Announcement by Dutch DPA

The Dutch Data Protection Authority (Dutch DPA) announced on 21 August 2018 that it has audited 91 hospitals and 33 health care insurers regarding the obligation of these organizations to appoint a data protection officer. This ‘new’ requirement follows from the General Data Protection Regulation (2016/679) (GDPR), which came into force on 25 May 2018.

Background on appointment of data protection officers

The appointment of a data protection officer is, among other things, required for organizations that collect special categories of data as a core activity. One of these special categories is data revealing genetic and biometric information or data concerning health. Collecting such data is a core activity of hospitals and health care insurers, as this is inherent to their services. Consequently, these organizations are required to appoint a data protection officer under the GDPR.

Findings of Dutch DPA

The Dutch DPA discovered that two hospitals neglected to satisfy their notification requirements as to the appointment of their data protection officers. The Dutch DPA has given these two hospitals a four-week grace period to appoint a data protection officer and end their GDPR infringement. This grace period seems to indicate that the Dutch DPA did not in this case immediately impose a fine or an order subject to a penalty in spite of these GDPR infringements.

Another point of focus during this audit was whether hospitals and health care insurers had published the contact details of their data protection officer on their website. Almost 25 percent of the audited organizations had neglected this step.

To be GDPR compliant, these organizations are required to implement these measures.

More audits to come?

This audit of hospitals and health care insurers provides some insight on how the Dutch DPA will approach audits and GDPR enforcement moving forward.

The Dutch DPA made clear that it will continue performing audits on a random basis to check whether companies and organizations are in compliance with the GDPR. Such checks may include the following (to name a few):

  • whether the contact details of the data protection officer are published on the website
  • whether a notification of the appointment of the data protection officer was made to the Dutch DPA
  • whether records of processing activities are maintained (a data controller is required under the GDPR to maintain a record of processing activities that take place under its responsibility)

The Dutch DPA has also previously audited governmental organizations for the appointment of data protection officers and large private organizations for keeping records of processing activities. In our view, more unanticipated audits from the Dutch DPA should be expected shortly.