Is your organisation prepared for the

General Data Protection Regulation?

GDPR shall be applicable in









New data protection legislation

General Data Protection Regulation (GDPR)

Algemene Verordening Gegevensbescherming (AVG)

The General Data Protection Regulation (GDPR) is an EU-wide regulation that aims to strengthen and unify data protection for all individuals within the European Union. It imposes a strict data compliance regime on organisations, with hefty fines for non-compliance.

Applies from

25 May 2018


Applies to organisations worldwide

Fine for non-compliance

€20m / 4% of global turnover, whichever is greater

GDPR at a glance

Core principles

At its core, GDPR obligates organisations
to lawfully process personal data and limit the collection and processing of data for specified, explicit and legitimate purposes.


Far-reaching privacy rights for data subjects

Data subjects receive extensive control
over how their personal data is used, including the right to access, rectify and erase.


Extended obligations for organisations

Organisations need to provide greater
accountability and transparency and must be able to demonstrate their compliance with the GDPR.


Core principles

Lawful processing and Purpose limitation

Personal data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Any processing of personal data must have a legitimate basis.

Data minimization

Data processing is limited to what is necessary for the above purposes.


The controller must take every reasonable step to ensure that incorrect personal data is erased or rectified without delay.

Storage limitation

Personal data may not be retained for longer than is necessary for the purposes for which the personal data were processed.


The data controller is responsible for and must be able to demonstrate compliance with the GDPR.

Ground for processing

The processing of personal data must be based on a ground (AG consent, execution of  a contract or the legitimate interest of the data controller).


Far-reaching privacy rights for data subjects


The controller must provide information about the data processing in a concise, transparent, intelligible and easily accessible form. This amongst others includes information about the purposes of processing and the categories of personal data.


The data subject has the right to access and obtain a copy of their personal data undergoing processing.


The data subject may obtain without undue delay the rectification of inaccurate personal data and the completion of incomplete data.

Erasure (“right to be forgotten”)

The data subject has the right to obtain the erasure of personal data,

  • when the personal data is no longer necessary in relation to the purposes for which the data are collected and processed,
  • the data subject withdraws consent to the processing,
  • the data subject exercises his right to object,
  • or the data has been unlawfully processed.

Data portability

The data subject has the right to receive personal data, which he has provided to a data controller, in a structured, commonly used and machine-readable format, where the processing is based on consent or on a contract.

Right to object

Where the processing is based on the legitimate interest of the controller, the data subject shall have the right to object to the processing, unless the processing is necessary for the establishment, exercise or defense of legal claims or the controller demonstrates other compelling legitimate grounds.

Automated decisions

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects him.

Response term

When the data subject exercises one of the above rights, the controller has to respond within one month.


Extended obligations for organisations

Appoint a Data Protection Officer (DPO)

The controller or processor shall designate a DPO if its core activities consist of processing on a large scale of special categories of personal data or processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.

De verwerkingsverantwoordelijke moet betrokkenen op een beknopte, transparante, begrijpelijke en toegankelijke wijze informeren over hoe gegevens worden verwerkt. Dit omvat o.a. informatie over de doeleinden van verwerken en de categorieën van persoonsgegevens.

Security measures

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the privacy of data subjects, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Data Protection Impact Assessment (DPIA)

Where a type of processing is likely to result in a high risk for the privacy of the data subject, the controller shall, prior to such processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

Data protection by design and default

The controller shall, both at the time of the determination of the means of processing and at the time of processing itself, implement technical and organisational measures which are intended to protect personal data and to limit the processing by default to only what is necessary.

Record keeping

The controller and processor shall maintain a record of all personal data processing activities.

Breach response

Supervisory authority:
In case of a personal data breach, the controller shall without undue delay and, where feasible, no later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of persons.

Data subject:
Where the personal data breach is likely to result in a high risk to to the rights and freedoms of persons , the controller shall communicate the breach to them without undue delay.

How does your organisation prepare for GDPR?

StEp 1


Create an inventory of all personal data processing activities within your organisation.

StEp 2

Record of personal data processing activities

Translate the inventory into a record of personal data processing activities and analyse which GDPR regulations your organisation needs to follow. For example, does your organisation need to hire a DPO?

StEp 3


Apply the relevant GDPR regulations to your organisation by formulating policies which could concern:

  1. Securing and handling of data breaches,
  2. Handling data subjects’ privacy rights,
  3. Response terms and use of processors and applicable agreements.

Updated privacy statements

It is also important to update your privacy statements (for customers, website visitors and employees) in accordance with the new transparency regulations.

Design standard instruments

Finally, your organisation needs to put standard instruments in place to handle data subject access requests (i.e. via dashboard) and create a data protection impact assessment. 

Get in touch to discuss how we can help your organisation get GDPR-ready

Contact to get started

GDPR super-specialists

We are a leading firm in matters of privacy and the protection of personal data. We support Dutch and international companies as well as government bodies in matters concerning (EU) privacy legislation, compliance and enforcement.

Hester de Vries

Attorney at law, Partner
+31 20 5506 657

Nicole Wolters Ruckert

Associate Partner, Attorney at law
+31 20 5506 646

Rosalie Heijna

Attorney at law
+31 20 5506 611


How can we help you?

We can help you with creating the inventory of data processing activities, the follow-up analysis as well as the translation of GDPR regulations to policies for your organisation.

Would you like to know more? Please get in touch. You can also leave behind your e-mail address or phone number so we can call
you back.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.