Photo of Floortje Nagelkerke (NL)

Over four years in the making, the EU General Data Protection Regulation (GDPR) was finally published in the EU Official Journal on May 4, 2016, giving a concrete application date. It will apply directly in all EU Member States beginning May 25, 2018. The GDPR will repeal and replace Directive 95/46/EC and its Member State implementing legislation.

Together with the Directive on the Processing of Personal Data for the Purpose of Crime Prevention, the GDPR presents the most ambitious and comprehensive changes to data protection rules around the world in the last 20 years. The final official texts can be found here.

The GDPR rules apply to almost all private sector processing by organizations in the EU or by organizations outside the EU that target EU residents. The export regime will ensure the GDPR’s impact is felt where such organizations transfer personal data to the EU. The maximum fines for non-compliance are the higher of €20 million (approximately $23 million U.S. dollars) and 4% of the organization’s worldwide turnover.

The concept of accountability is at the heart of the GDPR rules: it means that organizations will need to be able to demonstrate that they have analysed the GDPR’s requirements in relation to their processing of personal data and that they have implemented a system or program that allows them to achieve compliance.

To assist our clients with navigating the GDPR’s requirements, we have developed a GDPR Checklist, linked below, and have planned introductory events and master classes to be held via webinar, and in-person in London, Paris, Frankfurt, Munich, and Amsterdam. Registration information may be found below.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “AP”) announced on March 8, 2016, that two companies agreed to stop processing employees’ personal health data after the AP initiated an investigation into the employers’ practices. The two companies provided their employees with wearable devices (or “wearables”), which allowed the companies to track their employees’ physical activity and sleep patterns. In addition to the two investigations, the AP issued guidance to employers emphasizing that employers are prohibited from engaging in these practice.

On the heels of the enactment of the Dutch breach notice law, the Dutch Data Protection Authority (CBP) published a consultation document with draft guidelines on the breach notice obligation of data controllers in the Netherlands. Under the law, data controllers are required to provide notice of data breaches to the CBP and, under certain circumstances, to the affected individuals. This obligation will take effect on January 1, 2016. The guidelines define a data breach as a security incident that has, or poses a significant risk of having, serious adverse consequences for the protection of personal data.

On 26 May 2015, the Dutch Senate passed the Bill on Notification of data leaks. The law imposes an obligation on “data controllers” (the persons or entitis that determine the purpose of and means for processing personal data) in the Netherlands to notify the Dutch Data Protection Authority (CBP) and affected individuals. The law may require data controllers to update agreements with their data processor to account for breach notice obligations. The law also increases fines for violations of the Dutch Data Protection Act (DPA) to up to €810,000 or 10% of the company’s net annual turnover. Both data controllers and data processors (who may be deemed “accomplices” in the breach) may be subject to the fines.

On January 22, 2015, the Netherlands proposed legislation introducing breach notification requirements for critical infrastructure industries, including utilities (electricity, gas and drinking water), telecom, financial services, government (surface-water management bodies) and transport (main ports Rotterdam and Schiphol airport).

The proposed law would require notification in the event of a breach of security or loss of integrity of electronic information systems that are of vital importance to Dutch society (ICT Breaches). Stakeholders have been invited to comment on the Data Processing and Notification Obligation Cybersecurity Act (Wet gegevensverwerking en meldplicht cybersecurity) before March 6, 2015. The bill introduces an obligation to notify the Minister of Security and Justice in the event of an ICT Breach. Notifications would need to be submitted to the Dutch National Cyber Security Centre (National Cyber Security Centrum, the NCSC), a specialized department within the Ministry of Security and Justice.