GDPR, a tough nut to crack? Read these FAQs

The privacy law General Data Protection Regulation (GDPR) sees to it that companies and organisations process personal details with care. For example, you need to have a valid reason for processing personal details. And you are not allowed to collect or use more personal details than necessary. These rules apply to the entire European Union. In the Netherlands, the GDPR is known as the Algemene Verordening Gegevensbescherming (AVG). Read what you must do to comply with the GDPR. 

The European privacy law GDPR applies to all companies and organisations that process personal details of customers, personnel, or other persons from the EU. Nearly all entrepreneurs handle sensitive information, including self-employed professionals (zzp'ers) and small SMEs. The law also applies to schools, care institutions, associations, and foundations. International companies doing business with the EU also have to comply with the GDPR.

Which measures you must take depends on your company's size, acitivities, and services. Even just sending a quotation or newsletter is bound by GDPR rules. Or storing appointments, agreements, and contact details of customers or staff. Details connected with IP addresses and cookies are also subject to the law. Even if you do not know whose details you are dealing with, you have to treat them as privacy sensitive information.  

In the Netherlands, the Dutch Data Protection Authority (DPA) supervises compliance with the GDPR. The Dutch DPA is also authorised to investigate. Read more about the tasks and authorities of the Dutch DPA. 

The Dutch DPA checks whether companies comply with the GDPR. They can fine (in Dutch) organisations that do not comply. The maxium fine is 20 million euros, or 4% of your total turnover. The Dutch DPA has already fined several companies for violating the GDPR. For example, an orthodontist received a fine of 12,000 euros because new patients could sign up on an unprotected website. It meant that sensitive details, such as BSN numbers, could have fallen into the wrong hands. 

Yes. The GDPR allows you to email customers about products or services that are comparable to what they ordered from you previously. If soeone buys a bunk bed, you are not allowed to email them about bicycles. And, a customer must be able to unsubscribe from future mails at any given moment. 

The Dutch DPA (monitor of the GDPR) distinguishes between 3 types of direct marketing (in Dutch): digital direct marketing, telemarketing, and ad posts. Each type has its own set of rules.

Yes.

If someone gives you their business card, you automatically have permission (in Dutch) to use the card for which it is meant: to collect and use contact details. You may assume that the person who gives you the card knows what you will use it for. Unless you spread the contact details around. For example, it is not allowed to collect and register all the business cards given to your employees at a trade show, so that everyone in your organisation can use the details. If you plan to do so, you must tell the person who gives you their card. Do they object to this? Then the person who was given the card can only use it for private purposes. 

No.

You are not allowed to add your LinkedIn contacts to your email list without their permission, for example by exporting them to Excel and uploading them into your email system. Your contact has not given permission (in Dutch) for this.  

You can ask your LinkedIn contacts if they are interested in receiving emails about a certain topic via a public status update or private message. Put a link in that message, so that interested contacts can sign up. 

No.

The aim of the GDPR is that people make a conscious decision (in Dutch) to sign up for a list, not because they forget to de-check a box. You are not allowed to tick a box before you have even asked the user what they want.

Cookies are small files that store internet settings on the computer, telephone, or tablet of the website visitor. There are 3 types of cookies: functional cookies, analytic cookies, and tracking cookies. 

The GDPR only applies to tracking cookies (in Dutch). These cookies track visitors' internet behaviour and allow you to create personal profiles. To comply with the GDPR, you need to request permission to place these cookies. This is often done by using a popup screen with information about the cookies, and the request to click on OK. This permission is only valid if it is given freely, spcifically, in an informed manner, and unequivocally. This means you must meet the following requirements: 

• Visitors of your website must be able to decline cookies. 
• It must be clear what you are asking permission for.
• Visitors have enough information on what happens with their details in they give permission.
• Visitors must give their permission actively, for instance by checking a box. They do not give permission if they do not object. 
• The use of tracking cookies is in your privacy statement. 

The GDPR is an EU regulation. After Brexit, the UK no longer belongs to the European Economic Area (EEA). The EEA consists of the EU member states plus Liechtenstein, Norway, and Iceland.

Brexit does not affect (in Dutch) the transmission of personal details from the EEA to the UK. You may also receive details from the UK. Brexit does not affect that, either. 

