Following the General Data Protection Regulation (GDPR) entering into force the Dutch Data Protection Authority (DDPA) carries out random checks on organizations to assess their level of GDPR compliance. In that respect the DDPA performed checks on 91 hospitals and 33 health insurers to determine their level of compliance with the GDPR with regards to the appointment and registration of the (mandatory) data protection officer (DPO). On 16 August 2018 two of these hospitals had not yet appointed a DPO. The DDPA granted these hospitals a four week period to comply with this requirement, subjecting them to a possible fine if failing to do so.
Furthermore, when appointing a DPO, organizations are required to provide the data subjects with direct contact details (e.g. direct phone number or email address) which can be used to contact the DPO directly. In almost 25% of the cases the DDPA found that the contact details of the DPO were not accessible or made available at all, as seventeen hospitals and two insurers had failed to include such contact details on their website completely. Moreover, in the cases where the hospitals and insurers did provide such information on their websites, the DDPA found that three of the hospitals and one insurer did not provide a direct email address or phone number to the DPO. The DDPA has requested the organizations concerned to improve this for future reference. On its website the DDPA emphasized that DPOs are considered an important point of contact for the DDPA as the DPO has the capacity to independently render its advice on the way data protection legislation is or should be implemented within its organization.