The Dutch Data Protection Authority (DPA) has released six recommendations in relation to privacy policies for companies in the Netherlands.

Autoriteit Persoonsgegevens (the Dutch DPA) advises companies who are drafting and using privacy policies to:

Review their data processing procedures and determine if they are legally obligated to implement a privacy policy. Speak with privacy specialists, including the company’s data protection officers and 3rd party experts, when designing and implementing privacy policies. Keep all of the information about the draft privacy policy is stored together in a single document to stop ‘fragmentation’ of information, and therefore possible gaps in the policy. Create specific and robust privacy policies which are in line with the basic principles of GDPR. Make sure that data subjects are conscious of your group’s privacy policy. GDPR does not outright require bodies to do this, but the Dutch DPA recommends companies to share their privacy policies internally so that there is increased awareness of how the organisation manages data. Create and put in place privacy policies even if GDPR does not require them, as this will indicate that the company is making every attempt to secure protecting personal private data.

These recommendations arise from DPA’s reviews into existing privacy policies of firms working in the Netherlands. The DPA investigates firmss that process sensitive personal data, including health data and data related to individuals’ political beliefs. Alongside the guidelines, the Dutch DPA released a report (in Dutch) summarising the investigation’s outcomes.

As part of the review, the Dutch DPA looked at the privacy policies of blood banks, IVF clinics and local political parties. They concentrated on three necessary components of privacy policy:

A description of the sort and varieties of personal data that is being dealt with. A description of the targets of the managing of the private data. Specific details regarding data subjects’ rights.

The Dutch DPA’s investigation found that the privacy policies’ descriptions of the types of personal data processed and processing aims were typically inadequate or incomplete. This lead to the Dutch DPA to establish the six recommendations above that it believes companies should take into account when creating privacy policies.

This comes soon after the annual report of the Dutch DPA showed that “at least 94% of people are worried about the security of their personal data. People are mainly worried about fraudulent use of their identity documents, reviewing of their online search behaviour and Wi-Fi tracking. In regard to these situations, people tend to feel that they don’t have

complete control over their personal data.”

Chair of the Dutch DPA, Aleid Wolfsen commented: “What it’s ultimately about is people having greater control over their personal data.”