The Dutch Data Protection Authority issued a EUR 830,000 (approximately USD 937,000) fine against the Dutch Credit Registration Bureau for violating data subject rights. The fine stems from BKR’s practice of charging fees and discouraging individuals who wanted to access their personal data.
The Dutch Data Protection Authority recently imposed a fine of EUR 525,000 on the Royal Dutch Tennis Association for sharing the personal data of its members with two of its sponsors in June 2018 on the basis of its commercial legitimate interests. In this blogpost, we describe the main implications of the Dutch DPA’s fine and interpretation of legitimate interests – which could affect processing activities of commercial organizations throughout Europe.
In the wake of a recent announcement by a major Dutch bank that it would start providing its customers with personalized advertisements based on their spending patterns, the Dutch Data Protection Authority (DPA) has sent a letter to all Dutch banks urging them to thoroughly review their direct marketing practices. The DPA specifically asked any bank contemplating the use of transaction data for direct marketing to reconsider. In its analysis, the DPA may have introduced a very onerous obligation to re-collect personal data for every single use.
On 19 March 2019, the Dutch Senate approved legislation introducing collective damages actions in the Netherlands (the “Legislation”) which will broaden the regime even further. The Legislation introduces an option to claim monetary damages in a “US style” class action, including for violations of the GDPR. This Legislation together with the mechanisms already available under […]
On 14 March 2019, the Dutch data protection authority announced its fining structure for violations of the European General Data Protection Regulation and the Dutch law implementing the GDPR.
On 7 March 2019 the Dutch Data Protection Authority published guidance that it considers “cookie walls” to violate the GDPR. A cookie wall is a pop-up on a website that blocks a user from access to the website until he or she consents to the placing of tracking cookies or similar technologies. Under current Dutch cookie law, functional and analytical cookies can be used without consent. Tracking cookies like those used for advertising may only be used if a visitor has given consent. According to the Dutch DPA, the use of a cookie wall results in a “take it or leave it” approach. The Dutch DPA explains that this practice is not compliant with the GDPR as consent resulting from a cookie wall is not freely given, because withholding consent has negative consequences for the user as the user is not allowed access to the website.
Profiling and Big Data analytics are set to play a pivotal role in the growth of the digital economy. From cookie-based tracking to people’s interaction through social media, the size and the degree of granularity of our digital footprints have created unprecedented opportunities for business development and service delivery. The scale of data collection, data sharing and data analysis has not gone unnoticed to public policy makers and this has led to the inclusion of special rules addressing profiling in the Regulation. In fact, from the point of view of those businesses seeking to benefit from data analytics, the provisions dealing with profiling are likely to become the most crucial aspect of the entire Regulation. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
On 26 May, the Netherlands First Chamber passed a bill requiring companies to notify the Dutch Data Protection Authority and affected individuals of certain breaches of personal data. As we reported earlier this year, when the bill becomes law, it will be mandatory for all types of data controllers to provide these breach notifications. Failure to notify will be punishable by a maximum fine of 810,000 euros or 10% of the company’s annual turnover (i.e., revenue), whichever is greater. Importantly, the fines may not be limited only to a company’s revenue in the Netherlands, but could be calculated based on its global revenue. Companies should be aware of these increased sanctions and new mandatory notification requirements when addressing a data breach that may involve the personal data of Dutch citizens.
Recently, new rules on cookies came into force in the Netherlands. In addition, the Dutch Second Chamber approved a draft bill to introduce a mandatory data breach notification requirement and to strengthen the Dutch Data Protection Authority’s investigative and fining powers. The new rules apply to all companies acting as a “data controller” within the meaning of the Dutch Data Protection Act. The Dutch First Chamber has announced that it plans to review this draft bill as soon as possible.
On 12 March 2014, the European Parliament voted overwhelmingly in favour of the European Commission’s data protection reform with 621 votes for, 10 against, and 22 abstentions for the proposed General Data Protection Regulation. The vote is significant because it confirms the approval of the European Parliament, one of the required participants in the s0-calle “trilogue” process along with the Commission and the Council, which will not change even if the composition of the Parliament changes following the European elections in May.