Privacy law: summer update 2017

After the year-end update in December 2016, our Taskforce Privacy Law now looks back at the first half of 2017. Which developments stand out from the previous six months? Ovidius brings you up to speed in this summer update.

10 January 2017: draft text ePrivacy Regulation is published

At the beginning of this year, the European Commission published a draft text for a new ePrivacy Regulation, intended to harmonize privacy legislation with respect to electronic communications. For now, the aim is to have the ePrivacy Regulation enter into force simultaneously with the General Data Protection Regulation (“Privacy Regulation”). Read more on the draft text in our newsflash.

Recently, the European data protection authorities, convened in the Article 29 Working Party (the “WP29”), severely criticized the draft text. In their opinion, the ePrivacy Regulation undermines the level of protection offered under the Privacy Regulation. We have dedicated a separate newsflash to the WP29.

13 April 2017: one year to the Privacy Regulation

In less than one year from now, the Privacy Regulation will enter into force. Organizations have, therefore, approximately 11 months to implement the necessary changes in their daily business. To assist organizations and to provide clarification to certain requirements of the Privacy Regulation, the WP29 regularly publishes guidelines. For example, recently the WP29 published a guideline on the appointment of a Data Protection Officer. Read more on these guidelines in this update and more on the Privacy Regulation here.

The internet consultation for the implementation Act, by means of which the Privacy Regulation will be implemented into Dutch legislation, was completed on 20 January last. The definitive text of the implementation Act has not yet been made public. In the meantime, the Dutch Data Protection Authority published a ten-step plan that can be used to bring your organization up to speed. Ovidius gladly discusses with you what (further) steps can or should be taken in anticipation of 25 May 2018.

10 May 2017: notifications on data breaches in the first three months of 2017

On 10 May 2017, the Dutch Data Protection Authority made public certain information on notifications of data breaches in the first quarter of 2017. Between January and March, over 2300 data breaches were reported, and the Data Protection Authority initiated 135 investigations. Most of the investigated organizations only received a warning. No fines were issued in the first three months of this year.

1 June 2017: Dutch Data Protection Authority needs more capacity

The Privacy Regulation presents challenges not only to organizations, but also to the Dutch Data Protection Authority itself. A report was issued to chart the necessary changes that the Dutch Data Protection Authority will have to implement in order to be prepared for May 2018. The main conclusion of the report is that the new (European) legislation provides such a significant addition to the tasks already entrusted to the Data Protection Authority that its current capacity will be insufficient to carry them all out. The Dutch Data Protection Authority will, therefore, require substantial funds to increase its capacity to the required level. The report was presented to the department of justice on 6 April 2017 and was forwarded to the Dutch House of Representatives on 1 June 2017.

8 June 2017: WP29 publishes opinion on data processing at work

Last month, the WP29 published an opinion in which it assesses the balance between the legitimate interests of employers and the reasonable privacy expectations of employees. Although it primarily focuses on the currently applicable Data Protection Directive, the opinion also takes into account the Privacy Regulation. Among other things, the WP29 discusses ICT usage at and outside the workplace, processing operations relating to time and attendance, disclosure of employee data to third parties and international transfers of HR and other employee data. We will discuss the opinion in more depth in a separate newsflash.

What can Ovidius do for you?

The new and ever-changing legislation on privacy requires companies not only to scrutinize their contracts with third parties, but also to implement all necessary amendments to their own business operations. This may vary from drawing up a privacy statement for your corporate website to implementing a protocol to report data breaches. Ovidius will gladly provide you with the necessary assistance, varying from drafting privacy statements to setting up protocols for notifying data breaches. In the past period, we have, among other things, done the following:

  • advised on the applicability of certain legislation pertaining to data protection;
  • advised on the appointment and registration of a Data Protection Officer;
  • assisted and drafted data processing agreements between clients and third parties;
  • drafted privacy statements and cookie policies;
  • set up protocols for video monitoring in the office and monitoring of the use of internet and e-mail;
  • set up a data breach protocol;
  • drafted a consent form for employees regarding the processing of their personal data;
  • provided advice regarding requests for the correction or removal of personal data.

 
