On 1 October 2018, the Dutch Data Protection Authority ("DPA") published its policy rules (Dutch only) on the establishment of priorities in complaint investigations. Based on the scores for these criteria, the DPA will decide if a more detailed investigation (which may result in enforcement measures being applied) is required.
Data subjects' right to submit complaints
The General Data Protection Regulation ("GDPR") has introduced greater scope for data subjects to submit complaints on a possible breach of the rules on processing personal data. The DPA has the duty to investigate each complaint to the extent that is appropriate, and to inform the complainant about the progress and result of the investigation.
Criteria for prioritisation
As the DPA has limited resources, it cannot investigate every complaint to the same extent. It has therefore established policy rules which contain a set of criteria for prioritisation:
- Impact on the individual: (relevant factors: how serious is the breach, does it concern sensitive personal data);
- Impact on society: (relevant factors: are large numbers of people affected, how damaging is the breach, is there a cross-border element);
- Effectiveness: effective supervision demands decisive action. To operate effectively, the DPA employs a range of supervisory and enforcement instruments. These instruments include actions such as sending a warning letter, holding a remedial meeting to address a breach of a standard, launching an investigation, and imposing a penalty payment or a fine. The guiding principle is to choose the enforcement instrument that is the least severe and the most effective.
Same criteria apply to enforcement requests
In the policy rules, the DPA states that the criteria for prioritisation also apply to the assessment of enforcement requests from interested parties concerning sectoral legislation.
Do you have any questions about this article? Please contact Eliëtte Vaal.
This blog was written by Eliëtte Vaal.
This article is part of the IT & Privacy Newsletter.
On 1 October 2018, the Dutch Data Protection Authority ("DPA") published its policy rules (Dutch only) on the establishment of priorities in complaint investigations. Based on the scores for these criteria, the DPA will decide if a more detailed investigation (which may result in enforcement measures being applied) is required.
Data subjects' right to submit complaints
The General Data Protection Regulation ("GDPR") has introduced greater scope for data subjects to submit complaints on a possible breach of the rules on processing personal data. The DPA has the duty to investigate each complaint to the extent that is appropriate, and to inform the complainant about the progress and result of the investigation.
Criteria for prioritisation
As the DPA has limited resources, it cannot investigate every complaint to the same extent. It has therefore established policy rules which contain a set of criteria for prioritisation:
- Impact on the individual: (relevant factors: how serious is the breach, does it concern sensitive personal data);
- Impact on society: (relevant factors: are large numbers of people affected, how damaging is the breach, is there a cross-border element);
- Effectiveness: effective supervision demands decisive action. To operate effectively, the DPA employs a range of supervisory and enforcement instruments. These instruments include actions such as sending a warning letter, holding a remedial meeting to address a breach of a standard, launching an investigation, and imposing a penalty payment or a fine. The guiding principle is to choose the enforcement instrument that is the least severe and the most effective.
Same criteria apply to enforcement requests
In the policy rules, the DPA states that the criteria for prioritisation also apply to the assessment of enforcement requests from interested parties concerning sectoral legislation.
Do you have any questions about this article? Please contact Eliëtte Vaal.
This blog was written by Eliëtte Vaal.
This article is part of the IT & Privacy Newsletter.