (potential) clients on the consequences of the GDPR. So what are the implications of the GDPR for you?

General Data Protection Regulation

The GDPR is the European privacy law which is directly applicable in all EU Member States and abroad. The Chinese web store AliBaba has to comply with the GDPR too, as it offers goods in the EU.

The aim of the GDPR is to provide individuals with more control over their personal data. Personal data are all data linking either directly or indirectly to a natural person, such as name, address, DNA, number plate, personal preferences, etc. Company data are not included but the mobile phone number of a contact is.

Each day, individuals share personal data with organisations. This is done either knowingly (for instance, if you order something online or become a member of an association) or unknowingly (for instance by surveillance cameras). The GDPR will apply to that, unless a natural person processes personal data for non-business purposes only. Thus your private birthday calendar will not fall under the GDPR.

Mandatory privacy statement for companies and authorities

The GDPR requires organisations to make transparent in advance which personal data they need, for what purpose and with whom they will be shared, and for how long they will be stored. This can be done by means of a privacy statement on the website of the organisation.

In such a statement, persons have to be informed of the modalities of the processing of personal data – storage, changes, sharing, etc. – so that they will be informed of what happens with their data and, if necessary, can give informed consent to the processing. The processing of personal data is only permitted, if an individual has given explicit consent to do so or it will be necessary for any of the following:

  • implementation of a (future) agreement to which the individual is a party
  • compliance with a legal requirement
  • vital interests of the individual or another natural person
  • performance of a task of general interest or exercise of public authority and/or
  • a reasonable interest of the controller

In addition, specific mention has to be made whether data will be shared with third parties, with whom a processing agreement will have to be concluded. This requirement does not just apply to, for instance, providing addresses to PostNL, so that PostNL can deliver the order at the correct address, but also if you contract a party for payrolling, thus sharing personal data of your employees. In a processing agreement will be specified that these data will not be used for other purposes.

Rights of individuals

Further, the privacy statement has to contain the rights of individuals and the modalities of exercising these rights. This regards the rights

  • of access to data
  • of rectification of data
  • of deletion of data (“right to be forgotten”)
  • of restriction of data processing
  • of transfer of data
  • of objection against processing and
  • of not being subject to automated decisions. This may include that you have to state which systems you use.


The GDPR is a considerable administrative burden for companies and organisations. They will have to analyse which personal data they (need to) have and whether the legal basis is sufficient. If there is no legal basis or requirement, the organisation will have to request the individual’s consent or delete the data.

There won’t be just more administration, but companies will also have to answer for how they use personal data. You can do so by means of a privacy statement in relation to persons who have contact with the organisation, for instance customers and suppliers. As penalties for violations of the GDPR can be extremely high, such a statement needs to be legally sound.

More information

Would you like us to check or draft a privacy statement for you? Or do you have any other questions regarding the GDPR and what you have to do to become “GDPR-proof”? Please contact us:

    We process the personal data above with your permission. You can withdraw your permission at any time. For more information please see our Privacy Statement.

    Related publications

    Is your staff management ready for the GDPR?

    At the end of the week, on 25 May 2018, the General Data Protection Regulation (GDPR) comes into force. This does not just have consequences for your website or online shop but also for your staff management. Is it ready for the GDPR?

    Read more

    Privacy: New European Data Protection Regulation

    In this newsletter Russell Advocaten will inform you, in short, about the most important changes to be expected in the European data protection regulations. More detailed information on this topic can be found in our previous newsletters.

    Read more

    1 January 2025: Dutch Tax Authority will enforce rules on labour relations

    From 1 January 2025, the Dutch Tax and Customs Administration is going to enforce the Deregulation of Assessment of Employment Relationships Act (DBA). How will this affect principals and self-employed workers?

    Read more

    Dutch employment law: 6 clauses that should be included in an employment contract

    Our longstanding partner Diplomat Magazine has interviewed our employment law and diplomatic missions expert Jan Dop on the relevance of Dutch employment law for Embassies and Consulates in the Netherlands.

    Read more

    Statutory minimum hourly wage

    The statutory minimum hourly wage changes every six months. What are the new amounts as of 1 July 2024?

    Read more

    Statutory director: the good, the bad and the other leaver

    On the departure of a statutory director/shareholder, any participation in the company must also be settled. Then a discussion may arise about the value of this participation, depending on whether the director counts as a good leaver or bad leaver. What should companies and directors pay attention to when interpreting a leaver arrangement?

    Read more