The Personal Data Authority is going to investigate!

Last week, the Personal Data Authority (AP) launched an exploratory investigation to find out whether large organizations within the Netherlands are complying with the new European privacy rules. The AP is investigating 30 Dutch organizations from 10 private sectors through a random sample. In addition to doing a random sample, the AP may also decide to investigate if there has been a complaint about an organization.

Date: July 26, 2018

Modified November 14, 2023

Written by: Valerie Lipman

Reading time: +/- 2 minutes

Last week, the Personal Data Authority (AP) launched an exploratory investigation to find out whether large organizations within the Netherlands are complying with the new European privacy rules.

Using a random sample, the AP investigates 30 Dutch organizations from 10 private sectors, including: industry and metal, waterworks, construction, trade, hospitality, travel, communications, financial services, business services and healthcare. In addition to doing a random sample, the AP may also decide to investigate if there has been a complaint about an organization. Since May 25, 2018 (effective date of the AVG), the AP has already received over 600 complaints! During an investigation, one of the things the AP looks at is whether the organization under investigation has a register of processing activities and whether this register contains the correct information.

A register of processing activities, what is it?

A register of processing activities is an important first step in complying with the new European privacy legislation. The register of processing activities contains information about the personal data an organization processes and the purpose for which it processes the personal data.

In principle, for all organizations, establishing a register of processing activities is an obligation under the AVG. Only in very exceptional cases may an organization not have to keep a processing register. For example, does your organization process personal data of customers, suppliers and/or employees? Then the obligation to draw up a register of processing activities applies. So this obligation applies to the multinational company as well as the baker on the corner and everything in between.

All organizations required to prepare a register of processing activities must be able to provide the register to the AP when it requests it. Can your organization comply with this obligation? Or are you unsure whether your organization should prepare a register of processing activities or how to do so?

We would like to help you ensure that your organization is completely "privacy"-proof. Could you use some help with that? Please contact (one of) our privacy specialists: Valerie Lipman or Annemarie van Woudenberg. We would be happy to assist you.

You can read the Authority's news release here.


Stay Focused

As attorneys for business owners , we understand the importance of staying ahead. Together with us, you will have all the opportunities and risks in sight. Feel free to contact us and get personalized information about our services.