Dutch DPA Issues Privacy Policy Recommendations Following Review of Organizations Processing Special Data
The Dutch DPA has recently released a set of six recommendations (in Dutch) for an organization’s privacy policy following its review of the data protection policies of a group of organizations processing special data concerning health and political preferences.
The organizations subject to the review were blood banks, IVF clinics and political parties in three municipalities with more than 100,000 people. The review was initially announced in December 2018 following the request to the organizations.
The Dutch DPA checked the privacy policy of the organizations for the following required elements:
– A description of the categories of personal data
– A description of the purposes of data processing
– A description of the rights of data subjects
When the DPA started the inquiry, its announcement said that it must be clear which categories of personal information are being processed, for what purpose the processing is happening, how the data is protected, and which rights are offered to individuals as well as how to exercise those rights.
Since the organizations were processing special data, the DPA expected them to communicate their policies transparently and show the data that they process. However, it found that the required components (listed above) were often inadequate at the health care institutions that it examined.
The six recommendations provided by the Dutch DPA in the announcement were:
– Assess whether an organization is required to have a policy.
– Develop the policy using internal and/or external expertise including the data protection officer.
– Maintain the policy in one document.
– Be concrete and specific rather than repeating the standards from GDPR.
– Publish the policy but be careful when making public information about security.
– Even if a privacy policy is not required, it is still advisable.
The inquiry into the privacy policies is the latest investigation of industry practices by the Dutch DPA. The DPA has previously conducted inquiries into whether certain organizations had identified a data protection officer and whether large private organizations were maintaining a register of processing activities.