Compliance with EU regulations

NLX architecture compliance with EU regulations and architecture frameworks

European Interoperability Framework (EIF)

The European interoperability framework is a commonly agreed approach to the delivery of European public services in an interoperable manner. It defines basic interoperability guidelines in the form of common principles, models and recommendations.

The purpose of the EIF is to:

  • inspire European public administrations in their efforts to design and deliver seamless European public services to other public administrations, citizens and businesses which are, to the extent possible, digital-by-default (i.e. providing services and data preferably via digital channels), cross-border-by-default (i.e. accessible for all citizens in the EU) and open-by-default (i.e. enabling reuse, participation/access and transparency);
  • provide guidance to public administrations on the design and update of national interoperability frameworks (NIFs), or national policies, strategies and guidelines promoting interoperability;
  • contribute to the establishment of the digital single market by fostering cross-border and cross-sectoral interoperability for the delivery of European public services.

The EIF is meant to be a generic framework applicable to all public administrations in the EU. It lays out the basic conditions for achieving interoperability, acting as the common denominator for relevant initiatives at all levels including European, national, regional and local, embracing public administrations, citizens and businesses.

The EIF describes a set of 47 recommendations, as actionable items to be implemented by public administrations. Several of these recommendations impact NLX. All recommendations from the EIF and their impact on NLX are detailed below.

Requirement NLX0001
Source European Interoperability Framework (EIF)
Category Underlying principle: Subsidiarity and proportionality
Type Recommendation
Compliant Yes
Description Ensure that national interoperability frameworks and interoperability strategies are aligned with the EIF and, if needed, tailor and extend them to address the national context and needs.
Implications
  • NLX will be aligned with the goals described in the EIF.
  • Extensions have been added in NLX with regard to authentication and logging in the federated infrastructure.

Requirement NLX0002
Source European Interoperability Framework (EIF)
Category Underlying principle: Openness
Type Recommendation
Compliant N/A
Description Publish the data you own as open data unless certain restrictions apply.
Implications
  • NLX can be used as the infrastructure to publish any data, including open data.
  • Making data available as open data is the responsibility of the data owner.

Requirement NLX0003
Source European Interoperability Framework (EIF)
Category Underlying principle: Openness
Type Recommendation
Compliant Yes
Description Ensure a level playing field for open source software and demonstrate active and fair consideration of using open source software, taking into account the total cost of ownership of the solution.
Implications
  • NLX is being developed as open source software using open source components.
  • Development is done under the European Union Public License, version 1.2 (EUPL-1.2).

Requirement NLX0004
Source European Interoperability Framework (EIF)
Category Underlying principle: Openness
Type Recommendation
Compliant Yes
Description Give preference to open specifications, taking due account of the coverage of functional needs, maturity and market support and innovation.
Implications
  • NLX development exclusively uses international and national open specifications.
  • Examples of national open specifications are the Dutch DSO API/URI specification and the Dutch government OAuth 2.0 profiles.

Requirement NLX0005
Source European Interoperability Framework (EIF)
Category Underlying principle: Transparency
Type Recommendation
Compliant N/A
Description Ensure internal visibility and provide external interfaces for European public services.
Implications
  • NLX can be used as the infrastructure for provisioning the external interfaces.
  • Ensuring internal visibility and provisioning of external interfaces is the responsibility of the public administration.

Requirement NLX0006
Source European Interoperability Framework (EIF)
Category Underlying principle: Reusability
Type Recommendation
Compliant Yes
Description Reuse and share solutions, and cooperate in the development of joint solutions when implementing European public services.
Implications
  • NLX is being developed as open source software using open source components.
  • Development is done under the European Union Public License, version 1.2 (EUPL-1.2).

Requirement NLX0007
Source European Interoperability Framework (EIF)
Category Underlying principle: Reusability
Type Recommendation
Compliant N/A
Description Reuse and share information and data when implementing European public services, unless certain privacy or confidentiality restrictions apply.
Implications
  • Reusing and sharing of information and data is the responsibility of the data owner.

