Earlier, we announced the publication of a series on our website in which different topics of the General Data Protection Regulation (‘GDPR’) will be discussed on a regular basis.
To give a better understanding of the entry into force and the application of the GDPR in the Netherlands, we commence this series by answering the following questions:
- When will the GDPR enter into force?
- Does the GDPR have direct effect in the Netherlands?
- What does this mean in practice?
When will the GDPR enter into force?
On the 4th of May 2016, the official text of the GDPR was published in the Official Journal of the European Union. This means that the GDPR entered into force on the 24th of May 2016, namely twenty days after its publication.
However, the GDPR will become permanently applicable from the 25th of May 2018, which is two years after its entry into force. Until then, organizations have time to bring their business operations into compliance with the GDPR.
Will the GDPR be directly applicable in the Netherlands?
The European Union is able to adopt various legislative acts, including directives and regulations. After the adoption of a directive, all member states must first convert it into national law (implement it). The rules laid down in the directive will only be applicable in the member state concerned from the moment of implementation. In concrete terms, this means that an individual or organization cannot directly invoke a provision of a directive before a national court.
Regulations, on the other hand, are directly applicable. More specifically, this means that the GDPR, unlike its predecessor, the current Privacy Directive (95/46/EC), does not need to be implemented into Dutch legislation to be directly invoked. On the 25th of May 2018, the GDPR will replace the current national data protection legislation (the Dutch Data Protection Act) without prior implementation.
What does this mean in practice?
Although the 25th of May 2018 might seem far away, we recommend that organizations identify all business operations relating to the processing of personal data as soon as possible and clarify all modifications that should be made in light of the GDPR. After all, our experience has shown that this is a time-consuming process. Moreover, many organizations operate with multiple systems, all of which process personal data. If your business operations do not comply (in time) with the rules laid down in the GDPR, the Data Protection Authority may impose heavy fines (more details on this topic will follow).