General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. The same privacy legislation applies throughout the European Union (EU) as of that date. The earlier Personal Data Protection Act [Wet bescherming persoonsgegevens] will no longer apply.

The GDPR regulates all that may or may not be done with personal data, and the rights that people have if organisations process their personal data.

Core principles in the protection of personal data are the concepts of privacy by design and privacy by default:

  • Privacy by design implies that right from the start, any actions involving the processing of personal data are done with data protection and privacy in mind.
  • Privacy by default ensures that by default, all technical and organisational measures are taken to process data with the highest privacy protection.

The GDPR stipulates that an organisation may only process personal data provided that it is necessary to do so for a specific purpose and that an organisation may not simply use such data for some other purpose. Anyone whose personal data is processed (the data subject) must be properly informed of this (transparency), amongst other things. Organisations also have a duty to secure personal data properly and to show that they comply with the GDPR (the principle of accountability).

Whenever personal data is used, the relevant person's privacy must be infringed upon as little as possible.

What will those people whose personal data is processed notice about the GDPR?