Requirement NLX0008
Source European Interoperability Framework (EIF)
Category Underlying principle: Technological neutrality and data portability
Type Recommendation
Compliant Yes
Description Do not impose any technological solutions on citizens, businesses and other administrations that are technology-specific or disproportionate to their real needs.
Implications
  • NLX does not impose any technical solutions on organisations or businesses which are disproportionate to their needs.
  • NLX is being developed as a lightweight solution based on open source development.

Requirement NLX0009
Source European Interoperability Framework (EIF)
Category Underlying principle: Technological neutrality and data portability
Type Recommendation
Compliant N/A
Description Ensure data portability, namely that data is easily transferable between systems and applications supporting the implementation and evolution of European public services without unjustified restrictions, if legally possible.
Implications
  • Ensuring data portability is the responsibility of the data owner.
  • NLX can accommodate the transfer of data between systems and organisations.

Requirement NLX0010
Source European Interoperability Framework (EIF)
Category Underlying principle: User-centricity
Type Recommendation
Compliant N/A
Description Use multiple channels to provide the European public service, to ensure that users can select the channel that best suits their needs.
Implications
  • It is the responsibility of the public administration to provide multiple channels for the provisioning of public services.

Requirement NLX0011
Source European Interoperability Framework (EIF)
Category Underlying principle: User-centricity
Type Recommendation
Compliant N/A
Description Provide a single point of contact in order to hide internal administrative complexity and facilitate users' access to European public services.
Implications
  • It is the responsibility of the public administration, or government, to provide a single point of contact in order to hide internal administrative complexity.

Requirement NLX0012
Source European Interoperability Framework (EIF)
Category Underlying principle: User-centricity
Type Recommendation
Compliant N/A
Description Put in place mechanisms to involve users in analysis, design, assessment and further development of European public services.
Implications
  • Involving users in analysis, design, assessment and further development of public services is the responsibility of the public administration.

Requirement NLX0013
Source European Interoperability Framework (EIF)
Category Underlying principle: User-centricity
Type Recommendation
Compliant N/A
Description As far as possible under the legislation in force, ask users of European public services once-only and relevant-only information.
Implications
  • This is the responsibility of the public administration.

Requirement NLX0014
Source European Interoperability Framework (EIF)
Category Underlying principle: Inclusion and accessibility
Type Recommendation
Compliant Yes
Description Ensure that all European public services are accessible to all citizens, including persons with disabilities, the elderly and other disadvantaged groups. For digital public services, public administrations should comply with e-accessibility specifications that are widely recognised at European or international level.
Implications
  • The API discovery user interface used to find services offered by API providers through NLX should be accessible to all citizens and compliant with the "Accessibility requirements suitable for public procurement of ICT products and services in Europe" standard (EN 301 549 v1.1.2).

Requirement NLX0015
Source European Interoperability Framework (EIF)
Category Underlying principle: Security and privacy
Type Recommendation
Compliant Yes
Description Define a common security and privacy framework and establish processes for public services to ensure secure and trustworthy data exchange between public administrations and in interactions with citizens and businesses.
Implications
  • NLX exchanges data securely and in compliance with the GDPR and the eIDAS Regulation.
  • Transaction logs are maintained for auditing purposes.

Requirement NLX0016
Source European Interoperability Framework (EIF)
Category Underlying principle: Multilingualism
Type Recommendation
Compliant Yes
Description Use information systems and technical architectures that cater for multilingualism when establishing a European public service. Decide on the level of multilingualism support based on the needs of the expected users.
Implications
  • The main users of NLX and the services offered through NLX are developers.
  • Developers are used to working in environments where English is the main language.
  • The primary language for development and documentation of NLX will be English.
  • The primary language for API documentation published through NLX will be English.

Requirement NLX0017
Source European Interoperability Framework (EIF)
Category Underlying principle: Administrative simplification
Type Recommendation
Compliant N/A
Description Simplify processes and use digital channels whenever appropriate for the delivery of European public services, to respond promptly and with high quality to users' requests and reduce the administrative burden on public administrations, businesses and citizens.
Implications
  • Simplifying processes and using digital channels for the delivery of public services is the responsibility of the public administration offering these services.

