PGB budget and GDPR — what should the budget holder know?
With a Personal Care Budget (PGB) YOU are the controller for your care providers. Administration, breaches, and data subject rights are your responsibility.
With a Personal Care Budget (PGB) you receive money to purchase care yourself (Dutch Wmo, Wlz, Jeugdwet, Zvw). Important GDPR implication: YOU become the controller for the care providers you pay. You manage their time declarations, BSN, contracts, and the health data of your client (often yourself or a family member).

What must you arrange?
(1) Privacy statement: not for "the public" but for your care providers, covering what you do with their data and how long you retain it.
(2) Security: password-protected computer, encrypted backup, not everything on WhatsApp.
(3) Retention: 7 years for financial admin (Dutch Awr Art. 52), 5 years for the client file (Wlz).
(4) Breach procedure: you also have a duty to notify the AP of a data breach (typically via the SVB PGB portal).

SVB helps: the SVB PGB Service Centre facilitates admin, care agreements, and payment. Much GDPR risk is absorbed, but not all. For example, paper files at home are your own responsibility.

On a breach: notify the AP within 72h (Art. 33). Inform the affected care provider if the risk is high.

Representative? With PGB representation (guaranteed help, guardian, mentor), responsibility partially shifts to them.

Important detail: if your care provider works for multiple PGB holders, each holder remains separately responsible for the data they hold on that provider.