General Data Protection Regulation Law In The European Union (AVG)
Loes Knetsch ©
This blog is an excerpt, written with the permission of the Dutch Data Protection Authority in the Netherlands, and serves to inform you about the new AVG law. You can visit the Dutch Data Protection Authority (AVG) to read the complete text.
Control your data
From 25 May 2018, the General Data Protection Regulation (AVG) applies. This means that from that date the same privacy rules apply in all countries of the European Union. Can this have consequences for you? As a business owner or as an individual internet user?
You have rights as an individual
We all share more and more information about ourselves. Sometimes consciously, often unconsciously. The AVG gives you more protection in this digital age. With the arrival of the new rules, you are stronger in protecting your (online) privacy.
New privacy rights
The AVG strengthens your existing privacy rights and gives you 2 new rights. In addition, organizations are given more responsibilities. For example, they must respond within 1 month to requests from people who want to exercise their rights.
Under the AVG, organizations have an obligation to provide information. As a new or existing customer, patient, client, etc., they must therefore clearly inform you about what they do with your personal data. For example via a clear online privacy statement.
Why new rules?
The current rules were drawn up in an era in which the internet was still in its infancy. The new law has been adapted to the digital age. We are increasingly sharing our personal data. Sometimes consciously, often unconsciously. This data is stored somewhere. And then used and sometimes shared and sold. The new privacy law ensures that your data is better protected. Organizations get more obligations and have to explain in clear language which data they use and how they use it. And you will receive more and stronger privacy rights.
What does the new AVG law add to the old law?
The General Data Protection Regulation (AVG) is the new European privacy law that better reflects the digital age in which we live. The law gives you more and stronger rights. And organizations have more responsibility to also handle your personal data carefully during this time. And to inform you about this properly.
What privacy rights do you have under the AVG?
With the introduction of the General Data Protection Regulation (AVG) your existing privacy rights will be strengthened and you will receive 2 new rights. This allows you to exercise more control over what an organization knows about you.
What are your rights under the AVG?
Under the AVG you have the following privacy rights:
- The Right to forgetfulness.
You have the right to be ‘forgotten’ online (NEW).
- The Right to data portability.
You have the right to transfer your personal data (NEW).
- The Right of inspection.
This is the right to view the personal data that organizations process about you.
- The Right to rectification.
This is the right to have the personal data that organizations process about you modified or supplemented.
- The Right to the restriction of processing.
You have the right to ask organizations to limit the use of your personal data.
- The Right to automated decision-making and profiling.
This means that you have the right to have a human look at decisions that are about you.
- The Right of objection.
You have the right to object to data processing. For example in direct marketing.
Organizations are in most cases obliged to fulfill your request for the exercise of your rights within 1 month. And also to let you know within 1 month that this has happened. Unless they are not required by the AVG to comply with your request. But even then they have to let you know within 1 month. In exceptional cases, an organization may respond to your request within 3 months. For example, when a request is very complex. But even then they have to let you know within 1 month that they need more time to execute the request.
What information should organizations give you?
Under the General Data Protection Regulation (AVG), organizations have a strong obligation to provide information. This means that they must clearly inform you about what they do with your personal data. This often happens via an online privacy statement. Such an online statement or another document may not, according to the AVG, be too long and complicated. It must be easy for you to understand what the organization does with your personal data. After all, only then can you determine whether you want to share your personal data with that organization.
Requirements to inform AVG
The AVG sets strict requirements for what must be contained in such a privacy document. Organizations need to let you know:
- What personal data about you they process.
- For what specific purpose they do that.
- Whether they share the information with or resell to other organizations and if so, to which.
Tip when reading privacy statements
- Is a privacy document easy to find?
- Incomplete, or too long and complicated?
Then ask yourself whether you want to share your personal data with that organization. Perhaps there are other organizations that provide the same product or service and are transparent. Do you have no possibility of choosing another organization? Then contact the organization to point out its duty to provide proper information. You can also refer to the information on this website.
How to keep more control over your personal data
Below are a few tips to keep more control over what organizations know about you.
- Make sure apps, games, and websites cannot just access your information; you can already protect a lot of personal data by using the right settings.
- Customize your privacy settings on your phone, such as location data. Be aware that it is a choice to share this information.
- Be aware of your digital footprint. Everything you do on the internet affects the information you receive.
- Make use of your privacy rights. For example, in many cases, you have the right to view data, have it changed or even have it deleted completely.
Can't you come to an agreement with the organization? Then you can submit a complaint to the Dutch Data Protection Authority from 25 May 2018.
- For practical help with adjusting the settings on your telephone and computer, see the website
What are digital tracks?
If you are active on the internet, you leave digital tracks. These tracks consist of websites you visit, emails you send and photos and videos that you share. But who is following this trail, what do they know about you and how can you erase your tracks? Cookies are small text files that are stored on your computer by a website that you have viewed. This makes your computer recognizable when you visit this and other websites that use the same cookies. When you visit websites, your computer, tablet or smartphone keeps an overview of this. This is the browsing history. When the auto-complete function is turned on, data you have entered before is filled in automatically. This is useful if you use a particular website frequently or if you buy something online.