Requirement NLX0018
Source European Interoperability Framework (EIF)
Category Underlying principle: Preservation of information
Type Recommendation
Compliant Yes
Description Formulate a long-term preservation policy for information related to European public services and especially for information that is exchanged across borders.
Implications
  • NLX does not store any information related to European public services other than transaction logs.
  • NLX transaction logs need to be preserved long-term in order to comply with Dutch legislation.

Requirement NLX0019
Source European Interoperability Framework (EIF)
Category Underlying principle: Assessment of effectiveness and efficiency
Type Recommendation
Compliant Yes
Description Evaluate the effectiveness and efficiency of different interoperability solutions and technological options considering user needs, proportionality and balance between costs and benefits.
Implications
  • <add explanation why the technology used was selected>

Requirement NLX0020
Source European Interoperability Framework (EIF)
Category Interoperability governance
Type Recommendation
Compliant N/A
Description Ensure holistic governance of interoperability activities across administrative levels and sectors.
Implications
  • This is the responsibility of the public administration, relevant trade associations (VNG Realisatie for Dutch municipalities) and the Dutch government.

Requirement NLX0021
Source European Interoperability Framework (EIF)
Category Interoperability governance
Type Recommendation
Compliant N/A
Description Put in place processes to select relevant standards and specifications, evaluate them, monitor their implementation, check compliance and test their interoperability.
Implications
  • This is the responsibility of the public administration, relevant trade associations (VNG Realisatie for Dutch municipalities) and the Dutch government.

Requirement NLX0022
Source European Interoperability Framework (EIF)
Category Interoperability governance
Type Recommendation
Compliant N/A
Description Use a structured, transparent, objective and common approach to assessing and selecting standards and specifications. Take into account relevant EU recommendations and seek to make the approach consistent across borders.
Implications
  • This is the responsibility of the public administration, relevant trade associations (VNG Realisatie for Dutch municipalities) and the Dutch government.
  • The 'Forum Standaardisatie' (Dutch Standardisation Forum) selects open standards taking into account the relevant EU recommendations.
  • Relevant open standards are published on a 'comply or explain' list, the use of which is mandatory for the public sector.

Requirement NLX0023
Source European Interoperability Framework (EIF)
Category Interoperability governance
Type Recommendation
Compliant N/A
Description Consult relevant catalogues of standards, specifications and guidelines at national and EU level, in accordance with your NIF and relevant DIFs, when procuring and developing ICT solutions.
Implications
  • This is the responsibility of the public administration.

Requirement NLX0024
Source European Interoperability Framework (EIF)
Category Interoperability governance
Type Recommendation
Compliant N/A
Description Actively participate in standardisation work relevant to your needs to ensure your requirements are met.
Implications
  • This is the responsibility of the public administration and relevant trade associations (VNG Realisatie for Dutch municipalities).

Requirement NLX0025
Source European Interoperability Framework (EIF)
Category Integrated public service governance
Type Recommendation
Compliant N/A
Description Ensure interoperability and coordination over time when operating and delivering integrated public services by putting in place the necessary governance structure.
Implications
  • This is the responsibility of the public administration and relevant trade associations (VNG Realisatie for Dutch municipalities).

Requirement NLX0026
Source European Interoperability Framework (EIF)
Category Integrated public service governance
Type Recommendation
Compliant N/A
Description Establish interoperability agreements in all layers, complemented by operational agreements and change management procedures.
Implications
  • This is the responsibility of the public administration and relevant trade associations (VNG Realisatie for Dutch municipalities).

Requirement NLX0027
Source European Interoperability Framework (EIF)
Category Legal interoperability
Type Recommendation
Compliant N/A
Description Ensure that legislation is screened by means of 'interoperability checks', to identify any barriers to interoperability. When drafting legislation to establish a European public service, seek to make it consistent with relevant legislation, perform a 'digital check' and consider data protection requirements.
Implications
  • This is the responsibility of the public administration and relevant trade associations (VNG Realisatie for Dutch municipalities).

Requirement NLX0028
Source European Interoperability Framework (EIF)
Category Organisational interoperability
Type Recommendation
Compliant N/A
Description Document your business processes using commonly accepted modelling techniques and agree on how these processes should be aligned to deliver a European public service.
Implications
  • This is the responsibility of the public administration and relevant trade associations (VNG Realisatie for Dutch municipalities).

