On 21 August 2018, the Dutch Supervisor Authority announced that it had conducted an investigation into the designation of a Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR) by 91 hospitals and 33 healthcare insurers in the Netherlands. Two hospitals had not yet communicated the contact details of their DPO to the Dutch Supervisor Authority, and were given four weeks to designate a DPO. In addition, the Supervisor Authority found that 25% of the hospitals and healthcare insurers whose practices were reviewed did not properly publish their DPO’s contact details on their website. They will also be expected to implement the necessary compliance measures.

The GDPR, which applies since 25 May 2018, requires organizations like hospitals and healthcare insurers to appoint a DPO, whose main task consists in monitoring compliance with the GDPR. DPOs should also be in a positon to provide independent advice on how to implement the requirements of the GDPR within the organization, and are an important point of contact for the Supervisor Authority on all issues relating to data processing. The Dutch Supervisor Authority emphasizes that it should be easy for anyone to contact DPOs directly, and therefore the DPO’s telephone number or email address should be made public, for instance, on the controller’s or processor’s website. It is not necessary, according to the Dutch Supervisor Authority, to mention the name of the DPO.

Since the GDPR came into effect, the Dutch Supervisor Authority has investigated different compliance aspects of the GDPR, with a focus on the GDPR’s new accountability requirements. The Supervisor Authority recently assessed whether a selection of large companies is maintaining records of their data processing activities, as required by Article 30 GDPR. This latest flurry of activity in the Netherlands demonstrates that, now that three months have passed since the effective date, GDPR enforcement indeed may be starting to build.