The GDPR three months later: assessment, complaints and a big fine

Slowly, the flood of e-mails announcing revised privacy policies and asking permission for these emails to continue is subsiding in everybody’s mailboxes. Most organisations put their privacy policies in order in advance of the introduction of the General Data Protection Regulation (‘GDPR’) on 25 May 2018 and have taken the steps necessary to ensure that their personal data processing is ‘GDPR-proof’.

In mid-July 2018, the Dutch Data Protection authority (‘Dutch DPA’) announced that it would start an exploratory survey into the compliance of large organisations with the European rules on privacy. The DAP will conduct a random survey among large private-sector organisations for that purpose in order to find out whether they keep the requisite data-processing register up to date. If they do and if the register contains the correct information, the DAP will see that as an important first step of the relevant business which shows that it takes the rules on privacy seriously.

At the end of June 2018, the DAP further announced that it had received over 600 complaints since 25 May 2018. 400 of them have been analysed. It was found that one third of the complains involved issues over the deletion of personal data. A substantial number of other complaints were made over denials of access to personal data and undesirable disclosures of personal data to third parties. Our advice therefore remains to adopt internal procedures to ensure that such privacy requests are handled quickly.

The DPA has in the meantime collected its first fine, EUR 48,000, from an asset manager who refused to grant full access to a client’s personal details.

In sum, the DAP has its hands full and, despite continuing reports of understaffing, seems to have taken the first steps towards enforcing the rules on privacy. By now, most businesses have completed the bulk of work that preceded the introduction of the GDPR. The spasms that seemed to affect everybody in late May have, fortunately, somewhat ebbed away. It goes without saying that this does not eliminate the need for every company to have privacy as an area of constant attention. That awareness at least has dawned on everybody in the run-up to the introduction of GDPR.

For more information or advice on this subject please contact Michiel van Haelst or Lise van den Heuvel.