In November 2018, the Dutch Data Protection Authority (DDPA) randomly investigated whether banks and insurers complied with their obligation to appoint and register a data protection officer (please see our previous blog on this topic of 22 November 2018). The outcome of this investigation of 45 banks and 93 insurers was that 6 banks and 9 insurers had not yet registered their DPO with the DPPA and that 7 banks and 14 insurers did not comply with the requirement of making available the direct contact details of their DPO. Further hetero, the DDPA granted these companies an additional period to meet their obligations.
The DDPA has followed up on this and has verified whether these companies are compliant by now. On 14 January 2019, the DDPA published an update on its website stating that all checked insurers and banks had implemented the required changes and now do comply with the aforementioned obligations.
Since the GDPR entered into force on 25 May 2018, the DDPA has shown quite active in carrying out such (random) checks at various organizations in different sectors to monitor the level of compliance of different important requirements of GDPR.
Recent activities of the DDPA inter alia included investigations (on a random basis) on compliance with the obligation to maintain a register of record of data processing activities, the compliance level of privacy statements used by healthcare institutions and political parties and the (compulsory) appointment and registration of data protection officers by public organizations, hospitals and health care insurers.
We expect that the DDPA will in 2019 continue to carry out similar random checks to investigate the GDPR compliance level of organizations (in all types of industries and sectors) in the Netherlands. The DDPA has shown that non-compliance is not without any consequences and that it will follow up on identified issues.