The Netherlands – More stringent data protection law and a DPA that is ready to act in 2016
Published 1 February 2016
What does this cover?
The start of 2016 has brought many important data protection developments in the Netherlands.
DPA name change
The name of the Dutch DPA will change from ‘college’ (previously the ‘College bescherming persoonsgegevens’) to ‘authority’ (from 1 January 2016 the ‘Autoriteit persoonsgegevens’). With this name change comes more stringent legislation and an increase in powers.
DPA given new powers to fine
On 1 January 2016 an extension to the Dutch Data Protection Act (the Act) came into force. It equips the newly named DPA with the competence to impose administrative fines of up to EUR 820,000 or 10% of yearly revenue for violations of certain provisions of the Act. Previously the DPA could only impose penalties after warning the offender in advance. This restriction remains to some extent, as the DPA may only impose fines without any warning in the case of an intentional breach or gross negligence by an organisation. In all other cases the DPA still needs to issue a ‘binding instruction’ before it has jurisdiction to fine.
DPA guidance on fines
In December 2015 we reported on the contents of the DPA’s draft guidelines explaining how it intends to enforce its new fining powers. The final guidelines have since been published and are not significantly different. This means the DPA first determines a ‘basic fine’ within the fine bandwidth to which the violation concerned is attributed. Depending upon several factors, the DPA may further increase or decrease this ‘basic fine’. The ability to fine may be particularly troublesome for companies that transfer data to the United States following the invalidation of the Safe Harbor regime.
Data breach notifications
Finally, the extended Act now includes a duty to notify certain data breaches to the DPA and affected data subjects. Notifications need to be made ‘without undue delay’ where the data breach is likely to have serious detrimental consequences for the protection of personal data. If the breach involves sensitive personal data, notification will always be a requirement. However, the data controller does not have to notify every data breach or security incident. For example, it does not need to notify the data subjects if it has taken security measures which render the personal data incomprehensible or inaccessible to those who are not authorised to take note of them. The DPA has also published guidelines on how it interprets the new data breach notification legislation; these take into account the latest version of the GDPR, stating that a data breach should be notified to the DPA no later than 72 hours after its discovery.
The above means that any organisation whose activities fall under the Act should as a minimum requirement:
- implement technical and organisational security measures to prevent data breaches wherever possible;
- update data processing agreements with suppliers in order to fulfil new data breach notification duties;
- create awareness and provide training among employees, sub-contractors and other third parties for detecting data breaches; and
- establish a plan that enables the organisation to notify detected data breaches to the DPA and data subjects in time.
Article submitted by Nicole Wolters Ruckert and Leonie von Sloten – Kennedy Van der Laan – Amsterdam, The Netherlands
What action could be taken to manage risks that may arise from this development?
Organisations operating in the Netherlands should take any necessary measures to ensure they are compliant with the new, more stringent legislation, in order to reduce the likelihood of increased enforcement action by the Dutch DPA.