AFMP and MARVER: Challenges in Accessing Information Under GDPR for special groups of Defence Employees
GDPR friend or foe?
Challenges exist in accessing and processing information under the GDPR (Regulation (EU) 2016/679 (General Data Protection Regulation)) for Dutch MOD personnel and union members. In the Netherlands the GDPR is known as the AVG (Dutch: Algemene Verordening Gegevensbescherming).
The Dutch Government handles (y)our personal data with the utmost care. Personal data is information that can be traced to an individual, such as name, physical and postal address and email address.
In the Netherlands, the GDPR and the Dutch GDPR Implementation Act mainly govern processing personal data. The relevant Dutch Supervisory Authority is the “Autoriteit Persoonsgegevens” (AP), which is becoming more and more active from both a guidance and enforcement perspective. The Personal Data Protection Act regulates what may and may not be done with your personal data. For example, you have the right to access your personal data so you know what data is available. The AP checks whether organizations are obeying the law.
We, the Dutch unions AFMP and MARVER, have a need to be able to address and inform our members. This can be done by the “old school” method, by fiscal address, email or other forms of social media. Also, each member of the Dutch forces has a personal Defense email address within the organisation. A large number of our members, both military and civilian personnel, choose to receive information from their union via the military address.
The past, before the GDPR
Before the toughening of the rules under the GDPR (applied in May 2018), organisations were already required to protect the personal data of individuals and ensure that they had a legitimate basis for processing such data.
For the unions there were and are unique challenges related to data access due to the specific composition of the members, shared interests, and the need for certain information (e.g., workplace location, department, rank, and secure communication channels).
An agreement with the MOD on how the information needs to be handled served as a bases for the organisations to transfer, receive and handle information regarding the members of the unions within the military organisation. The unions therefore have their own (additional) regulations and systems for safely storing personal data.
As a result, the unions were always informed by the MOD regarding all relevant and necessary personnel information, in the awareness that we are working for MOD personnel and working together with the MOD in assuring the rights and inter alia the (unrestricted) workplace related information for MOD personnel.
The current, data transfer and availability under the GDPR
The GDPR requires organisations to strictly protect the personal data of individuals and ensure that they have a legitimate basis for processing such data.
- Data Protection Principles: The GDPR outlines several data protection principles, including the lawful and fair processing of personal data, the purpose limitation, data minimization, and ensuring data accuracy. These principles apply to all organizations, including those with a specialized membership like yours.
- Lawful Basis for Processing: To process personal data, an organization must have a lawful basis for doing so. In your case, it’s important to determine whether the information you seek to access is being processed lawfully, and whether the purpose for which it’s processed aligns with the interests of your group.
- Transparency and Consent: Individuals have the right to be informed about how their data is processed. An organization should ensure that its members are aware of how their data is being used and have given their consent, especially if the information shared involves sensitive details like military service and communication channels.
- Data Subject Rights: under the GDPR, individuals have certain rights regarding their personal data, including the right to access, rectify, or erase their data. Your members should be aware of their rights and be able to exercise them.
- Data Security and Communication: Given the sensitive nature of military personnel data, it’s crucial to ensure robust data security measures. Additionally, if your members need to communicate using specific channels like military email addresses, these channels must comply with GDPR requirements.
Conclusion: Navigating GDPR compliance within a specialized group like Defense employees can be complex due to the unique nature of the information involved. It’s essential for your organization to ensure that it processes personal data lawfully, transparently, and securely while respecting the rights of its members. Clear communication and awareness of data protection principles are key to resolving any challenges related to data access and privacy within your group.
How to obtain information on (y)our union members
We realize that the Government of the Netherlands handles personal data with the utmost care. As said before, personal data is information that can be traced to an individual or organization, such as names, postal and email addresses, etc.
Such information however is of vital need for military unions and associations. How else is it possible to organize and represent the interests of the employee? In case a member of a military union or association wants to share her of his information about a personal situation within the unit or other military organization, is the union or association able to process and store this information?
It is to our belief that the Dutch MOD does not provide all necessary personal information about a member of the AFMP/MARVER due to the privacy rules in the AVG (the Dutch General Data Protection Regulation). So the privacy rules make it difficult, or even (almost) impossible to share information about active duty union members.
We are convinced this is a specific problem for military unions and associations. Other external organizations with a direct relationship to the Dutch MOD do receive relevant data. The MOD and a third party send the information, based upon some sort of Memorandum of Understanding or a policy which describes the execution of the transfer of data, with relevant stakeholders.
This situation creates various questions that military associations and unions, as well as EUROMIL need to address. Firstly, it is important to exchange views on how other EU countries have implemented the GDPR regulation regarding military personnel, or whether there have been legal cases for obtaining information by the MoD. Lastly, it is also imperative to know whether there have been legal issues about obtaining (personnel of organization) information, regarding their own union or association members. This could serve as a basis for us to join legal procedures at the EU or similar organization to start a court procedure.