On August 12, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced its intent to approve Nederland ICT’s Data Pro Code (the “Code”), a code of conduct for the ICT sector. Nederland ICT represents data processors from the IT sector. Data processors that process personal data on behalf of and for a data controller can join this code of conduct. The draft decision of the Dutch DPA regarding the Code was published in the Official Journal of the Netherlands (the “Staatscourant”) on August 12 and interested parties have six weeks to submit their opinion on the draft decision.
The Code elaborates on the obligations that apply to data processors under Article 28 of the EU General Data Protection Regulation (“GDPR”). It applies to processing activities taking place in the Netherlands and contains practical guidance to help companies comply with the GDPR. In particular, the Code provides guidance on (1) how to inform affiliated parties’ clients on the security measures implemented to protect personal data (including, inter alia, the measures listed under Article 32 of the GDPR); (2) the content of data processing agreements; (3) the processes and procedures implemented to respond to data subject rights requests; (4) the processes and procedures implemented to handle/inform the data controller about data breaches; and (5) the processes implemented to review, evaluate and adjust (where necessary) the security measures implemented and existing data protection policy(ies). The Code also includes two annexes containing a template data processing agreement and a list of key principles to take into account when drafting privacy policies.
The Dutch DPA’s approval of the Code is conditional upon the creation and accreditation of a supervisory body, the Data Pro Supervisor. The Data Pro Supervisor would be responsible for verifying compliance with the Code, assessing whether affiliated parties are eligible to apply to the Code, and handling complaints related to breaches of the Code.
The Dutch DPA’s decision is currently in draft form and interested parties can submit their opinion regarding the draft decision within six weeks, starting August 12.