Category: The Netherlands

Dutch Data Protection Authority: Randomly selected companies will be subject to GDPR-compliance investigations

31. July 2018

This month, the Data Protection Authority (DPA) of the Netherlands has launched an investigation according to Art. 57 (1) a GDPR which obliges the supervisory authorities to “monitor and enforce compliance” with the EU General Data Protection Regulation (GDPR). The Dutch DPA thereby verifies compliance with Art. 30 GDPR (records of processing activities) in 30 randomly selected large companies of the private sector (i.e. which have more than 250 employees) rooted in 10 different branches: industry, water supply, construction, retail, hospitality, travel, communications, finance, business services, and health care across the Netherlands. Its investigative powers in terms of this investigation derive from Art. 58 (1) a GDPR which enables the DPAs “to order the controller and the processor, and, where applicable the controller’s or the processor’s representative, to provide any information the supervisory authority requires for the performance of its tasks”.

For those investigations it is not necessary that a complaint has been lodged or any other indication of non-compliance occurs. In particular, the Dutch DPA regularly carries out such “ex officio” investigations focusing on certain enforcement priorities depending on the sector or the topic. With their investigation strategy they aim to focus on the compliance with certain requirements of the GDPR that may typically create adequate safeguards in organizations to issue and maintain compliance with the general Principles of the GDPR (Art. 5 et seqq GDPR).

Therefore, the authorities decided for the private sector that the records of processing activities (Art. 30 GDPR) are the key drivers for GDPR compliance, since these records eventually enable an organization knowing about what personal data they process and for which purposes. Since the results of the investigation will most probably be published anonymously (e.g. numbers and other details of the violation in specific sectors), they might hope to create a ripple effect on other organizations of the respective sectors.

A prediction of the crucial penalties that may be the result of this “ex officio” investigations of the Dutch DPA is basically not possible, as the organizations involved and the state of their GDPR compliance are unknown. But it might be interesting that the Dutch DPA is also allowed to issue a so-called “enforcement notice under penalty” according to the Dutch GDPR Execution Act if an organization has been established non-compliant. This enforcement notice can contain an order for the respective organization to comply and demonstrate compliance within a fixed time frame. For each day or week that they fail to comply with such an order, a fixed penalty may apply.

Such an enforcement order may be issued in the event of a violation of Art. 30 GDPR that is not likely to result in a risk for the data subjects. Where the investigation shows that non-compliance may result in a risk for the freedoms and rights of the data subjects or is potentially deemed unfair, the penalty could also result in the maximum category of possible fines.

 

Category: GDPR · The Netherlands

WhatsApp required to appoint a representative in The Netherlands

16. December 2016

Background

On the 22nd November, the Administrative Court of the Hague confirmed the fine imposed by the Dutch DPA to WhatsApp. In 2012, the Dutch DPA investigated WhatsApp because it had not yet appointed a representative in the Netherlands, according to current Dutch Data Protection legislation. As WhatsApp had still not complied with its obligation to appoint a representative in the EU in 2014, it imposed a fine of 10.000€ for each day of non-compliance.

The Dutch DPA remarked that WhatsApp had the obligation to appoint a representative in The Netherlands because it acted as Data Controller, as it was processing personal data of Dutch citizens. When a user searched for a contact in order to send a WhatsApp message to this contact, WhatsApp accessed this information and stored it in its U.S. servers. Therefore, WhatsApp had to be considered as a data controller in terms of the EU Directive on Data Protection and the Dutch Data Protection Act.

Current situation according to the EU Directive

The Dutch Administrative Court based its argumentation on the following key aspects:

  • WhatsApp is a controller, as already admitted by the company at oral argument.
  • The equipment used by Dutch data subjects, this is the mobile device, is located in Dutch territory. Moreover, according to previous positions of the WP 29 and other EU Courts, mobile devices are also considered as equipment in terms of data processing.
  • WhatsApp argued that Dutch Data Protection Act imposes additional requirements than those imposed by the EU Directive, so that a representative appointed by a data controller has also to comply with the Dutch Data Protection Act. However, the Dutch Court clarified that the extension of the responsibility of the Data Controller to the representative aims at filling legal gaps regarding the application of the data protection principles. The Court also specified that an agreement between the data controller and the representative may be needed in these cases, in order to agree on liability issues.
  • WhatsApp also argued that it should have been requested to appoint just one representative in the EU, as foreseen in the GDPR. The Dutch Administrative Court pointed out that WhatsApp had no representative in any other EU Member State.
  • Finally, WhatsApp alleged that it could not find a party willing to asume this role, but the Court rejected this argument as it has no legal basis.

Will this change with the GDPR?

With the GDPR the requirement to appoint a representative in the EU will change in two ways:

  • Also processors will be subject to this obligation
  • it will be possible to appoint one single representative for all the EU operations.

Under the GDPR it will be mandatory to appoint a representative for those controllers or processors who are based in a third country and they offer goods or services to data subjects in the EU or if behavior monitoring of these data subjects takes place in the EU.

Moreover, the GDPR distinguishes between the representative and the role of the DPO. The requirements to appoint each of them are different but it may occur that a company is obliged to appoint both, only a representative, or a DPO.

The new Dutch data breach notification obligation: 1.500 notifications in 2016

17. May 2016

From the 1st January 2016, data controllers located in The Netherlands are obliged to notify serious data breaches according to the Amendment made to Art. 34 of the current Dutch Data Protection Act. This obligation implies:

  • Notifying the Dutch DPA in the cases where there is a considerable probability that the breach hast serious adverse effects on the privacy if the affected individuals; and
  • Notifying the data subjects affected if there is a considerable probability that the privacy of the data subject is negatively affected.

According to a representative of the Dutch DPA, already 1.500 data breach notifications have been received since the new rule entered into force. This is not surprising for the Dutch DPA, as currently more than 130.000 organizations located in the Netherlands are subject to the data breach notification obligation. However, the Dutch DPA suspects that the number of occurred data breaches is actually higher.

In order to review the notifications, the Dutch DPA has implemented a software that separates the notifications that require action from the DPA from those that do not require additional action. The ones that do not require additional action are archived for future references, while the formers are further examined by the Dutch DPA. Nevertheless, the DPA has examined all received notifications, in order to identify the main sources of data breaches, which result to be based on one of the following reasons:

  • Loss of devices that were not encrypted; or
  • Disposal of information without observing adequate security measures, such as the use of a shredder or the disposal in locked containers; or
  • Insecure transfer of information, especially related to sensitive data; or
  • The access by unauthorized third parties to data bases and personal data.

This shows that most of data breaches occur because organizations do not implement adequate technical and organizational security measures or they do not follow the existing obligations regarding IT security and data protection, or employees are not trained in theses aspects.

Moreover, two-thirds of the reports were subject to a further investigation by the Dutch DPA and actions have been already taken against around 70 organizations. Also, in some cases additional information was required from the organization or the individuals had to be notified about the data breach. Information to data subjects is required if sensitive personal data is affected by the breach, the Dutch DPA has enumerated some of the data categories that are included in the definition of sensitive personal data: financial information, data that may lead to an stigmatization or exclusion of the data subject, user names, passwords or data that can be misused for identity fraud.

The new GDPR also regulates the obligation to notify data breaches. According to the Regulation, the DPA should be always notified, unless it is unlikely that the breach results in a risk for the privacy of data subjects. Furthermore, data subjects should be directly notified if the breach could result in a high risk for their privacy, so that the regulation of data breaches in the GDPR is stricter than that in The Netherlands regarding the notification to data subjects.