Requirement NLX0029
Source European Interoperability Framework (EIF)
Category Organisational interoperability
Type Recommendation
Compliant N/A
Description Clarify and formalise your organisational relationships for establishing and operating European public services.
Implications
  • This is the responsibility of the public administration.

Requirement NLX0030
Source European Interoperability Framework (EIF)
Category Semantic interoperability
Type Recommendation
Compliant N/A
Description Perceive data and information as a public asset that should be appropriately generated, collected, managed, shared, protected and preserved.
Implications
  • This is the responsibility of the public administration, ministries and relevant trade associations (VNG Realisatie for Dutch municipalities).
  • Standardisation of semantic interoperability is of major importance, but generally speaking not for NLX itself. NLX logging requires semantic and syntactic standardisation; the administrative data processed through the APIs does not, as far as NLX is concerned.

Requirement NLX0031
Source European Interoperability Framework (EIF)
Category Semantic interoperability
Type Recommendation
Compliant N/A
Description Put in place an information management strategy at the highest possible level to avoid fragmentation and duplication. Management of metadata, master data and reference data should be prioritised.
Implications
  • This is the responsibility of the public administration, relevant trade associations (VNG Realisatie for Dutch municipalities) and the Dutch government.

Requirement NLX0032
Source European Interoperability Framework (EIF)
Category Semantic interoperability
Type Recommendation
Compliant N/A
Description Support the establishment of sector-specific and cross-sectoral communities that aim to create open information specifications and encourage relevant communities to share their results on national and European platforms.
Implications
  • This is the responsibility of the public administration and relevant trade associations (VNG Realisatie for Dutch municipalities).

Requirement NLX0033
Source European Interoperability Framework (EIF)
Category Technical interoperability
Type Recommendation
Compliant Yes
Description Use open specifications, where available, to ensure technical interoperability when establishing European public services.
Implications
  • Technical interoperability is ensured through the use of open technical specifications.

Requirement NLX0034
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant Yes
Description Use the conceptual model for European public services to design new services or reengineer existing ones and reuse, whenever possible, existing service and data components.
Implications
  • NLX is set up as a modular infrastructure and comprises loosely coupled service components interconnected through a shared common infrastructure.

Requirement NLX0035
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant Yes
Description Decide on a common scheme for interconnecting loosely coupled service components and put in place and maintain the necessary infrastructure for establishing and maintaining European public services.
Implications
  • NLX is the implementation of such a common scheme.
  • Interconnectivity is provided by standardised API gateways and a combination of private (GGI Network) and public (Internet) networks.

Requirement NLX0036
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant Yes
Description Develop a shared infrastructure of reusable services and information sources that can be used by all public administrations.
Implications
  • NLX is an open source inter-organisational system facilitating federated authentication, secure connectivity and transaction logging in a large-scale, dynamic API landscape.

Requirement NLX0037
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant Yes
Description Make authoritative sources of information available to others while implementing access and control mechanisms to ensure security and privacy in accordance with the relevant legislation.
Implications
  • Authoritative sources can publish their services and make them accessible to consumers through NLX.
  • NLX implements delegated authorisation, enabling data owners to implement local access and control mechanisms.

Requirement NLX0038
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant N/A
Description Develop interfaces with base registries and authoritative sources of information, publish the semantic and technical means and documentation needed for others to connect and reuse available information.
Implications
  • This is the responsibility of the public administration.
  • NLX supports the publishing of the semantic and technical means and documentation needed for others to connect and reuse available information.

Requirement NLX0039
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant N/A
Description Match each base registry with appropriate metadata including the description of its content, service assurance and responsibilities, the type of master data it keeps, conditions of access and the relevant licences, terminology, a glossary, and information about any master data it uses from other base registries.
Implications
  • This is the responsibility of the public administration and relevant trade associations (VNG Realisatie for Dutch municipalities).

Requirement NLX0040
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant N/A
Description Create and follow data quality assurance plans for base registries and related master data.
Implications
  • This is the responsibility of the data owner.

