Personal data protection is of utmost importance to Veriff. As the rules and regulations regarding GDPR and data protection keep evolving, we'll keep you up to date with what's happening via a series of blogs. Here's the first - underlining the key points of data protection and how the Netherlands have resolved some data related challenges.
Krete Paal, July 30th, 2020
ShareLove this blog? Why not share it with the world?
GDPR can be considered as the strongest set of rules for personal data protection. Following various rules and regulations can sometimes be considered quite a task for even the biggest companies. With this responsibility to be compliant, companies should always remind themselves that even though the devil is in the detail, company values and the basics of data protection always provide the guiding light even during the biggest challenges.
As consent is one of the legal grounds of data processing, getting all the aspects correct can be tricky. We would like to emphasize 2 conditions, which may be the turning points of getting a valid consent.
Firstly, freely given – while providing a service, the data controller has to provide real choices how to use the service.
For example, in the Netherlands, the processing of a BSN number (citizen service number, a unique registration number which is automatically given to Dutch citizens, other residents need to apply for it) can be complicated, because the state authorities in the Netherlands recommend to its citizens to cover the BSN number visible on their document.
Veriff's identity verification and fraud detection has been built in a way not to verify end-users who are presenting documents which are in any way tampered, or where data on the documents is covered. Therefore, the data controller, who has customers from the Netherlands, has to be ready to introduce alternative methods of verification in order for the consent to be freely given.
Secondly, consent has to be specific.
Composing documents and procedure overviews are essential for GDPR compliance, but at the same time they have to work in practise and be easily implemented and understood by all employees. In order to do that, pressure testing and reviewing procedures in real life may be useful in order to train staff.
Data controllers have the obligation to respond to data subject requests regarding their personal data. During the past few months we have seen an increase of requests coming from the Netherlands regarding the processing of their data. Due to the unique situation regarding data protection rules in the Netherlands, it is important to explain that Veriff is a data processor who gets instructions from data controllers and does not decide the extent and methods of data processing. Therefore, all service provider specific processing questions are communicated to our clients as data controllers.
GDPR article 9 paragraph 4 states that further conditions, including limitations may be introduced depending on a Member State.
For example, in the Netherlands, the BSN number is considered a special category of personal data. France, Germany and the UK have also imposed national rules about processing genetic data, biometric data or health data, in specific sectors (for example insurance) or for specific purposes.
European Data Protection Board also regularly publishes guidelines for general guidance, the latest guideline about consent was published in May. For daily updates, The International Association of Privacy Professionals (IAPP) publishes a daily dashboard about useful privacy news.
Knowledge is power. Let’s use it to create a secure and trustworthy cyberspace!