2016 accounted for a real turning point in privacy legislation. In 2016, the mandatory requirement to report data breaches came into force, the General Data Protection Regulation (Algemene Verordening Gegevensbescherming, “AVG”) was adopted, the European Court of Justice ruled that Member States are not authorised to impose general retention requirements on (communication) data, and the EU-US Privacy Shield was agreed on. All this might seem very distant to you, but for many companies, these new rules come with new obligations. At Ovidius, a Taskforce Privacy Law conveys regularly to discuss the most recent developments regarding privacy law. Their insights are at your disposal on our dedicated webpage ‘Privacy law update ‘. This article briefly touches on a number of relevant topics. Other news flashes elaborate further on these subjects.
Back to the basics: what is Privacy law?
The foundation of Dutch privacy law lies within several treaties and also within the Dutch Constitution. In short, these documents stipulate that everyone’s personal lives are to be respected, hence, one has a ‘right to privacy’. In 1995, the
- Personal data may only be processed in accordance with the law, and in a proper and diligent manner;
- Personal data may be collected for specified, explicitly pre-defined and legitimate objectives only. This data may, subsequently, also only be processed for purposes in consistence with those objectives;
- The individual whose personal data is processed (the “data subject”) should, at least be aware of the identity of the organisation or person processing the personal information (the “controller”), as well as to what purpose the data is processed;
- Personal data must be protected in an appropriate manner. Sensitive personal information, such as race, health and religion, is subject to even more stringent rules;
The Wbp was revised as recent as 1 January 2016. One of the most significant amendments relates to the national regulator, the Data Protection Authority (previously College bescherming persoonsgegevens, presently
1 January 2016: mandatory requirement to report data breaches effective
As of 1 January 2016, it is also mandatory to report data breaches. In the period prior to this, late 2015, the DPA published
25 May 2016: the European Privacy Regulation effective
On 25 May 2016, the General Data Protection Regulation (Algemene Verordening Gegevensbescherming, “Privacy Regulation”) came into effect. As of 25 May 2018, this directive substitutes the aforementioned Privacy Directive. Consequently, companies have until then to adapt their operations in line with this Privacy Regulation. More information provided by Ovidius on the Privacy Regulation can be found
1 August 2016: EU-US Privacy Shield into effect
According to the Privacy Directive, personal data may only be transferred to countries outside of the EU if the country in question offers ‘an adequate level of protection’ of personal data; this means that countries that have not implemented the Privacy Directive into their national legislation, must be able to ensure that the level of protection of personal data offered is at least at the same level as within the EU. The level of protection offered by the United States is considered inadequate. Therefore, in 2000, the European Commission and the American government formally agreed to the ‘Safe Harbour principles’. This scheme enabled American companies to comply with the directive through self-certification, whereby, consequently, they did offer an adequate level of protection. On
12 December 2016: end of directive on retention requirements of communication data
In Europe, until 8 April 2014, a directive on the retention of communication data was effective. In a ruling in a case filed by Digital Rights Ireland, the European Court of Justice
What can Ovidius do for you?
The new and ever changing legislation on privacy not only requires companies to scrutinize their contracts with third parties, but also to implement all necessary amendments to their own business operations. This may vary from drawing up a privacy statement for your corporate website, to implementing a protocol to report data breaches. Ovidius will gladly help you with advice and in legal proceedings. Ovidius has, for example, expertise in:
- Providing advice on relevant rules and regulations on the protection of personal data;
- Verifying if your organisation complies with privacy rules and regulations;
- Drafting a privacy policy for your organisation;
- Helping you to come to proper (contractual) agreements on the protection and processing of personal information with your business partners and any third parties you may enlist;
- Advising on international data transfers (for example, with suppliers, or within your global organisation);
- Drafting a privacy disclaimer or cookie policy;
- Drafting a protocol for camera surveillance in the office;
- Drafting a protocol for (supervising) the usage of internet and email;
- Drafting a protocol for data breaches;
- Drafting a consent form to process personal data of your employees;
- Advising on requests to provide data to beneficiaries or to judicial departments;
- Advising on privacy related matters when developing new products or services; and
- Providing legal support in legal proceedings arising from a dispute with a data subject (such as a customer or employee), or in case the Data Protection Authority enforces its authority.