On January 29, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a report (in Dutch) on the personal data breach notifications received in 2018 (the “Report”). The EU General Data Protection Regulation (the “GDPR”) requires data controllers to notify a personal data breach to the competent Data Protection Authority (“DPA”) within 72 hours after becoming aware of it. In the Netherlands, this breach notification requirement has been in place since January 1, 2016. However, the GDPR imposed additional requirements, including: providing certain information in a breach notification; data controllers’ mandatory obligation to notify affected individuals if the breach is likely to result in a high risk to the rights and freedoms of those individuals; companies duty to document any personal data breaches.

Continue Reading Dutch DPA Publishes 2018 Report on Data Breach Statistics

On January 16, 2019, the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (the “Dutch DPA”), announced that it had requested 30 private organizations provide information about the agreements they have with other entities that process personal data on their behalf. The Dutch DPA indicated that the targeted organizations are mainly in energy, media and trade sectors.

Continue Reading Dutch DPA Investigates the Data Processing Agreements of 30 Organizations

On December 13, 2018, the Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”) (the “Dutch DPA”) published a report on the complaints it has received since the EU General Data Protection Regulation (“GDPR”) became applicable on May 25, 2018 (the “Report”). The GDPR gives data subjects the right to lodge a complaint with the relevant national supervisory authority when they believe that their personal data is processed in a way violative of the GDPR (see article 77 of the GDPR).

View the Report and the press release (in Dutch).

Continue Reading Dutch DPA Publishes Post-GDPR Complaints Report

On November 29, 2017, the EU’s Article 29 Working Party (”Working Party”) announced the establishment of a task force to coordinate the plethora of national investigations throughout the EU into Uber’s 2016 data breach that affected approximately 57 million users worldwide. The task force is being led by the data protection authority (”DPA”) in the Netherlands, where Uber has its EU headquarters, and includes representatives from the DPAs in France, Italy, Germany, Belgium, Spain and the United Kingdom. Continue Reading EU Data Protection Authorities Establish Task Force to Collaborate on Uber Data Breach

On November 23, 2016, Bloomberg BNA reported that the Hague Administrative Court in the Netherlands upheld a decision by the Dutch Data Protection Authority that WhatsApp was in breach of the Dutch Data Protection Act (the “Act”) on account of its alleged failure to identify a representative within the country responsible for compliance with the Act, despite the processing of personal data of Dutch WhatsApp users on Dutch smartphones. WhatsApp reportedly faces a fine of €10,000 per day up to a maximum of €1 million.

On May 23, 2016, half of the EU Member States sent a letter to the European Commission and the Netherlands (which holds the rotating presidency), seeking the removal of barriers to the free flow of data both within and outside the EU to benefit the EU from new data-driven technologies, according to Reuters and EurActive.com. Continue Reading EU Member States to European Commission: Remove Barriers to Data Flows

On January 1, 2016, a Dutch law became effective that (1) includes a general obligation for data controllers to notify the Data Protection Authority (“DPA”) of data security breaches, and (2) authorizes the DPA to impose direct fines for violations of the Data Protection Act.

Continue Reading Dutch Law Includes General Data Breach Notification Obligation and Larger Fines for Violations of the Data Protection Act

On February 3, 2015, the Article 29 Working Party (“Working Party”) published a report on a sweep of 478 websites across eight EU Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom). The sweep was conducted to assess compliance with Article 5.3 of the e-Privacy Directive 2002/58/EC, as amended by 2009/136/EC.

Continue Reading Article 29 Working Party Reports on Cookie Sweep Results

On June 6, 2011, Hunton & Williams hosted a panel discussion on what organizations in the UK, France, Germany and the Netherlands are doing to comply with the EU’s new cookie law.  The webinar, Consent for Cookies: Preparing for the EU Cookie Law, featured David Evans, Group Manager of Business and Industry of the UK Information Commissioner’s Office, and Hunton & Williams Brussels-based associates Olivier Proust, Dr. Jörg Hladjk and Martijn ten Bloemendal.  The panel was moderated by Bridget C. Treacy, partner in the London office of Hunton & Williams.  Listen to the webinar now.