Dutch DPA Publishes Six Recommendations for GDPR Privacy Policies

The Dutch Data Protection Authority (DPA) has published guidelines including six recommendations regarding privacy policies for companies operating in the Netherlands.

Autoriteit Persoonsgegevens (the Dutch DPA) recommends companies who are drafting and implementing privacy policies to:

1. Assess their data processing procedures and determine if they are legally required to implement a privacy policy.
2. Collaborate with privacy specialists, including the company’s data protection officers and external experts, when designing and implementing privacy policies.
3. Keep all of the information relating to the draft privacy policy is stored together in a single document to prevent ‘fragmentation’ of information, and therefore potential gaps in the policy.
4. Establish specific and robust privacy policies which reflect the basic principles of GDPR.
5. Ensure that data subjects are aware of your organisation’s privacy policy. GDPR does not explicitly require companies to do this, but the Dutch DPA recommends companies to share their privacy policies internally so that there is greater awareness of how the organisation handles data.
6. Implement privacy policies even if GDPR does not require them, as this will show that the company is making every effort to secure protecting personal private data.

These recommendations result from DPA’s investigations into existing privacy policies of companies operating in the Netherlands. The DPA investigates companies that process sensitive personal data, including health data and data related to individuals’ political beliefs. Alongside the recommendations, the Dutch DPA released a report (in Dutch) summarising the investigation’s results.

The Dutch DPA included the privacy policies of blood banks, IVF clinics and local political parties in their investigation. They focused on three necessary components of privacy policy:

1. A description of the range and types of personal data that is being processed.
2. A description of the aims of the processing of private data.
3. Details about data subjects’ rights.

The Dutch DPA’s investigation concluded that the privacy policies’ descriptions of the types of personal data processed and processing aims were usually inadequate or incomplete. This prompted the Dutch DPA to create the six recommendations above that it believes companies should take into account when drafting privacy policies.

This comes not long after the annual report of the Dutch DPA revealed that “at least 94% of people are worried about the protection of their personal data. People are primarily concerned about fraudulent use of their identity documents, monitoring of their online search behaviour and Wi-Fi tracking. In regard to these situations, people tend to feel that they don’t have
complete control over their personal data.”

Chair of the Dutch DPA, Aleid Wolfsen said: “What it’s ultimately about is people having greater control over their personal data.”