Privacy & Information Security Law Blog

On October 4, 2024, the Court of Justice of the European Union (“CJEU”) issued its judgment in case KNLTB (C‑621/22). In this judgment, the CJEU was called upon to clarify the concept of “legitimate interests” and, in particular, whether purely commercial interests can be considered as legitimate under the EU General Data Protection Regulation (“GDPR”).

On September 3, 2024, the Dutch Data Protection Authority announced a €30.5 million fine against Clearview AI for the processing of personal data related to its biometric data database.

On August 26, 2024, the Dutch Data Protection Authority as lead supervisory authority announced it has imposed a fine of 290 Million Euros on Uber related to a violation of international transfer requirements under the EU General Data Protection Regulation. 

On May 12, 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) imposed a €525,000 fine on Locatefamily.com for failure to comply with the obligation imposed under Article 27 of the EU General Data Protection Regulation (“GDPR”) to appoint a representative in the EU.

On March 31, 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”), announced a fine of €475,000 for Dutch headquartered online travel agency Booking.com for failure to report a data breach within 72 hours of becoming aware of the incident in 2019.

On November 23, 2020, the Dutch District Court of Midden-Nederland (the “Court”) determined that the concept of a legitimate interest for processing is broader than simply being an interest derived from law, overturning a fine by the Dutch data protection authority (the “Dutch DPA”).

On August 27, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced it approved the “Data Pro Code,” a code of conduct drafted by industry association NLdigital (the “Code”). This Code is the first code of conduct approved by the Dutch DPA under the EU General Data Protection Regulation (the “GDPR”). Adhering to the Code will help organizations active in the Information and Communications Technology sector comply with their obligations under the GDPR. The Code includes, among other things, a series of practical GDPR compliance tools, such as the “Data Pro Statement” that companies may use to inform potential customers of the data protection safeguards they have in place.

On July 6, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) imposed a €830,000 fine on the Dutch Credit Registration Bureau (Stichting Bureau Krediet Registration, “BKR”) for non-compliance with Articles 12(2) and 12(5) of the EU General Data Protection Regulation (the “GDPR”) between May 2018 and March 2019.

On July 1, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published its 2019 annual report (the “Report”). The Report shows that in 2019, the Dutch DPA focused on enforcement actions, after having raised awareness about the EU General Data Protection Regulation (the “GDPR”) in 2018. Below are key findings from the Report.

On May 19, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) announced that the Litigation Chamber had imposed a €50,000 fine on a social media provider for unlawful processing of personal data in connection with the “invite-a-friend” function offered on its platform.

On the second anniversary of the EU General Data Protection Regulation (the “GDPR”), the Belgian Data Protection Authority (the “Belgian DPA”) published a Statement with some key GDPR-related numbers (the “Statement”).

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently imposed a €750,000 fine on a company for unlawful processing of employees’ fingerprints for attendance taking and time registration purposes.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently published materials regarding the COVID-19 crisis, including recommendations and FAQs for employers and recommendations for employees. In the materials, the Dutch DPA emphasizes that, while fighting the virus and saving lives is the top priority, privacy must not be overlooked and the crisis should not become a prelude to a “Big Brother” society.

On March 3, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced that it had imposed a €525,000 fine on the Royal Dutch Tennis Association (De Koninklijke Nederlandse Lawn Tennisbond, “KNLTB”) for an illegal sale of personal data.

On September 9, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a report on the privacy complaints it received between January 2019 and June 2019 (the “Report”).

On August 12, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced its intent to approve Nederland ICT’s Data Pro Code (the “Code”), a code of conduct for the ICT sector. Nederland ICT represents data processors from the IT sector. Data processors that process personal data on behalf of and for a data controller can join this code of conduct. The draft decision of the Dutch DPA regarding the Code was published in the Official Journal of the Netherlands (the “Staatscourant”) on August 12 and interested parties have six weeks to submit their opinion on the draft decision.

On July 16, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”), announced that it had imposed a fine of €460,000 on a Dutch hospital, HagaZiekenhuis, for insufficient security measures under Article 32 of the EU General Data Protection Regulation (“GDPR”).

On July 1, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, (the “Dutch DPA”)) announced that it had expanded its guidance on data breaches. The updates aim to answer questions about data breaches received by the Dutch DPA from organizations since 2016.

On April 17, 2019, the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (the “Dutch DPA”) issued six recommendations (in Dutch) for companies, to be taken into account when drafting privacy policies for the purpose of Article 24.2 of the EU General Data Protection Regulation (the “GDPR”). Article 24.2 of the GDPR provides the obligation for data controllers to implement privacy policies for accountability purposes, under certain criteria. The published recommendations follow the Dutch DPA’s investigation of companies’ privacy policies. The investigation focused on companies that process sensitive personal data, including health data and data related to individuals’ political beliefs. Alongside the recommendations, the Dutch DPA released a report (in Dutch) summarizing the investigation’s results.

On March 14, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a press release announcing its policy (in Dutch) for calculating administrative fines (the “Policy”).

The Dutch DPA has the power to impose administrative fines for violations of the EU General Data Protection Regulation (“GDPR”), the Dutch law implementing the GDPR, the Police Data Act, the Judicial Data and Criminal Records Act, the Telecommunications Act, the Electronic Identification, Authentication and Trust Services (eIDAS) Regulation and the General Administrative Law Act.

