August 11, 2022

Volume XII, Number 223


August 10, 2022

Subscribe to Latest Legal News and Analysis

August 09, 2022

Subscribe to Latest Legal News and Analysis

August 08, 2022

Subscribe to Latest Legal News and Analysis

Dutch Data Protection Authority approves Code of Conduct for Data Processors in the ICT Sector

On August 27, 2020 the Dutch Data Protection Authority (Dutch DPA) announced that it approved the first ‘code of conduct’ in the Netherlands, the Data Pro Code. The Data Pro Code was drafted by NL Digital, the Dutch industry association for organizations in the ICT sector in the Netherlands.

What is a ‘Code of Conduct’?

Under the EU General Data Protection Regulation (GDPR), organizations must implement ‘appropriate measures’ on an organizational, technical, and legal level and be able to demonstrate their compliance with the GDPR. In order to help companies from particular sectors with this obligation, GDPR allows associations and other bodies representing categories of controllers or processors to prepare codes of conduct that specify what data controllers and processors need to do in order to be GDPR compliant.

By means of best practice, such codes of conduct clarify the obligations of controllers and processors, thereby taking into account the risk likely to result from the processing for the rights and freedoms of natural persons. Once drafted, the codes must be approved by the relevant national data protection authority.

Why apply ‘Codes of Conduct’?

Companies that apply codes of conduct may thereby ensure that they conform with the GDPR effectively. In addition, the adherence to codes of conduct means that the company follows GDPR requirements in a manner that is considered as good practice within the sector.

What does the Data Pro Code entail?

The Data Pro Code focuses on the ICT sector in the Netherlands and provides further explanation of data processors’ obligations under the GDPR. In particular, the code offers the relevant Dutch processors practical information about open standards from the GDPR.

An important element is compliance with GDPR information obligations which require a data processor to inform its customer (the data controller) about its security measures. Such information must be provided in a way which allows the customer to assess whether the measures are sufficient, given the intended use of the service or product by the customer.

Data processors which apply the Data Pro Code may comply with this obligation by completing a Data Pro Statement which is then made part of the data processing agreement between the processor and the customer. The data processor thereby informs its customer (i) how it has implemented the GDPR’s security measures, (ii) what certification it holds and (iii) how it is processing the customer’s data (incl. duration, possible ways of deletion and retention period).

Supervision of the Data Pro Code

Compliance with the Data Pro Code is supervised by an independent body, the Data Pro Supervisor. A data processor who wishes to apply the Data Pro Code must accept an independent assessment of its activities. In addition, the processor can be certified as an adherer to the Data Pro Code and be included in a Data Pro Code Register, which is managed by the Data Pro Supervisor. This enables potential customers to view the code membership and ensures that the processor’s compliance with the GDPR is monitored by the Data Pro Supervisor. This monitoring, in turn provides assurance that the code of conduct can be trusted.

Next steps

Currently, the criteria that the Data Pro Supervisor must meet are submitted to the European Data Protection Board for advice. The Dutch DPA expects a definite answer within the course of this year.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 252

About this Author

Willeke Kemkers IP lawyer Greenberg Traurig

Willeke Kemkers is an associate in the IP / Tech department of Greenberg Traurig’s Amsterdam office. She focuses on a broad range of intellectual property issues, including proceedings, drafting of (commercial) contracts and providing of advice regarding transactions (mergers and acquisitions). Willeke also has deep knowledge of EU e-commerce regulations and regularly counsels clients with respect to the interpretation and application of the relevant laws.  

Furthermore, Willeke counsels clients on a wide range of privacy issues such as data processing agreements, cross-border...

+31 (0) 64.718.0845
Carsten Kociok, Greenberg Traurig Law Firm, Germany, Cybersecurity and Technology, Finance Litigation Attorney

Carsten Kociok focuses his practice on the technology, media and telecommunications industries. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution,...

Viola Bensinger, Greenberg Traurig Law Firm, Germany, Cybersecurity Litigation Attorney

Viola Bensinger chairs the Technology Practice as well as the Litigation Practice in Germany. She advises clients from the technology, media and healthcare industries.

Within the technology sector, Viola advises international internet, technology and healthcare companies in the areas of digital products, e-commerce, electronic payment, data protection, software licensing, (IT-) outsourcing as well as digital media.

49 -030700-171-150