The General Data Protection Regulation (GDPR, in Dutch the AVG) has applied since 25 May 2018. Much has already been written about the new European privacy legislation, but in small businesses such as those often active in yacht building, not everything is always in order. Hence this compact overview of the main points to watch out for.
The law concerns the protection of personal data in connection with the (manner of) processing of that data. What is personal data? Any information that can be traced to a natural person: name, address, telephone number, identification number, location data, IP address and email address, but also race, religion or health. Are there ground rules for processing personal data? Simply put, every processing operation needs a lawful basis: it must be necessary for the performance of a contract or for compliance with a legal obligation, or it must rest on consent, as is the case with a newsletter, for example. If you process data about customers, staff or website visitors, that data can be traced to a natural person, and the processing is wholly or partly automated (or the data forms part of a structured filing system), the AVG applies.
Any organization that processes personal data must be able to make clear whose data is being processed, how and for what purpose, with whom the data is shared and how long it is kept. Furthermore, personal data must be properly secured with technical and organizational measures appropriate to the risk, such as access control, encryption and backups. You meet these obligations by: drafting a privacy statement; entering into agreements with processors; and checking your IT systems and organization for data security.
In a privacy statement you make clear which data your company processes, why and for what purpose, how someone can gain access to their data, and how they can complain if something is not right.
A processor agreement is necessary whenever other companies process personal data of your employees or your customers on your behalf. It concerns outsourced activities that you would otherwise carry out yourself; the processor does not use this personal data for its own purposes. Examples: payroll administration, cloud IT services, outsourced invoicing.
With an external privacy statement on your website and a processor agreement, you have come a long way. You can go a step further and keep a register of processing activities. Then you immediately have the picture, when someone requests their data or wants it changed, of with whom the data is shared and which other organizations need to be informed of the change. How do you do that? Map out your data processing, for example in an Excel file: what personal data do you process, for what purpose, on what basis (contract/legislation/consent), with whom do you share it and how long do you store it?

A practical application of such a register is sick leave and health data. Here you may record the phone number and (nursing) address, as long as the illness cannot be inferred from them, the expected duration of the absence, and current appointments and activities. Asking whether the employee falls under one of the safety net provisions of the Sickness Benefits Act (Ziektewet) is permitted after two months of employment; asking which safety net provision the employee falls under is not. It may, however, be recorded whether the illness is related to an accident at work and whether there has been a traffic accident with recourse against a third party. Note: other health data may not be collected or further processed, because it is not necessary for the obligation to continue paying wages or for reintegration. It falls under medical confidentiality, so the company doctor may not provide such data about a temporary worker either.
What data may not be processed?
The nature and cause of the absence, including the names of diseases and specific complaints. It is sufficient to know the functional limitations: what the employee or temporary worker can and cannot do. Personal, subjective observations about someone's mental or physical health, and whether an illness is work-related or, for example, has to do with relationship problems, may not be recorded. Nor may data on therapies or appointments with doctors, physiotherapists or psychologists. Note: even when an employee or temporary worker voluntarily provides information about the nature and cause of the absence, this data may not be recorded. The only exception is when recording it is necessary to protect an interest that is essential to the life of the person concerned.

High fines have been set for non-compliance with the AVG: up to 20 million euros or 4% of global annual turnover, whichever is higher! According to the supervisory authority, the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority), it will not immediately impose a fine where the intention to comply with the AVG is evident, but will first issue a warning.
Would you like to know more about the AVG? The website autoriteitpersoonsgegevens.nl describes everything in detail and also lets you download a 10-step plan.