Skip to main content

View more from News & Articles or Primerus Weekly

By Roos Inklaar
Russell Advocaten, B.V.
Amsterdam, Netherlands

Does your company collect or process personal data? For example, do you register customer information? Or do you store your personal address and telephone numbers? Then you must comply with the new European privacy rules!

General Data Protection Regulation

The General Data Protection Regulation (AVG) will be applicable soon. This European Privacy Policy protects the citizens' privacy in the EU and raises many kinds of obligations for many companies and agencies.

For whom?

Many believe that privacy rules apply only to major data processing companies, such as Facebook and Google. Nothing could be further from the truth. The new privacy rules apply to all companies and institutions inside and outside the EU who own or process personal data of EU citizens. Most likely, your organization must also comply with its obligations.

Note: For medium and small businesses, milder rules and exceptions to the obligations often apply.

Processing of Personal Data

Personal data is data that directly or relegates a person to that person. These include names, addresses, telephone numbers and data relating to one's religion or health.

The processing of personal data means all actions that can be performed with personal data. For example, collecting, registering, storing, updating, consulting and deleting data.

What's Changing?

The main rights and obligations introduced by the AVG are as follows:

  • Right of transferability of data

Individuals should be able to access their personal information, if any, and may pass this information to another organization. Data Processors should ensure that this is easily possible.

  • Right to be forgotten

In some cases, personal data must be removed and should be prevented from spreading that data.

  • Questions of permission

The processing of personal data requires the consent of the person concerned. Under the AVG, you must be able to prove that you received this permission. In addition, withdrawal of permission must be made as easy as giving permission.

  • Carry out 'privacy impact assessment'

Prior to data processing, a risk analysis must be made, which identifies internal privacy risks. This analysis allows you to take measures to minimize the risks.

  • Appoint employee data protection officer

For some organizations, it is mandatory for a staff member to designate data protection. The Officer is an independent person who oversees the quality of the policy on the protection of personal data within the organization.

  • Notifiable data sheets

If there is an infringement of data security measures imposed by your organization (for example, by theft of passwords and customer data, hacking or data loss), this should be reported to the privacy supervisor. The notification must be done as soon as possible and preferably within 72 hours after leak detection. Datalekken should not only be reported, but also documented.


The General Data Protection Regulation will take place on May 25, 2018 instead of the Personal Data Protection Act (Wbp) . Do companies still not comply with the rules? Then they can be imposed penalties, such as high fines , from private oversight officers.

What do you have to do?

Most likely, your organization is also on the run. Pure administrative adjustments will usually not be enough; Your security systems and IT systems must also be in order.

In any case, please turn on a lawyer who can tell you what's happening like that, and start off yesterday. Implementing technical changes can take long. We are happy to assist you by telling you how to set up your business under the General Data Protection Regulation.  Please contact us.