"It's not allowed by the AVG!": an oft-heard complaint in municipal land. In this blog, I want to explain that with respect to the AVG, more is possible than people often think. And I explain why it is important to think about data protection at an early stage in new policy plans.
This blog was written by Johannes Homan, IBD privacy consultant.
Leading up to May 25, 2018 (remember it??), there was a lot of uncertainty about the AVG. What would change in terms of data protection? The main message during the AVG courses was: The AVG is much stricter than the Wbp and if municipalities do not comply with the AVG, they can be fined up to €20 million, or 4% of annual turnover! This set the tone: Prevention is better than cure. What was allowed before would no longer be possible after May 25, 2018. Had the Department for Work and Income - after months of brooding - come up with a nice plan to approach certain residents for income support, that pesky privacy officer/FG would wring the plan's neck by saying, "It's not allowed by the AVG!
And so the AVG has become a game-changer for many new municipal plans. And the privacy officer/FG to the messenger of this sour news.
We are now over four years since its introduction. So is the AVG really that pesky game-changer? Well, it's not that bad. Not everything is possible, but more can be done than people sometimes think. Therefore, here is a short guide that you can distribute in the municipal organization. In this way, you can make life a little easier for yourself as a privacy officer/FG and not always have to be that messenger of bad news again.
Does the municipality process personal data in carrying out a particular task? If so, first map out what data is used and exactly what happens to it.
Next, look at the law that the municipality implements, such as the Participation Act, or the Environmental Management Act. Often these already contain the necessary rules on how to handle personal data when implementing this law and what is and is not allowed in the process. Do you have too little guidance on how to process personal data when implementing this law. Only then do you look to the AVG.
The AVG says that processing should be for the benefit of human beings (recital 4 of the AVG). This is a positive principle.
However, there are conditions attached to the processing of personal data: ensure a basis and purpose limitation. Can it be done differently? Can it be done with less personal data? Is it clear to all involved what the municipality is doing? In addition, the AVG requires municipalities to account for the processing of personal data. Is the performance of this task in accordance with the privacy policy? Does the processing appear in the register of processing operations? Does this processing require a DPIA?
Municipalities can deviate from the AVG. But they must be able to justify this. Therefore, record deviations with justification!
Finally, but very important: involve the privacy officer/FG in the design phase of municipal plans. If the plans are already almost cast in concrete and chafe with privacy laws, the privacy officer/FG can often only say, 'It's not allowed by the AVG,' rather than, 'It can't be done that way. Shall I help think about how it can be done?' In this way, municipalities immediately comply with another requirement of the AVG: 'privacy by design.'
In short, the AVG is not always that game-changer for good municipal plans. If municipalities consider data protection at the design stage and properly justify their plans, in many cases the privacy officer/FG can say, "It's allowed by the AVG!
