European privacy legislation General Data Protection Regulation (GDPR)
As from 25 May 2018, the Personal Data Protection Act will be replaced by the General Data Protection Regulation (GDPR). It means that as from that date the same privacy legislation will apply throughout the European Union (EU). The Dutch Data Protection Authority (DPA) monitors compliance with the GDPR.
Why this new Privacy Act
The new regulations aim to give the lawful owner control over his own personal data. This implies that the lawful owner knows what happens to his personal data and must be able to have access to his data. Upon request of the lawful owner, the personal data are to be removed (taking the statutory retention period of insurance data into account).
Who must comply with the GDPR
All businesses processing privacy-sensitive personal data must comply with the regulations of the GDPR. Personal data are data which can be traced back to a natural person, for instance: name, address details and date of birth, but also information about the work disability of an insured person.
Accountability of Anker Crew Insurance
Anker processes personal data of its policyholders and their crew. This is done in accordance with the insurance contract which has been effected between Anker and its policyholders. On the basis of the insurance contract we are also allowed to process all the personal data necessary for the performance of the insurance contract(s).
The accountability implies that as insurer we must be able to demonstrate that processing by Anker complies with the regulations of the GDPR. For instance, we must demonstrate that data processing complies with the most important principles of processing, such as:
- purpose limitation;
And we must also show that the correct technical and organizational measures have been taken to protect the personal data.
As soon as we pass personal data on to external parties which will process the personal data for us, we are obliged by the GDPR to make agreements with those parties about the protection of these personal data. All this will be laid down in a personal data processor agreement.
An insurer and policyholder do not need to enter into a personal data processor agreement because it does not concern contracting out work, but work which is performed on the basis of an insurance contract.
Information about the GDPR
A comprehensive explanation about the consequences of the new legislation is to be found on the website of the Dutch Data Protection Authority (DPA).
Any further questions?
If you have any questions about the General Data Protection Regulation, the processing of your personal data by Anker or if you require further clarification, please do not hesitate to contact Erik Weisfelt, the Data Protection Officer, telephone number +31 50 520 99 73 or send an email to firstname.lastname@example.org.