Last week, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) started an "ex officio" investigation into compliance with the EU General Data Protection Regulation in the private sector. The AP is verifying compliance with Article 30 (the data registry) in 30 randomly selected large companies (more than 250 employees) in 10 different sectors: industry, water supply, construction, retail, hospitality, travel, communications, finance, business services, and health care across the Netherlands.
The basis for this ex officio investigation is Article 57(1)(a), which gives the supervisory authorities the task of monitoring and enforcing compliance with the GDPR, and Article 58(1)(a), which empowers supervisory authorities to order the controller and the processor, and, where applicable, the controller's or the processor's representative, to provide any information the supervisory authority requires for the performance of its tasks.
Carrying out ex officio investigations is a long-standing tradition at the AP. Each year, the AP sets a list of enforcement priorities, typically by sector or topic, that may or may not be followed by an ex officio investigation of randomly selected organizations in the designated focus sectors. For an investigation to occur, there does not need to be a complaint filed nor any other indication of wrongdoing.
It is worth noting that the AP uses "system supervision" as its primary enforcement strategy. Part of this strategy is to focus on compliance with the GDPR requirements that act as safeguards helping organizations become and stay compliant with the GDPR, especially with regard to the vague requirements in Chapter 2. Most of those safeguards are found in Chapter 4, such as the appointment of a data protection officer, the existence of a data register, the execution of data protection impact assessments, codes of conduct, and certification schemes. In this way, the AP seeks to create ripple effects in the sectors in which it exercises its enforcement powers.
The private sector investigation into compliance with Article 30 of the GDPR comes not even two months after another ex officio investigation into public sector compliance with the requirement to appoint a data protection officer in each public authority or body. The AP compared the list of DPOs notified to the AP with the official list of public sector organizations. The result: of the more than 400 public sector organizations in the Netherlands, 4 percent had not yet appointed a DPO by June 1.
What is interesting in this case is the fact that multiple official lists circulate in the Netherlands as to which organizations qualify as public-sector organizations. The list of public sector organizations compiled under the PSI Directive (2003/98/EC on the reuse of public sector information) appears to be wider than the list used by the AP. The difference seems to be whether a public-sector organization exercises public authority. If so, Article 37(1)(a) requires such an organization to appoint a DPO. By using the more limited list, the AP has indirectly sent a message that the public-sector organizations on the PSI list that do not wield public authority do not need a DPO. This seems to be consistent with the idea behind Article 37(1)(a): exercising public authority creates risks for the rights and freedoms of data subjects with regard to the processing of their personal data, so the appointment of a DPO is required.
In the private sector, where there is no DPO requirement for most organizations, the main driver for GDPR compliance is the data registry (Article 30): knowing what data the organization has and why. In many organizations, it is the first activity to become compliant with the GDPR. Therefore, the AP’s choice to start its enforcement focusing on compliance with Article 30 seems logical.
It is expected that the results of the investigation will be published, probably without mentioning any names of organizations violating the Article 30 requirement, but with percentages or numbers and details of the violations in specific sectors. This should have a ripple effect on other organizations in those sectors, which is also part of the "system supervision" idea.
The Dutch GDPR Execution Act, which governs the power of the AP, allows a fine to be issued in case of noncompliance, but it also allows the AP to issue a so-called "enforcement notice under penalty" in case of an established situation of noncompliance. In the latter case, organizations may be ordered to comply and demonstrate compliance within a set time frame (for instance, within 30 days) with a fixed penalty for each day or week that they fail to comply with such order. As there are no precedents, one can only speculate about which sanction the AP will apply in case any of the investigated organizations are found in breach of Article 30. Under the law, both can be applied at the same time, as a fine is punitive (i.e., punishing past or current behavior), and an enforcement order under penalty is corrective (i.e., forcing change of behavior), although this is rare.
It should also be mentioned that an enforcement order under penalty is not only the more logical sanction for most Chapter 4 violations, since such a violation is unlikely to result in harm to data subjects, but is also procedurally easier. On the other hand, where harm is expected or where noncompliance with Chapter 4 requirements is deemed unfair under Article 5, the maximum fine may double (as a violation of Article 5 falls in the highest category of fines, whereas Chapter 4 violations fall in the lower category). Since we do not know which organizations are under investigation, and we don’t know the state of compliance in those organizations, we have no way of predicting the outcome of this investigation.
What is surprising (or maybe not) is that the AP has started this investigation right at the beginning of the school summer holidays in the Netherlands. Many of the people who know how to deal with the investigation and who are familiar with the Article 30 data registry in their organizations will likely be on holiday. This means that the AP, intentionally or not, is indirectly also testing the maturity and effectiveness of each organization’s GDPR compliance program as required under Article 24 of the GDPR. Thus, the AP is sending a message that GDPR compliance isn’t just about being compliant on paper (aka "window dressing") but requires real and effective compliance policies and procedures in organizations.