Published 1 February 2016
The start of 2016 has brought many important data protection developments in the Netherlands.
The name of the Dutch DPA will change from ‘college’ (previously the ‘College bescherming persoonsgegevens’) to ‘authority’ (from 1 January 2016 the ‘Autoriteit persoonsgegevens’). With this name change comes more stringent legislation and an increase in powers.
On 1 January 2016 an extension to the Dutch Data Protection Act (the Act) came into force. It equips a newly named DPA with the competence to impose administrative fines of up to EUR 820,000 or 10% of yearly revenue for violations of certain provisions of the Act. Previously the DPA could only impose penalties after warning the offender in advance. This restriction remains to some extent as the DPA may only impose fines without any warning in the case of intentional breach or gross negligence by an organisation. In all other cases the DPA still needs to issue a ‘binding instruction’ before it has jurisdiction to fine.
In December 2015 we reported on the contents of the DPA’s draft guidelines explaining how it intends to enforce its new fining powers. The final guidelines have since been published and are not significantly different. This means the DPA first determines a ‘basic fine’ within the bandwidth to which the violation concerned is attributed. Depending upon several factors, the DPA may then increase or decrease this ‘basic fine’. The ability to fine may be particularly troublesome for companies that transfer data to the United States following the invalidation of the Safe Harbor regime.
Finally, the extended Act now includes a duty to notify certain data breaches to the DPA and affected data subjects. Notifications need to be made ‘without undue delay’ where the data breach is likely to have serious detrimental consequences for the protection of personal data. If the breach involves sensitive personal data, notification will always be a requirement. However, the data controller does not have to notify each data breach or security incident. For example, it does not need to notify the data subject if it has taken security measures which render the personal data incomprehensible or inaccessible for those who are not authorised to take note of them. The DPA has also published guidelines on how it interprets the new data breach notification legislation. These guidelines take into account the latest version of the GDPR and state that a data breach should be notified to the DPA no later than 72 hours after its discovery.
The above means that any organisation whose activities fall under the Act should as a minimum requirement:
Article submitted by Nicole Wolters Ruckert and Leonie von Sloten – Kennedy Van der Laan – Amsterdam, The Netherlands
Organisations operating in the Netherlands should take any necessary measures to ensure they are compliant with the new, more stringent legislation to prevent the possibility of increased enforcement actions by the Dutch DPA.