On April 17, 2019, the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (the “Dutch DPA”) issued six recommendations (in Dutch) for companies, to be taken into account when drafting privacy policies for the purpose of Article 24.2 of the EU General Data Protection Regulation (the “GDPR”). Article 24.2 of the GDPR provides the obligation for data controllers to implement privacy policies for accountability purposes, under certain criteria. The published recommendations follow the Dutch DPA’s investigation of companies’ privacy policies. The investigation focused on companies that process sensitive personal data, including health data and data related to individuals’ political beliefs. Alongside the recommendations, the Dutch DPA released a report (in Dutch) summarizing the investigation’s results.

The Dutch DPA’s Investigation

As part of its investigation, the Dutch DPA reviewed the privacy policies of blood banks, IVF clinics and local political parties. The investigation focused on three mandatory components of a privacy policy: (1) a description of the types of personal data processed, (2) a description of the purposes of the processing and (3) information about data subjects’ rights. After reviewing, the Dutch DPA found that the privacy policies’ descriptions of the types of personal data processed and processing purposes were often insufficient or incomplete. As a result, the Dutch DPA formulated its six recommendations that companies should take into account when drafting privacy policies.

Recommendations

According to the Dutch DPA, companies should:

  • assess whether they are under an obligation to implement a privacy policy, based on their processing activities (according to Article 24 of the GDPR, such assessment must be made taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons);
  • use internal and/or external expertise (in this respect, the Dutch DPA states that companies’ data protection officers can play a role in implementing privacy policies);
  • draft their privacy policy in one document to avoid fragmentation of information about data processing;
  • draft specific and concrete privacy policies (a data protection policy should be a concrete reflection of the principles of the GDPR as simply reiterating the principles of the GDPR is not sufficient);
  • raise awareness (although this is not a requirement under the GDPR, the Dutch DPA recommends publishing privacy policies to ensure that data subjects are aware about how companies handle their personal data); and
  • consider implementing a privacy policy even if it is not required, to demonstrate the organization’s willingness in protecting individuals’ personal data.