Six Recommendations on Privacy Policies Released by Dutch DPA Following Investigation

Autoriteit Persoonsgegevens, the Dutch Data Protection Authority (DPA), has published six recommendations for companies operating in the Netherlands. The agency says that these guidelines should be considered when drafting privacy policies.

The Dutch DPA recommends the following procedures when drafting privacy policies:

  1. Review whether they are legally required to implement a privacy policy, based on the data processing they are carrying out.
  2. Collaborate with all available internal and/or external specialists, particularly data protection officers, so they can assist in implementing privacy policies.
  3. Ensure that the draft privacy policy is held in a single document to prevent fragmentation of information about data processing.
  4. Establish specific and solid privacy policies. This means that a data protection policy should be a reflection of the basic principles of the GDPR rather than just restating the principles of the GDPR.
  5. Increase internal awareness of the privacy policy among data subjects. This is not obligatory under GDPR; however, the Dutch DPA advises sharing privacy policies internally so that data subjects are aware of how companies handle their personal data.
  6. Put a privacy policy in place even if it is not required under GDPR, as this will show that the company is making every effort to protect personal data.

These recommendations were put together following the DPA’s investigation of companies’ existing privacy policies. The investigation centred on companies that process sensitive personal data, including health data and data related to individuals’ political beliefs. Alongside the recommendations, the Dutch DPA released a report (in Dutch) summarizing the investigation’s results.

During the investigation into privacy policies, the Dutch DPA reviewed the privacy policies of blood banks, IVF clinics and local political parties and focused on three mandatory components of a privacy policy:

  • A description of the range and types of personal data that is being processed.
  • A description of the aims of the processing of private data.
  • Details about data subjects’ rights.

Upon completion of the investigation, the Dutch DPA found that the privacy policies’ descriptions of the types of personal data processed and processing aims were usually inadequate or incomplete. Due to this outcome, the Dutch DPA put together the six recommendations that it believes companies should take into account when drafting privacy policies.

This comes not long after the annual report of the Dutch DPA revealed that “at least 94% of people are worried about the protection of their personal data. People are primarily concerned about fraudulent use of their identity documents, monitoring of their online search behaviour and Wi-Fi tracking. In regard to these situations people tend to feel that they don’t have complete control over their personal data.” You can read the full report here. Chair of the Dutch DPA, Aleid Wolfsen, said: “What it’s ultimately about is people having greater control over their personal data.”