Draft Dutch GDPR Code of Conduct for Data Processors Contains Helpful Insights for Data Processor GDPR Compliance

August 13, 2019Alerts

Nederland ICT, an industry organization representing the IT sector and many data processors, submitted a Code of Conduct for approval by the Dutch Data Protection Authority, Autoreitpersoonsgegevens. It is open for comment for the next 6 weeks.

Once a data processor is certified under the code and has become registered in the Data Pro Register, it also acquires a right to use the Data Pro Certificate to demonstrate that it is complying with the provisions of the Data Pro Code.

Though applicable only to processing in the Netherlands, the code has useful takeaways for processors subject to the General Data Protection Regulation (GDPR). It is interesting, however, to note that even though the code is meant to help with the compliance of small and medium enterprises, it contains many requirements for specific processes and documentation.

Structure of Code

The code contains:

  • a requirement for a "Data Pro Statement" where the data processor sets forth how it protects personal data, including the technical and organizational measures used and which third party sub-processors are hired and why.
  • a standard data processing agreement (available to Nederland ICT members or otherwise for purchase); and
  • compliance requirements for the certifying data processor.

The code and the data processors certification will be assessed by the Data Pro Supervisor, a supervisory authority that has not yet been established.

Key Universally Applicable Takeaways for Data Processors

Mapping and documented privacy policy

  • Map your data processing.
  • Have a documented policy for data protection, including incident response (data breach).
  • Have a process for assessing your compliance regularly and periodically (but at least every 12 months).
  • Implement the recommended improvement measures after an audit to the extent that may reasonably be expected.
  • Document the adjustments resulting from the procedure followed in the data protection policy.

Data minimization, privacy by design

  • Have measures in place to prevent processing of unnecessary personal data in the use of the service or product.
  • Ensure that the personal data obtained from a client are only being processed for the provision of services to that client.
  • Appoint a contact person for data protection who has (or obtains through training) knowledge of the data that processor has.
  • Assess your sub-processors to ensure that they can provide sufficient protection for the data.
  • Have in place a contract administration system (to allow compliance with the requirement for records of processing).

Storage and deletion

  • Store personal data of each client separately from that of other clients.
  • Require your employees to observe confidentiality with regard to clients' personal data.
  • Return the data to the client after the end of the agreement with the client in a machine-readable format, if this has been agreed.
  • Delete (or render inaccessible) client information after up to three months after termination of the agreement.

Adequate measures

  • Use an industry-recognized Information Security Management System (ISMS), technical security standard or checklist (which includes data breach notification/response procedures).
  • Based on the ISMS, assess the adequate information security measures you need in accordance with the processing risks associated with the service or product, in particular with respect to possible consequences of destruction, loss, alteration or unauthorized access to personal data within or through the service or product.
  • Implement adequate measures to protect the data.
  • Set out your key information security measures, for example, in a standard exhibit.
  • Have a data breach response/notification procedure.

When assessing an appropriate level of security for its service or product, the Commission shall take account of the following factors the data processor takes into account:

  • The state of the art;
  • The execution costs;
  • The different risks for the rights in terms of probability and severity, and freedoms of individual data subjects;
  • The market in which he operates;
  • The number of data elements per data subject and the expected nature of the data to be transferred (special category or not)
  • The expected number of data subjects to be processed ((fewer or more than 100,000 data subjects);
  • The intended use of its services by a client (e.g. is the provision of services crucial/not crucial in the operation of the client).

Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at [email protected] or 215.444.7313.