Countdown to 25 May 2018

Just a few more weeks to go before the General Data Protection Regulation (“GDPR”) will enter into force on 25 May 2018.

One of the biggest changes compared to the Dutch Personal Data Protection Act is that the obligation to notify automatic processing of personal data will lapse. This obligation meant that before processing data, an organisation had to notify the Personal Data Protection Authority. This is replaced by an obligation to document. Organisations will have to demonstrate with documents that their data processing complies with the requirements set out in the GDPR.

Until now the salary and personnel administration have been exempted from the obligation to notify under the Exemption Decree of the Dutch Personal Data Protection Act. With the lapse of the obligation to notify, as of 25 May 2018 employers must also be able to demonstrate that these data are being processed in accordance with the GDPR. This means, inter alia, that employers must inform employees at the start of their employment about, among other things, their privacy rights, the legal ground for the data processing, the retention period for the data and the parties with whom the personal data are shared. Moreover, procedures must be in place for the exercise of those privacy rights by employees, for example the right of access to and a copy of the personnel file and the right to rectification.

With just under a month to go it is therefore high time to make sure that your personnel and salary administration are GDPR-proof. If you need advice, please do not hesitate to contact us!