Data Protection Overview

Transcription

1 Data Protection Overview In the Netherlands, like in other EU countries, the main data protection principles originate from EU legislation: the EU Data Protection Directive (95/46) and the EU e-privacy Directive (2002/58, as amended by Directive 2009/136). These Directives are implemented in the Wet bescherming persoonsgegevens, the Dutch Data Protection Act ('the Act') and in the Dutch Telecommunications Act (Telecommunicatiewet). In addition thereto, in the Netherlands there also exists various other specific legislation, for example which apply to the processing of health data, Social Security Numbers, police data or processing by municipalities. In this Note we will mainly focus on the general rules of the processing of personal data under the Act. 1 Definitions under the Act The main concepts used in the Act are: Personal data: any information relating to an identified or identifiable (living) natural person. The definition of personal data is very broad and also includes a combination of information by which a natural person can be identified. Data subject: the individual to whom personal data relate. Data controller: the natural person, legal person, administrative body or any other entity which, alone or in conjunction with others, determines the purpose of and means for the processing of personal data. Data processor: the person or body which processes personal data for or on behalf of the data controller, without being under direct authority of the data controller. Processing of personal data: any operation or any set of operations concerning personal data, including in any case the collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, erasure or destruction of data. 2 Supervisory Authorities There are various authorities that supervise and enforce compliance with the processing of personal data. The main competent authority is the College bescherming persoonsgegevens, the Dutch Data Protection Authority (DPA) residing in The Hague. The main task of the DPA is to oversee that the processing of personal data takes place in compliance with the Act. Furthermore, the DPA provides advice on various data protection matters, handles notifications and assesses codes and regulations. 3 Applicability of the Act First of all, the Act is applicable when personal data is being processed. If data cannot be traced back to an individual, it is not personal data and the Act does not apply to the processing thereof. Examples are aggregate, anonymous and irreversibly coded data, if it does not contain other information facilitating identification. Van Doorne N.V. is gevestigd te Amsterdam en ingeschreven in het handelsregister onder nummer Van Doorne N.V. is de enige opdrachtnemer van alle werkzaamheden. Op deze werkzaamheden en alle rechtsverhoudingen met derden zijn van toepassing de Algemene Voorwaarden van Van Doorne N.V. en haar dochtermaatschappijen, waarin een beperking van aansprakelijkheid is opgenomen. Deze Voorwaarden, die zijn gedeponeerd ter griffie van de rechtbank te Amsterdam, kunnen worden geraadpleegd op en worden op verzoek toegezonden. Van Doorne N.V. has its registered offices in Amsterdam and is registered with the Commercial Register under number Van Doorne N.V. is the exclusive contracting party in respect of all commissioned work. This work and all legal relations with third parties shall be governed by the General Terms of Van Doorne N.V. and its subsidiaries which include a limitation of liability. These Terms, which have been filed with the District Court at Amsterdam, may be consulted at and will be forwarded upon request. 1 / 6

2 The Act applies to the processing of personal data carried out within the context of an establishment of a data controller in the Netherlands, as well as by or for a data controller that is not established in the European Union, which uses 'automated or non-automated means situated in the Netherlands, unless these means are used only for forwarding personal data.' Such non- EU data controllers may process personal data, provided that they designate a person in the Netherlands to act on their behalf. The Act applies to fully or partly automated processing of personal data and the nonautomated processing of personal data entered or intended to be entered into a file. The Act defines a file as any structured set of personal data, regardless of whether or not the data set is centralised or dispersed along functional or geographical lines. A file should be accessible and relate to different persons. Data processing activities in the course of personal or household activities do not fall under the scope of the Act. For example, completing a personal birthday calendar or keeping a diary cannot be regarded as processing of personal data under the Act. 4 Main obligations of the data controller Under the Act most obligations rest upon the data controller. The data controller is the (legal) person, which alone or with others, determines the purpose and means of the processing of personal data. This topic has further been elaborated by the Article 29 Working Party in its Opinion on the definitions of data controller and data processor (Opinion 1/2010, WP 169). The data controller must ensure that personal data are processed in accordance with the Act. The general principles for legal processing under the Act, reflecting the overall principles of data minimisation, proportionality and subsidiarity, are summarised below. The most important obligations will be discussed further in latter parts of this Note. The processing is for specified, explicit and legitimate purposes. No personal data may be processed than is adequate, relevant and proportional for these purposes; Processing is based on one of the six justification grounds (see The data subjects should be informed of the data processing, the purposes thereof, the identity of the data controller(s) and all other information necessary for fair processing; The personal data must be kept accurate, up-to-date, confidential and adequately secured (in line with the Guidelines of the DPA, which were published in 2013, see The personal data may not be kept longer than necessary for the purposes for which they are processed, unless there is another statutory obligation that requires that the personal will be kept longer; Data processing activities should be notified to the DPA unless an exemption applies (see If personal data is transferred outside the EEA, additional requirements apply (see The data controller should observe the various rights the data subjects may have, such as the right of inspection, correction and opposition rights (see Additional requirements apply for the processing of sensitive personal data (see Data processor agreements (in writing) must be concluded with any data processors, in accordance with the Guidelines of the DPA. 2 / 5