Requirement NLX0041
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant N/A
Description Establish procedures and processes to integrate the opening of data in your common business processes, working routines, and in the development of new information systems.
Implications
  • This is the responsibility of the public administration.

Requirement NLX0042
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant N/A
Description Publish open data in machine-readable, non-proprietary formats. Ensure that open data is accompanied by high quality, machine-readable metadata in non-proprietary formats, including a description of their content, the way data is collected and its level of quality and the licence terms under which it is made available. The use of common vocabularies for expressing metadata is recommended.
Implications
  • This is the responsibility of the data owner.

Requirement NLX0043
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant N/A
Description Communicate clearly the right to access and reuse open data. The legal regimes for facilitating access and reuse, such as licences, should be standardised as much as possible.
Implications
  • This is the responsibility of the data owner.

Requirement NLX0044
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant Yes
Description Put in place catalogues of public services, public data, and interoperability solutions and use common models for describing them.
Implications
  • All services provided through NLX will be published in one or more catalogues.

Requirement NLX0045
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant N/A
Description Where useful and feasible to do so, use external information sources and services while developing European public services.
Implications
  • This is the responsibility of the service provider.

Requirement NLX0046
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant N/A
Description Consider the specific security and privacy requirements and identify measures for the provision of each public service according to risk management plans.
Implications
  • Assessing the specific security and privacy risks for a service is the responsibility of the public administration, ministries and relevant trade associations (VNG Realisatie for Dutch municipalities).
  • NLX will support the eIDAS assurance levels (low, substantial, high).

Requirement NLX0047
Source European Interoperability Framework (EIF)
Category Conceptual model for integrated public services
Type Recommendation
Compliant Yes
Description Use trust services according to the Regulation on eID and Trust Services as mechanisms that ensure secure and protected data exchange in public services.
Implications
  • All services provided through NLX will be protected in accordance with the EU eIDAS Regulation.

Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS)

The eIDAS Regulation provides for secure and protected data exchange during the delivery of public services. It ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services in other EU countries where eIDs are available, and it creates a European internal market for electronic trust services (eTS), namely electronic signatures, electronic seals, time stamps, electronic registered delivery services and website authentication, by ensuring that they work across borders and have the same legal status as traditional paper-based processes.

The eIDAS Regulation:

  • lays down the conditions under which Member States recognise electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State;
  • lays down rules for trust services, in particular for electronic transactions; and
  • establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.

The eIDAS Regulation applies to electronic identification schemes that have been notified by a Member State, and to trust service providers that are established in the European Union. The Regulation does not apply to the provision of trust services that are used exclusively within closed systems resulting from national law or from agreements between a defined set of participants, and it does not affect national or Union law related to the conclusion and validity of contracts or other legal or procedural obligations relating to form.

Requirement NLX0048
Source eIDAS
Category Article 8: Assurance levels of electronic identification schemes
Type Mandatory
Compliant Yes
Description An electronic identification scheme notified pursuant to Article 9(1) shall specify assurance levels low, substantial and/or high for electronic identification means issued under that scheme. The assurance levels low, substantial and high shall meet respectively the following criteria:
  • assurance level low shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a limited degree of confidence in the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of misuse or alteration of the identity;
  • assurance level substantial shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a substantial degree of confidence in the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of misuse or alteration of the identity;
  • assurance level high shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a higher degree of confidence in the claimed or asserted identity of a person than electronic identification means with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent misuse or alteration of the identity.
Implications
  • NLX will have to support configurations that allow a different assurance level to be required for each API.

Requirement NLX0049
Source eIDAS
Category Article 15: Accessibility for persons with disabilities
Type Mandatory
Compliant Yes
Description Where feasible, trust services provided and end-user products used in the provision of those services shall be made accessible for persons with disabilities.
Implications
  • The API Discovery user interface which publishes the APIs available through NLX must comply with "WCAG 2.0 Success Criterion 1.1.1 Non-text content" as specified in the EN 301 549 v1.1.2 standard.
  • Standard - EN 301 549 v1.1.2: "Accessibility requirements suitable for public procurement of ICT products and services in Europe"

    Requirements intended to be used as the basis for an accessible ICT procurement toolkit. The present requirements will primarily be useful for public procurers to identify the requirements for their purchases, and also for manufacturers to employ it within their design, build and quality control procedures.

