The Strongest Set of Rules for Personal Data Protection

Personal data protection is of utmost importance to Veriff. As the rules and regulations regarding GDPR and data protection keep evolving, we'll keep you up to date with what's happening via a series of blogs. Here's the first, underlining the key points of data protection and how the Netherlands has resolved some data-related challenges.

Krete Paal
July 30, 2020
Blog Post

GDPR can be considered the strongest set of rules for personal data protection. Following various rules and regulations can be quite a task even for the biggest companies. With this responsibility to be compliant, companies should always remind themselves that even though the devil is in the detail, company values and the basics of data protection always provide the guiding light, even during the biggest challenges.

1. Always obtain a valid consent

As consent is one of the legal grounds of data processing, getting all the aspects correct can be tricky. We would like to emphasize two conditions, which may be the turning points in obtaining valid consent.

Firstly, freely given – while providing a service, the data controller has to provide real choices about how to use the service.

For example, in the Netherlands, the processing of a BSN number (citizen service number, a unique registration number which is automatically given to Dutch citizens; other residents need to apply for it) can be complicated, because the state authorities in the Netherlands recommend that citizens cover the BSN number visible on their document.

Veriff's identity verification and fraud detection has been built in a way not to verify end-users who are presenting documents which have been tampered with in any way, or where data on the documents is covered. Therefore, a data controller who has customers from the Netherlands has to be ready to introduce alternative methods of verification in order for the consent to be freely given.

Secondly, consent has to be specific

Consent must cover all the processing steps the data controller has in place. It is important to find the balance between giving information in a precise and easily understandable way, with wording as short as possible, and not burdening the end-user with legal jargon. Also, expressly mention the processing of BSN numbers in your Privacy Policy if end-users are verifying themselves with Dutch documents.

2. Train, Train, Train - preparation is the key

Composing documents and procedure overviews is essential for GDPR compliance, but at the same time they have to work in practice and be easily implemented and understood by all employees. To achieve that, pressure testing and reviewing procedures in real life may be useful for training staff.

3. All Data Subject Access Requests need attention

Data controllers have the obligation to respond to data subject requests regarding their personal data. During the past few months we have seen an increase in requests coming from the Netherlands regarding the processing of their data. Due to the unique situation regarding data protection rules in the Netherlands, it is important to explain that Veriff is a data processor who gets instructions from data controllers and does not decide the extent and methods of data processing. Therefore, all service provider specific processing questions are communicated to our clients as data controllers.

4. Different countries may have different rules regarding what is considered special category data

GDPR Article 9, paragraph 4 states that further conditions, including limitations, may be introduced depending on the Member State.

For example, in the Netherlands, the BSN number is considered a special category of personal data. France, Germany and the UK have also imposed national rules about processing genetic data, biometric data or health data, in specific sectors (for example insurance) or for specific purposes.

5. Keep yourself updated with the latest in the privacy field

French and UK data protection authorities provide a lot of useful resources regarding data protection.

The European Data Protection Board also regularly publishes guidelines for general guidance; the latest guideline about consent was published in May. For daily updates, the International Association of Privacy Professionals (IAPP) publishes a daily dashboard about useful privacy news.

Knowledge is power. Let’s use it to create a secure and trustworthy cyberspace!