On July 17, 2018, the Dutch Supervisory Authority announced that it will start a preliminary investigation to assess whether certain large corporations comply with the EU’s General Data Protection Regulation (“GDPR”) – see the official press release here (in Dutch). To that end, the authority will review the “records of processing activities” from thirty randomly selected corporations which are located in the Netherlands.
Article 30 of the GDPR requires data controllers and processors to maintain a record of their processing activities. These records must, among other things, include a description of the categories of data subjects and types of personal data processed, as well as the recipients of the data and the transfer mechanisms used. While small organizations with less than 250 employees are generally exempted, but there are several exceptions to the exemption which may still cause this obligation to apply to them as well.
The thirty corporations will be selected from ten different economic sectors across the Netherlands, namely: metal industry, water supply, construction, trade, catering, travel, communications, financial services, business services and healthcare.
According to the authority, the correct maintenance of records of processing activities is an important first indication of an organization’s compliance with the new EU data protection rules.