A processor (in Dutch) is an external party that you assign to process personal data. For example, a cloud provider where you store personal details. Or a callcenter, that you hire to call people, using your list of phone numbers. Do you have a company with staff and do you hire the services of an administrative office? Then they process personal details as well, and are a processor. 

Yes.

When you use the services of another organisation to process personal details (in Dutch), you must make arrangements with this organisation about protecting personal details, non-disclosure, and the rights of the persons involved. You record these arrangements in a data processing agreement. This party must be able to guarantee you that they meet the GDPR requirements. You can draw up your own data processing agreement, or you can use one provided by the processor. 

The processing register is a registration of the personal details processed in your organisation. Drawing up a processing register is often required by the GDPR. Whether or not you have to have a processing register depends on the size of your organisation and the type of details you process. You are legally required to draw up a processing register if:

• your organisation employs more than 250 persons
• the processing involves a sizeable risk for the persons involved
• you process details on a regular basis, for example customer management
• you process special details, such as health details

Please note: most processing actions are not incidental. Think of processing customer or employee details. In other words, you have to draw up a processing register in many situations. A processing register also helps you meet your duty to demonstrate you meet the GDPR requirements. Should the Dutch DPA ask you for information about the personal details you process in your organisation, it will be easy to meet their request if you have a processing register. Read how to keep a processing register (in Dutch).

Drawing up a privacy statement is easy and free. You can use the free privacy statement generator on Veiliginternetten.nl (in Dutch), for instance. This allows you to make a basic text for your own company. 

Your customers are entitled to information. Make your privacy statement easy to read. Put in it what you do with personal details, what you use them for, why this matters to your customers, and for how long you store personal details. 

According to the GDPR, you must have a privacy statement and inform your customers about it. In principle, you must provide the information about processing personal data in writing.

Privacy statement on your website

The Dutch Data Protection Authority (DAP) recommends an online privacy statement. Make sure your privacy statement is easy to find (in Dutch). On most websites that already have a privacy statement, you can find it via the footer. That is the standard bar at the bottom of a web page. You can also place a link to your privacy statement on web pages that require visitors to enter personal data, such as a contact form.

Other ways

You may also use means other than a webpage to make the content of your privacy policy accessible. Such as showing popups explaining each consent question. Or using clickable icons, a video or a pdf document.

The DAP checks whether you have a privacy statement. You should be able to show them that you inform your customers about what you do with their personal data.

Clear language

Use clear and simple language. This means, among other things: be brief and to the point, avoid technical terms and put yourself in the reader's shoes. Are you addressing children under 16? Then adapt the choice of words, tone and style of the information.

In most cases, the answer is no. 

Many entrepreneurs have to deal with crime at some point. Perhaps you have too, and you now want to share details of possible criminals with others. This is usually not allowed. You can keep a blacklist of potential thieves, fraudsters, or persons causing disturbances, but you are bound by strict privacy rules when you do so. And you are certainly not allowed to simply share (in Dutch) those details with other organisations. 

Sometimes, you need to establish a customer's identity (in Dutch). To prevent fraud, for example. If you want to confirm someone's identity, find the most suitable manner first. 

Do you need a valid proof of ID to check someone is who they say they are? In that case, it is usually enough if the person shows you their ID, such as a driving licence, passport, or identity card. 

You are only allowed to make a full copy or scan (in Dutch) of a person's ID, on which all personal details are visible, if your organisation is required by law to do so. You must provide the following information (in Dutch) to your customer of your own accord:

• The purpose for the copy of the ID.
• The legal basis for processing (art. 6 GDPR).
• If the customer makes the copy themselves: which personal details on the ID are not required for the purpose, so you do not receive more personal details than you need. 
• What the customer can do to shield off non-required personal details, like using the Rijksoverheid 'Kopie ID' app.

It is a question the KVK advisers get a lot: How do I make my company GDPR-proof? Or, what steps do I need to take as an entrepreneur to ensure I comply with the privacy regulation GDPR (AVG in Dutch)? This is not the same for every company. To help you on your way, KVK has drwan up a roadmap. You answer 10 questions, and this tells you what you need to do to comply with the law. Avoid a fine, and get to work with the GDPR.