The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “AP”) announced on March 8, 2016, that two companies agreed to stop processing employees’ personal health data after the AP initiated an investigation into the employers’ practices. The two companies provided their employees with wearable devices (or “wearables”), which allowed the companies to track their employees’ physical activity and sleep patterns. In addition to the two investigations, the AP issued guidance to employers emphasizing that employers are prohibited from engaging in these practice.
Nikolai de Koning
Nikolai de Koning is a financial services lawyer (advocaat) based in Amsterdam. Nikolai is experienced in financial services and banking law, as well as in data privacy (protection). He is experienced in advising on regulatory and compliance aspects relevant to financial institutions, such as insurance companies, investment firms, clearing institutions and central counterparties. Nikolai also advises on Dutch licence and notification requirements and he assists companies in their licence or notification processes with the Dutch financial regulators. He also specialises in privacy issues arising out of online products, data protection and e-commerce.
Dutch Data Protection Authority publishes consultation version of guidelines on breach notice law
On the heels of the enactment of the Dutch breach notice law, the Dutch Data Protection Authority (CBP) published a consultation document with draft guidelines on the breach notice obligation of data controllers in the Netherlands. Under the law, data controllers are required to provide notice of data breaches to the CBP and, under certain circumstances, to the affected individuals. This obligation will take effect on January 1, 2016. The guidelines define a data breach as a security incident that has, or poses a significant risk of having, serious adverse consequences for the protection of personal data.
Breach notice law in the Netherlands takes effect on 1 January 2016
Today the Royal Decree setting the date of entry into force of the Bill on Notification of data leaks was published. The law will take effect on 1 January 2016 and introduces an obligation on data controllers in the Netherlands…
Breach notice becomes law in the Netherlands; 11 things to know
On 26 May 2015, the Dutch Senate passed the Bill on Notification of data leaks. The law imposes an obligation on “data controllers” (the persons or entitis that determine the purpose of and means for processing personal data) in the Netherlands to notify the Dutch Data Protection Authority (CBP) and affected individuals. The law may require data controllers to update agreements with their data processor to account for breach notice obligations. The law also increases fines for violations of the Dutch Data Protection Act (DPA) to up to €810,000 or 10% of the company’s net annual turnover. Both data controllers and data processors (who may be deemed “accomplices” in the breach) may be subject to the fines.
Cybersecurity incident notification bill introduced in the Netherlands
On January 22, 2015, the Netherlands proposed legislation introducing breach notification requirements for critical infrastructure industries, including utilities (electricity, gas and drinking water), telecom, financial services, government (surface-water management bodies) and transport (main ports Rotterdam and Schiphol airport).
The proposed law would require notification in the event of a breach of security or loss of integrity of electronic information systems that are of vital importance to Dutch society (ICT Breaches). Stakeholders have been invited to comment on the Data Processing and Notification Obligation Cybersecurity Act (Wet gegevensverwerking en meldplicht cybersecurity) before March 6, 2015. The bill introduces an obligation to notify the Minister of Security and Justice in the event of an ICT Breach. Notifications would need to be submitted to the Dutch National Cyber Security Centre (National Cyber Security Centrum, the NCSC), a specialized department within the Ministry of Security and Justice.