Why do you have to manage your digital tracks?
Cookies are used to track your behavior on the internet. Sometimes you want that too, for example at a web store that keeps your ‘shopping basket’ in a cookie. However, cookies are also used to create personal profiles to show targeted advertisements. By managing and removing cookies, you control which websites can follow your behavior. Your browsing history provides an overview of which sites you have visited. You may not want everyone to see this. For example, if you use a public computer. The same applies, for example, to auto-completion. This STARTPAGE does not use cookies.
What can you do yourself?
You can check all your privacy settings in your browser and on Social Media. What do you accept? And what do you share, and with whom?
Can you change your data?
Yes, that’s possible. You have the right to have incorrect personal details changed. Or to supplement your personal details. This is called the right to rectification. The organization that processes your personal data is responsible for ensuring that this information is correct. That is why the organization must update your data if necessary.
Do you notice that the data an organization uses is incorrect? For example, after you have made a request for access? Or is your data incomplete? Then you can ask the organization to adjust or supplement your data. The organization is obliged to do this. You also have the right to ask to whom the organization has forwarded your incorrect or incomplete data in the past. The organization is obliged to pass on the changes or additions of your data to these other organizations too.
What can you do if you do not agree with an automatic decision?
Some organizations make decisions about people based on automatically processed data. For example, the automatic assessment of an online submitted credit application. Or processing of applications via the internet without human intervention.
But you have the right to have a human look at automatic decisions that are about you and that have consequences for you. For example, that you do not get a loan. Or that you are not invited for a job interview.
You can then invoke article 22 of the General Data Protection Regulation (AVG), the privacy law. This means that the organization must make a new decision in which a person has assessed your data.
Do you want to know if an automatic decision has been made about you? And on the basis of which logic and what personal data that decision has been taken? Then you can make a request for access to the relevant organization.
In addition to the right to inspect your personal data, you also have the right to receive the following information:
- Why the organization processes certain data.
- What kinds of personal data the organization collects.
- If applicable: to which other organizations the data is passed on.
This also applies to the transfer of your data to organizations in other countries or to international organizations.
- How long the organization stores your personal data.
Can the organization not state this precisely? Then the organization must be able to make clear what criteria are used to determine a storage period.
- Which privacy rights you have.
The right to have your personal data changed or supplemented, or to have the data erased, to ask organizations to limit the use of your personal data and to object when organizations process your personal data.
You have the right to file a complaint with the Dutch Data Protection Authority (AVG).
Which impact does this law have on business owners?
Organizations that process personal data are themselves responsible for complying with the rules of the Personal Data Protection Law. The Dutch Data Protection Authority (AP) supervises this. But the interpretation of the law can sometimes be difficult in practice. For this reason, the AP publishes policy rules on certain subjects (previously called guidelines). In these thematic policy rules, the AP sets out the legal standards. For example, there are policy rules on sick employees, camera surveillance and the obligation to report data leaks.
Copying legal identity data
Organizations are increasingly copying the identity card of customers and relations, for example. This phenomenon is also known as ‘copy passport’. The large-scale copying or scanning of identity documents, however, involves privacy risks, such as identity fraud. People can experience financial and social damage for years.
Making a copy of a passport, driving license or identity card is therefore, with a few exceptions, prohibited by law. Companies and organizations in the private sector can, in most cases, suffice with asking customers to show their passport or other identity documents.
The policy rules contain illustrative situations in which proof of identity is required, such as hotels and gyms.
More and smarter cameras
Organizations are increasingly using camera surveillance. The technical possibilities of cameras are also becoming more advanced. There are cameras that are connected to drones and cars and cameras are becoming ‘smarter’. There are cameras that can rotate, zoom in or record sound. Some cameras can not only perceive, but also identify people by face recognition.
Camera surveillance must be necessary. This means that the employer can’t achieve the goal, for example combating fraud, in any other way. Is there no other option that is less intrusive for privacy? The business owner must first check this. The camera surveillance may not stand alone. It must be part of a comprehensive package of measures.
Information duty camera surveillance
The employer must ensure that employees and visitors know that there is a camera. For example, by hanging up signs.
There are new rules incorporated in this law about camera surveillance. Read more about the different situations. (Dutch, but Google can help you)
There is only a data leak if a security incident has occurred. Think, for example, of losing a USB stick, the theft of a laptop or a hacker.
When something of this kind has taken place, you are obliged to report it.
Some data processing requires permission from the individual. The AVG imposes stricter requirements on permission. Therefore, evaluate the way you ask for, receive and register consent. Adjust your method if necessary. What is new is that you must be able to demonstrate that you have received valid consent from people to process their personal data. And that it should be just as easy for people to withdraw their consent.
Source: Dutch Data Protection Authority (AVG).