On April 17, 2019, the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (the “Dutch DPA”) issued six recommendations (in Dutch) for companies, to be taken into account when drafting privacy policies for the purpose of Article 24.2 of the EU General Data Protection Regulation (the “GDPR”). Article 24.2 of the GDPR provides the obligation for data controllers to implement privacy policies for accountability purposes, under certain criteria. The published recommendations follow the Dutch DPA’s investigation of companies’ privacy policies. The investigation focused on companies that process sensitive personal data, including health data and data related to individuals’ political beliefs. Alongside the recommendations, the Dutch DPA released a report (in Dutch) summarizing the investigation’s results.
The Dutch DPA’s Investigation
According to the Dutch DPA, companies should:
- use internal and/or external expertise (in this respect, the Dutch DPA states that companies’ data protection officers can play a role in implementing privacy policies);
- draft specific and concrete privacy policies (a data protection policy should be a concrete reflection of the principles of the GDPR as simply reiterating the principles of the GDPR is not sufficient);
- raise awareness (although this is not a requirement under the GDPR, the Dutch DPA recommends publishing privacy policies to ensure that data subjects are aware about how companies handle their personal data); and