Can the data protection agency inspect an ombudsman institution?
This was one of the questions that came up during the Poldershop (for more information see below) on the General Data Protection Regulation (GDPR) at Schiphol airport on Monday 5th November. The Poldershop was organised by the Dutch National Ombudsman at the request of the IOI European Board.
More than 15 institutions were represent during the Poldershop from Austria Belgium Estonia Finland France Greece Ireland Italy Malta Netherlands Norway Portugal Spain Sweden and Wales.
And as for the question whether the data protection agency can inspect ombudsman institutions, the responses were quite different. In some countries it is not possible for the agency to inspect the ombudsman institution as this would infringe on its constitutional position and as representative of Parliament that also does not fall within the control of the data protection agency.
One of the questions that was broadly discussed was when and how to inform third parties of the fact that their personal data was being processed. Complainants sometimes send a lot of information to the ombudsman in which there is also a lot of personal data of third parties. As receiving this information constitutes the processing of the personal data, that person should be notified of this fact. When do you do that and how?
This and other questions were put to the expert from the Dutch data protection agency that visited the meeting during lunch. He was however not able to give a clear cut answer. Also the answer to other relevant questions stayed unanswered. This led to the conclusions that it is very important that ombudsman institutions together come up with practical guidelines that they feel are right.
But some quick wins were already made. The European Ombudsman has been so kind as to share with the Data Protection Officers the form that they use for assessing whether third parties have to be informed. Also the Irish ombudsman office has send the participants a data protection information sheet that gives a brief outline of all the things you need to know about the GDPR.
The data protection is an important topic, not in the least for ombudsman institutions. The wish was expressed to continue our efforts in clarifying the rules and get the best practices and practical tools out to everyone who is interested.
The Poldershop concept has the following characteristics:
Everybody is equal. There is a very strong feeling in Dutch culture as we have hardly any nobility in the Netherlands and traditionally are averse to any bragging or showing off. So very informal discussions.
Everybody may say what they want. There is no absolute truth and your opinion is as valid as mine. So no presentations and speeches. Just sharing of insights, challenges, etc.
Everybody can safely express what they want. As we are below sea level, we should keep the dikes closed to prevent us from drowning. So no leakages about what was discussed are allowed. Best practices of course should be shared.
Dutch treat. Dutch history is rich in art but offers sparse lavish lifestyles and monumental buildings. So single language meeting at an inexpensive location. And everybody carries their own costs.
No agenda. There is complete freedom in how the poldershop is filled in. On the basis of a general outline of the topic, the floor is opened for discussion to all present. No speeches, no powerpoint, etc.
Source: National Ombudsman, Netherlands