After the year-end update in December 2016, our Taskforce Privacy Law now looks back at the first half of 2017. Which developments stand out from the previous six months? Ovidius brings you up to speed in this summer update.
10 January 2017: draft text ePrivacy Regulation is published
At the beginning of this year, the European Commission published a draft text for a new ePrivacy Regulation, intended to harmonize privacy legislation with respect to electronic communications. For now, the aim is to have the ePrivacy Regulation enter into force simultaneously with the General Data Protection Regulation (“Privacy Regulation”). Read more on the draft text in our
Recently, the European data protection authorities, convened in the Article 29 Working Party (the “WP29”), severely criticized the draft text. In their opinion, the ePrivacy Regulation undermines the level of protection offered under the Privacy Regulation. We have dedicated a separate
13 April 2017: one year to the Privacy Regulation
In less than one year from now, the Privacy Regulation will enter into force. Organizations have, therefore, approximately 11 months to implement the necessary changes in their daily business. To assist organizations and to provide clarification to certain requirements of the Privacy Regulation, the WP29 regularly publishes guidelines. For example, recently the WP29 published a guideline on the appointment of a Data Protection Officer. Read more on these guidelines in
The internet consultation for the implementation Act, by means of which the Privacy Regulation will be implemented into Dutch legislation, was completed on 20 January last. The definitive text of the implementation Act has not yet been made public. In the meantime, the Dutch Data Protection Authority published a
10 May 2017: notifications on data breaches in the first three months of 2017
On 10 May 2017, the Dutch Data Protection Authority made public certain information on notifications of data breaches in the first quarter of 2017. Between January and March, over 2300 data breaches were reported, and the Data Protection Authority initiated 135 investigations. Most of the investigated organizations only received a warning. No fines were issued in the first three months of this year.
1 June 2017: Dutch Data Protection Authority needs more capacity
The Privacy Regulation not only presents challenges to organizations, but also to the Dutch Data Protection Authority itself. A report was issued to chart the necessary changes that the Dutch Data Protection Authority will have to implement in order to be prepared for May 2018. The main
8 June 2017: WP29 publishes opinion on data processing at work
Last month, the WP29 published an opinion in which it assesses the balance between the legitimate interests of employers and the reasonable privacy expectations of employees. Although it primarily focuses on the currently applicable Data Protection Directive, the opinion also takes into account the Privacy Regulation. Among other things, the WP29 discusses ICT usage at and outside the workplace, processing operations relating to time and attendance, disclosure of employee data to third parties and international transfers of HR and other employee data. We will discuss the opinion in more depth in a separate news flash.
What can Ovidius do for you?
The new and ever-changing legislation on privacy not only requires companies to scrutinize their contracts with third parties, but also to implement all necessary amendments to their own business operations. This may vary from drawing up a privacy statement for your corporate website, to implementing a protocol to report data breaches. Ovidius will gladly provide you with the necessary assistance, varying from drafting privacy statements to setting up protocols for notifying data breaches. In the past period, we have, among other things, done the following:
- advised on the applicability of certain legislation pertaining to data protection;
- advised on the appointment and registration of a Data Protection Officer;
- assisted with and drafted data processing agreements between clients and third parties;
- drafted privacy statements and cookie policies;
- set up protocols for video monitoring in the office and monitoring of the use of internet and e-mail;
- set up a data breach protocol;
- drafted a consent form for employees regarding the processing of their personal data;
- provided advice regarding requests for the correction or removal of personal data.