On January 29, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a report (in Dutch) on the personal data breach notifications received in 2018 (the “Report”). The EU General Data Protection Regulation (the “GDPR”) requires data controllers to notify a personal data breach to the competent Data Protection Authority (“DPA”) within 72 hours after becoming aware of it. In the Netherlands, this breach notification requirement has been in place since January 1, 2016. However, the GDPR imposed additional requirements, including: providing certain information in a breach notification; data controllers’ mandatory obligation to notify affected individuals if the breach is likely to result in a high risk to the rights and freedoms of those individuals; companies duty to document any personal data breaches.

On January 16, 2019, the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (the “Dutch DPA”), announced that it had requested 30 private organizations provide information about the agreements they have with other entities that process personal data on their behalf. The Dutch DPA indicated that the targeted organizations are mainly in energy, media and trade sectors.

On December 13, 2018, the Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”) (the “Dutch DPA”) published a report on the complaints it has received since the EU General Data Protection Regulation (“GDPR”) became applicable on May 25, 2018 (the “Report”). The GDPR gives data subjects the right to lodge a complaint with the relevant national supervisory authority when they believe that their personal data is processed in a way violative of the GDPR (see article 77 of the GDPR).

View the Report and the press release (in Dutch).

On November 29, 2017, the EU’s Article 29 Working Party (”Working Party”) announced the establishment of a task force to coordinate the plethora of national investigations throughout the EU into Uber’s 2016 data breach that affected approximately 57 million users worldwide. The task force is being led by the data protection authority (”DPA”) in the Netherlands, where Uber has its EU headquarters, and includes representatives from the DPAs in France, Italy, Germany, Belgium, Spain and the United Kingdom.

On November 23, 2016, Bloomberg BNA reported that the Hague Administrative Court in the Netherlands upheld a decision by the Dutch Data Protection Authority that WhatsApp was in breach of the Dutch Data Protection Act (the “Act”) on account of its alleged failure to identify a representative within the country responsible for compliance with the Act, despite the processing of personal data of Dutch WhatsApp users on Dutch smartphones. WhatsApp reportedly faces a fine of €10,000 per day up to a maximum of €1 million ...

On May 23, 2016, half of the EU Member States sent a letter to the European Commission and the Netherlands (which holds the rotating presidency), seeking the removal of barriers to the free flow of data both within and outside the EU to benefit the EU from new data-driven technologies, according to Reuters and EurActive.com.

On January 1, 2016, a Dutch law became effective that (1) includes a general obligation for data controllers to notify the Data Protection Authority (“DPA”) of data security breaches, and (2) authorizes the DPA to impose direct fines for violations of the Data Protection Act.

On March 9, 2015, the Federal Trade Commission announced that it has entered into a Memorandum of Understanding (the “Memorandum”) with the Dutch Data Protection Authority (the “Dutch DPA”).

On February 3, 2015, the Article 29 Working Party (“Working Party”) published a report on a sweep of 478 websites across eight EU Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom). The sweep was conducted to assess compliance with Article 5.3 of the e-Privacy Directive 2002/58/EC, as amended by 2009/136/EC.

On June 6, 2011, Hunton & Williams hosted a panel discussion on what organizations in the UK, France, Germany and the Netherlands are doing to comply with the EU’s new cookie law.  The webinar, Consent for Cookies: Preparing for the EU Cookie Law, featured David Evans, Group Manager of Business and Industry of the UK Information Commissioner’s Office, and Hunton & Williams Brussels-based associates Olivier Proust, Dr. Jörg Hladjk and Martijn ten Bloemendal.  The panel was moderated by Bridget C. Treacy, partner in the London office of Hunton & Williams. 

On June 6, 2011, join Hunton & Williams for a panel discussion on the implementation of the new EU Cookie Law in the UK, France, Germany and the Netherlands.  EU law on the use of cookies is changing.  Opt-in consent will be required, but specific requirements may differ across the EU.  What are organizations doing to ensure compliance with the new cookie law?  Listen to David Evans, Group Manager of Business and Industry of the Information Commissioner's Office, explain the steps that UK organizations are expected to take.  Learn about cookie compliance in France, Germany and the ...

In a move toward implementation of the EU e-Privacy Directive, on November 3, 2010, the Dutch Minister of Economic Affairs submitted a bill to the Dutch Parliament that would amend the Dutch Telecommunications Act to obligate telecom and internet service providers to provide notification of data security breaches, and require consent for the use of cookies (the “Bill”).

The proposed Bill would require telecom and internet service providers to notify the Dutch Telecom Authority (the “OPTA”) without delay in the event of a security breach involving personal data.  They also would be required to notify affected individuals without delay if the breach is likely to have an adverse effect on the protection of their personal data.  The Bill does not affect initiatives to introduce a broader data breach notification regime applicable to other industries outside the telecom sector.  The Dutch Minister of Justice recently stated that he expects to issue a proposal to implement a more general data breach notification law in 2011.

At a meeting held April 7-9, 2010, the Council on General Affairs and Policy of the Hague Conference on Private International Law adopted a document entitled 'Cross-Border Data Flows and Protection of Privacy' that outlines the organization's possible future work in the area of privacy and data protection law.  The document contains an overview of international data protection initiatives of the last few years, and addresses various cross-border cooperation issues, including problems created by the difficulty of determining applicable law and jurisdiction in cross-border data flows.  In

According to a report issued by the EU Agency for Fundamental Rights (“FRA”), European data protection authorities lack sufficient independence and funding.  In addition, DPAs impose few sanctions for violations of data protection laws.  DPAs “are often not equipped with full powers of investigation and intervention or the capacity to give legal advice or engage in legal proceedings.”  In a number of countries, including Austria, France, Germany, Latvia, the Netherlands, Poland and the UK, “prosecutions and sanctions for violations are limited or non-existing.”  ...

On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt.  The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”