On 25 May 2018, the current law ‘Wet bescherming persoonsgegevens’ (Wbp) will cease to exist and will be succeeded by the ‘Algemene Verordening Gegevensbescherming’ (AVG), also known as the ‘General Data Protection Regulation’ (GDPR).
Some topics regarding protection of personal data will change as will the consequences of law infringement. This blog describes in short the legislation, the consequences of breaking the law and also provides some touchpoints to mitigate risks in contracts.
De Wbp is based on European legislation, is enforced since 2001 and is the first legislation to protect personal data in The Netherlands. The new 'Algemene Verordening Gegevensbescherming' is also based on European legislation and is known as the ‘General Data Protection Regulation’ (GDPR).
Data-and privacy law
The new legislation aims at further protecting data and privacy rights of EU citizens and expanding their legal rights. For instance, a specific clause was introduced regarding asking and granting of permissions: for companies more and stricter conditions will apply to obtain people’s permission regarding the processing of personal data. Companies need to prove that permissions are in place or were granted, to access or to process personal data.
Next to this, citizens obtain the right to have their personal data removed from databases. Personal data can be: names, addresses, locations, on-line identification means, information regarding health, income, sexual orientation etc. These rights are based on European legislation and will therefore be equal to all EU citizens. The current and per country different legislations will cease to exist.
Consequences for companies
One of the consequences of the new legislation is that penalties and fines in case of GDPR-law infringements are drastically increased and can reach the level of 20 million euro or 4% of the worldwide turnover of a company. Penalties and fines can, in The Netherlands, be imposed by the ‘Autoriteit Persoonsgegevens’.
Penalties and fines can reach the level of 20 million euro
This means that companies will have to take measures to ensure law compliance and the safeguarding of EU citizens’ rights. Amongst others it is important to know which data is accessible, available, processed and stored next to understanding how data are protected and secured. Main question is whether storage of data is necessary at all.
Which topics need to be addressed contractually?
We all need to comply with the law, so the new and upcoming legislation is applicable to your company as well as to your vendors. It is recommended to draw up an inventory of the vendors / contracts to which the new legislation will be applicable, so, the processors and custodians of personal data that you as a customer provide for.
It is advisable to capture in contracts with your vendors that the new legislation will be in force, will be applicable to the contract(s) in place and how your vendors will need to treat your data (without additional costs to you).
Next to this, contracts should contain a procedure which will kick in, in case of a breach of GDPR-legislation by your vendor as well as a termination right (for cause and at no cost). Lastly, a check is needed and conscious decisions are to be taken regarding the clauses for indemnification and liabilities, which should reflect the risks related to the new legislation.
Conclusion
The new GDPR-legislation, which will be in force on 25 May 2018, will have consequences for companies and these consequences should be listed together with a risk analysis and an action plan. One of the actions is changing or adding clauses to contracts to deal with the new legislation as well as the consequences of infringement.
Checklist IT-contracts
Qando works with a full checklist for contracts ensuring that all relevant areas of contracting are being addressed, negotiated and agreed. We are happy to help to draft an action plan and to implement necessary changes to your contracts.
