Since May 25, 2018, the Algemene Verordening Gegevensbescherming (hereinafter: AVG) has applied. The AVG is better known by its English name, the General Data Protection Regulation (hereinafter: GDPR). The AVG is not a new privacy law; it is an "update" of the Data Protection Directive.(1) That Directive(2) was implemented in the Dutch legal system in the Wet bescherming persoonsgegevens (Personal Data Protection Act). When the AVG became applicable, a national implementing act was likewise adopted: the Uitvoeringswet AVG (hereinafter: UAVG). Such national implementation is needed because in a number of places the European legislator has left member states discretion to fill in the rules. An example is the age from which a person exercises their rights under the AVG themselves, rather than through a legal representative. That age limit differs per member state; in the Netherlands it is 16 years.(3)
Scope of AVG
The AVG applies where there is (I) processing of (II) personal data, (III) and that processing does not take place in the course of a purely personal or household activity.
I. Processing
'Processing' covers, in short, every operation performed on personal data, for example consultation, erasure, storage, transmission and copying.(4) As the European Commission's explanation shows, merely posting a photograph of someone on a website already falls within the concept of processing.(5)
II. Personal data
'Personal data' means any information relating to an identified or identifiable natural person (the data subject). Examples include a name, location data, an identification number, or one or more factors specific to the economic or social identity of that person.(6) 'Information' is a broad concept: photographs and videos, for instance, can also contain personal data. The information need not be factually correct to fall within the definition. It must, however, relate to a natural person.(7)
As noted above, personal data can identify a data subject directly or indirectly.(8) 'Identified' means that the information directly reveals the identity of the person.(9) 'Identifiable' means that the person has not yet been identified, but that identification is possible. A person is identifiable if sufficient elements are available by which the person can be singled out, directly or indirectly. Identifiability thus comes in a direct and an indirect form. In the direct form, the information by itself makes it possible to identify the person. In the indirect form, several steps are needed to arrive at the data subject. The AVG states that, in determining identifiability, account must be taken of all means reasonably likely to be used for identification, having regard to objective factors such as the cost and time required and the technology available at the time of processing.(10) Where identification is prohibited by law or practically impossible, for example because it would require a disproportionate effort, the person is not identifiable. Identification does not require that all the information needed be in the hands of one and the same person.(11)
Special categories of personal data
Art. 9 AVG gives a particular group of personal data, the special categories of personal data, specific protection because of their sensitive nature. These are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. They further include genetic data and biometric data processed for the purpose of uniquely identifying a person, data concerning health, and data concerning a person's sex life or sexual orientation.(12)
Processing of this group of data is prohibited unless one of the exceptions in Art. 9(2) AVG applies. One example is the exception for processing that is necessary for reasons of substantial public interest. Processing of special category personal data can therefore still be lawful where, for example, it serves to protect the right to freedom of expression.(13)
III. Household activity exception
The AVG does not apply to the processing of personal data in the course of a purely personal or household activity.(14) Such activities can include the use of social media. The exception must be interpreted strictly:(15) the activity may have no connection with a professional or commercial activity.(16) Processing that consists of publishing personal data on the Internet, so that the data become accessible to an indefinite number of persons, is not covered by the exception.(17) Nor does the exception cover controllers or processors that provide the means for processing personal data for such personal or household activities.(18)
Legal basis required
An organization may only process personal data if there is a legal basis for doing so. The bases are:
Consent of the data subject (Art. 6(1)(a) AVG)
Necessary for the performance of a contract (Art. 6(1)(b) AVG)
Necessary for compliance with a legal obligation (Art. 6(1)(c) AVG)
Necessary to protect the vital interests of the data subject (Art. 6(1)(d) AVG)
Necessary for the performance of a task in the public interest or in the exercise of official authority (Art. 6(1)(e) AVG)
Necessary for the purposes of a legitimate interest (Art. 6(1)(f) AVG)
Rights and obligations
Rights of data subjects
The AVG grants rights to data subjects. The data subject is the natural person whose personal data are processed.(19) The data subject's rights are:
Right of access (Art. 15 AVG): among other things, the right to receive a copy of the personal data being processed;
Right to erasure (Art. 17 AVG): the right to be "forgotten", that is, to have personal data erased;
Right to rectification (Art. 16 AVG): the right to have inaccurate personal data corrected;
Right to data portability (Art. 20 AVG): the right to have personal data transferred to another party;
Right to restriction of processing (Art. 18 AVG): the right to have the processing of personal data limited, so that the data may be stored but not otherwise used;
Right not to be subject to automated individual decision-making, including profiling (Art. 22 AVG): in other words, the right to human intervention in decisions;
Right to object to data processing (Art. 21 AVG);
Right to information (Art. 13 and 14 AVG): the right to clear information about what an organization will do with personal data and why. It must be made clear which personal data are processed, for what purpose, and with which organizations the data are shared or to which they are sold on.(20)
Relationship between controller and processor
The controller is responsible for the processing of data subjects' personal data. It is the organization (or other entity) that determines the purposes and means of the processing.(21) A processor is the organization that processes personal data on behalf of the controller.(22) A well-known example is outsourced payroll administration: the organization places this work with an external company, and the work involves processing personal data. The organization is then the controller and the external company the processor. Two organizations can also be joint controllers;(23) in that case both determine the purposes and means. According to the supervisory authority, this is the case when the external company doing the payroll administration also processes the data it receives for its own purposes.(24) In practice it can be difficult to determine exactly who is the processor and who the controller. This sample list will help.
Duties of controller and processor
Both the controller and the processor have obligations with respect to data subjects' rights. For example, the two parties must conclude a processing agreement with each other.(25)
If the processor and/or the controller fails to comply with the rules of the AVG, data subjects are entitled to compensation for the damage they have suffered as a result of the infringement.(26)
Footnotes
(1) Recital 11 AVG.
(2) Directive 95/46/EC.
(3) Art. 5 UAVG.
(4) Art. 4(2) AVG.
(5) European Commission, "What is data processing?", https://ec.europa.eu/info/law/lawtopic/data-protection/reform/what-constitutes-data-processing_nl
(6) Art. 4(1) AVG.
(7) Kranenborg, Verhey 2019, §5.
(8) Art. 4(1) AVG.
(9) CJEU 19 October 2016, C-582/14.
(10) Recital 26 AVG.
(11) CJEU 29 July 2019, C-40/17, §56.
(12) Recital 51 AVG; Art. 9 AVG.
(13) Art. 9(2)(g) AVG.
(14) Art. 2(2)(c) AVG.
(15) Kranenborg, Verhey 2019, §5.
(16) Kranenborg, Verhey 2019, §5.
(17) CJEU 6 November 2003, C-101/01, para. 47.
(18) Recital 18 AVG.
(19) Art. 4(1) AVG.
(20) https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/algemene-informatie-avg/rechten-van-betrokkenen
(21) Art. 4(7) AVG.
(22) Art. 4(8) AVG.
(23) Art. 26 AVG.
(24) https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-europese-privacywetgeving
(25) Art. 28(3) AVG.
(26) Art. 82 AVG.