    Number NLX0050
    Source EN 301 549
    Category Web pages
    Type Recommendation (Mandatory after implementation in 2018 of Dutch legislation: 'Wet Digitale Overheid' and 'AMvB: Besluit digitale toegankelijkheid')
    Compliant Yes
    Description Functional accessibility requirements applicable to ICT products and services, together with a description of the test procedures and evaluation methodology for each accessibility requirement in a form that is suitable for use in public procurement within Europe, in support of Mandate 376. Incorporates WCAG2 for web pages.
    Implications
  • The API Discovery user interface which publishes the NLX APIs must comply with "WCAG 2.0 Success Criterion 1.1.1 Non-text content" as specified in the EN 301 549 v1.1.2 standard.

The EU General Data Protection Regulation (GDPR)

    The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.

    Number NLX0051
    Source EU General Data Protection Regulation (GDPR)
    Category Right to Access
    Type Mandatory
    Compliant Yes
    Description Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
    Implications
  • Although personal data is processed through the APIs published on NLX, none of that data is stored by NLX;
  • The right to access data used by the APIs will be offered to data subjects by the API provider, not by NLX;
  • NLX maintains transaction logs. These logs contain personal data if APIs that process personal data have been accessed. In that case the Right to Access applies to the log data, and NLX will provide means for citizens to access their personal data in an electronic format.
    Number NLX0052
    Source EU General Data Protection Regulation (GDPR)
    Category Right to be Forgotten
    Type Mandatory
    Compliant N/A
    Description Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
    Implications
  • Although personal data is processed through the APIs published on NLX, none of that data is stored by NLX;
  • NLX maintains transaction logs. These logs contain personal data if APIs that process personal data have been accessed. The transaction logs provide an audit trail of the transactions in the federated network, and the integrity of these logs is paramount for that audit trail. The Right to be Forgotten will therefore not apply to the NLX transaction logs.
    Number NLX0053
    Source EU General Data Protection Regulation (GDPR)
    Category Data Portability
    Type Mandatory
    Compliant N/A
    Description GDPR introduces data portability: the right for a data subject to receive the personal data concerning them, which they have previously provided, in a 'structured, commonly used and machine-readable format', and the right to transmit that data to another controller.
    Implications
  • Although personal data is processed through the APIs published on NLX, none of that data is stored by NLX;
  • NLX maintains transaction logs. These logs contain personal data if APIs that process personal data have been accessed. The Data Portability right does not apply to the transaction log records. These records document service calls which have been handled by the service provider. While in some cases these log records can be related to persons, they do not constitute data which is transferable to other parties.
    Number NLX0054
    Source EU General Data Protection Regulation (GDPR)
    Category Privacy by Design
    Type Mandatory
    Compliant Yes
    Description Privacy by design as a concept has existed for years, but it is only now becoming a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the outset of the design of systems, rather than as an addition. More specifically: 'The controller shall... implement appropriate technical and organisational measures... in an effective way... in order to meet the requirements of this Regulation and protect the rights of data subjects'. Article 25 (data protection by design and by default) calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as limiting access to personal data to those who need it to carry out the processing.
    Implications NLX is designed and built based on the following privacy by design principles:
  • Minimise: Limit the processing of personal data as much as possible
  • Separate: Distribute or isolate personal data as much as possible, to prevent correlation
  • Abstract: Limit the level of detail in which personal data is processed as much as possible
  • Hide: Prevent personal data from becoming public or known
  • Inform: Inform data subjects about the processing of their personal data
  • Control: Give data subjects control over the processing of their personal data
  • Enforce: Commit to processing personal data in a privacy-friendly way, and enforce this
  • Demonstrate: Demonstrate that you are processing personal data in a privacy-friendly way
  • NLX does not store any (personal) data, except for identifying numbers in transaction logs. Data stored in the transaction logs is limited to what is needed for the audit trail.