Category: The Netherlands

WhatsApp required to appoint a representative in The Netherlands

16. December 2016


On the 22nd November, the Administrative Court of the Hague confirmed the fine imposed by the Dutch DPA to WhatsApp. In 2012, the Dutch DPA investigated WhatsApp because it had not yet appointed a representative in the Netherlands, according to current Dutch Data Protection legislation. As WhatsApp had still not complied with its obligation to appoint a representative in the EU in 2014, it imposed a fine of 10.000€ for each day of non-compliance.

The Dutch DPA remarked that WhatsApp had the obligation to appoint a representative in The Netherlands because it acted as Data Controller, as it was processing personal data of Dutch citizens. When a user searched for a contact in order to send a WhatsApp message to this contact, WhatsApp accessed this information and stored it in its U.S. servers. Therefore, WhatsApp had to be considered as a data controller in terms of the EU Directive on Data Protection and the Dutch Data Protection Act.

Current situation according to the EU Directive

The Dutch Administrative Court based its argumentation on the following key aspects:

  • WhatsApp is a controller, as already admitted by the company at oral argument.
  • The equipment used by Dutch data subjects, this is the mobile device, is located in Dutch territory. Moreover, according to previous positions of the WP 29 and other EU Courts, mobile devices are also considered as equipment in terms of data processing.
  • WhatsApp argued that Dutch Data Protection Act imposes additional requirements than those imposed by the EU Directive, so that a representative appointed by a data controller has also to comply with the Dutch Data Protection Act. However, the Dutch Court clarified that the extension of the responsibility of the Data Controller to the representative aims at filling legal gaps regarding the application of the data protection principles. The Court also specified that an agreement between the data controller and the representative may be needed in these cases, in order to agree on liability issues.
  • WhatsApp also argued that it should have been requested to appoint just one representative in the EU, as foreseen in the GDPR. The Dutch Administrative Court pointed out that WhatsApp had no representative in any other EU Member State.
  • Finally, WhatsApp alleged that it could not find a party willing to asume this role, but the Court rejected this argument as it has no legal basis.

Will this change with the GDPR?

With the GDPR the requirement to appoint a representative in the EU will change in two ways:

  • Also processors will be subject to this obligation
  • it will be possible to appoint one single representative for all the EU operations.

Under the GDPR it will be mandatory to appoint a representative for those controllers or processors who are based in a third country and they offer goods or services to data subjects in the EU or if behavior monitoring of these data subjects takes place in the EU.

Moreover, the GDPR distinguishes between the representative and the role of the DPO. The requirements to appoint each of them are different but it may occur that a company is obliged to appoint both, only a representative, or a DPO.

The new Dutch data breach notification obligation: 1.500 notifications in 2016

17. May 2016

From the 1st January 2016, data controllers located in The Netherlands are obliged to notify serious data breaches according to the Amendment made to Art. 34 of the current Dutch Data Protection Act. This obligation implies:

  • Notifying the Dutch DPA in the cases where there is a considerable probability that the breach hast serious adverse effects on the privacy if the affected individuals; and
  • Notifying the data subjects affected if there is a considerable probability that the privacy of the data subject is negatively affected.

According to a representative of the Dutch DPA, already 1.500 data breach notifications have been received since the new rule entered into force. This is not surprising for the Dutch DPA, as currently more than 130.000 organizations located in the Netherlands are subject to the data breach notification obligation. However, the Dutch DPA suspects that the number of occurred data breaches is actually higher.

In order to review the notifications, the Dutch DPA has implemented a software that separates the notifications that require action from the DPA from those that do not require additional action. The ones that do not require additional action are archived for future references, while the formers are further examined by the Dutch DPA. Nevertheless, the DPA has examined all received notifications, in order to identify the main sources of data breaches, which result to be based on one of the following reasons:

  • Loss of devices that were not encrypted; or
  • Disposal of information without observing adequate security measures, such as the use of a shredder or the disposal in locked containers; or
  • Insecure transfer of information, especially related to sensitive data; or
  • The access by unauthorized third parties to data bases and personal data.

This shows that most of data breaches occur because organizations do not implement adequate technical and organizational security measures or they do not follow the existing obligations regarding IT security and data protection, or employees are not trained in theses aspects.

Moreover, two-thirds of the reports were subject to a further investigation by the Dutch DPA and actions have been already taken against around 70 organizations. Also, in some cases additional information was required from the organization or the individuals had to be notified about the data breach. Information to data subjects is required if sensitive personal data is affected by the breach, the Dutch DPA has enumerated some of the data categories that are included in the definition of sensitive personal data: financial information, data that may lead to an stigmatization or exclusion of the data subject, user names, passwords or data that can be misused for identity fraud.

The new GDPR also regulates the obligation to notify data breaches. According to the Regulation, the DPA should be always notified, unless it is unlikely that the breach results in a risk for the privacy of data subjects. Furthermore, data subjects should be directly notified if the breach could result in a high risk for their privacy, so that the regulation of data breaches in the GDPR is stricter than that in The Netherlands regarding the notification to data subjects.