3 5 Justification ground The Act includes a list of six justification grounds for processing personal data. Personal data may only be processed if one of these justification grounds is present. 1. Unambiguous consent: The consent of a data subject should be freely given, specific and informed. This means that the scope of the consent is clearly defined and consistent with what the person in the circumstances could expect. Please note that consent may in most cases not be a valid ground in an employment relationship, since there may be an element of subordination. 2. Performance of a contract: The data processing is necessary for the performance of an agreement to which the data subject is a party. 3. Legal obligation: The data processing is necessary in order to comply with a legal obligation to which the data controller is subject. 4. Protecting vital interests: The data processing is necessary for in order to protect a vital interest of the data subject. 5. Performance of a public law duty: The data processing is necessary for the proper performance of a public law duty by the administrative body concerned or by the administrative body to which the data are provided. 6. Legitimate interest: The data processing is necessary for a legitimate interest of the data controller or the recipient(s) of the personal data, provided that the data subject's fundamental rights and freedom would not prevail. 6 Data security The Act requires the data controller to implement the general data security obligations. In assessing the appropriate level of security, the data controller should take into account the state of the art and the costs of implementation. In February 2013, the DPA published detailed policy guidelines that set out its interpretation of what it considers to be 'appropriate' data security measures. This document also provides for guidelines on the arrangements that have to be made between a data controller and a data processor who will process personal data on its behalf. 7 Duty to notify The data controller should, in principle, notify its data processing operations to the DPA, or to an internal Privacy Officer, unless an exemption to the notification duty applies. Such notification should be performed prior to the data processing and in the Dutch language. Exceptions from the notification duty are detailed in the Exemption Decree to the Act. The Exemption Decree lists a large number of commonly accepted data processing activities that are exempted from the notification duty. Furthermore, the Exemption Decree provides for conditions under which an exemption applies. Such conditions may for example relate to the types of data, retention periods and groups of persons that may access the personal data. If the conditions have not been met, the data processing is not exempted and should be notified to the DPA. 8 Transfer of personal data outside the EEA Personal data may be transferred to countries that offer an adequate level of data protection. This is assumed for all EEA countries. Next to that, such level of protection is also present when: It concerns a transfer to one of the countries that have been approved by the European Commission, taking into account the conditions set by the European Commission; It concerns a transfer to a company in the USA that has adhered to the Safe Harbor principles. Please note that the Safe Harbor principles are currently discussed at the EU level; or It concerns a transfer of Air Passenger Name Record (PNR) Data and Terrorist Finance Tracking Programme (TFTP) to the countries designated by the European Commission (currently Australia, Canada and the USA). 3 / 5

4 If personal data would be transferred to a country that is considered not to offer an adequate level of protection, the data transfer is allowed if: A data transfer agreement is concluded with the data recipient(s) outside the EEA. This data transfer agreement should preferably be based on the relevant unaltered Standard Contractual Clauses for the transfer of personal data to third countries (SCC), issued by the European Commission ("data controller / data controller" or "data controller / data processor"). If the data transfer agreement contains the unaltered SCC, no permit of transfer will then be needed. If the concluded data transfer agreement however deviates from the standard SCC a data transfer outside the EEA is only allowed if a permit is requested and obtained from the Dutch Minister of Justice; or Binding Corporate Rules (BCR) for data controllers or data processors are in place. This instrument legitimises the transfer within a corporate group of companies only. If none of the situations mentioned above applies, a data transfer is only allowed if one of the following statutory derogations does apply: The data subject has unambiguously given his or her consent for the transfer; The transfer is necessary for the performance of a contract between the data subject and the data controller(s), or for actions to be carried out at the request of the data subject and which are necessary for the conclusion of a contract; The transfer is necessary for the conclusion or performance of a contract concluded or to be concluded between data controller and third parties in the interests of the data subject(s); The transfer is necessary for the establishment, exercise or defence in law of any right; or The transfer is necessary to protect a vital interest of the data subject. 9 Rights of the data subject The Act provides for various rights that data subjects may invoke. The data subject may request an overview of personal data that the data controller processes of him or her. Next to this inspection right, data subjects may ask the data controller to correct, supplement, delete or block the data processed about them in the event that such data is inaccurate, incomplete or irrelevant for the purposes of the data processing, or is being processed in any other way that infringes a legal provision. The request made by a data subject will have to specify the changes. The data subject should take into account reasonable intervals when exercising its rights. Furthermore, a data controller does not always have to comply with a request. When, for example, state security or the rights and freedoms of other persons are at stake, this may prevail over the rights of the data subject. 10 Sensitive personal data Stricter rules apply to the processing of 'sensitive personal data', defined as personal data concerning a person's religious or philosophical beliefs, race, political opinions, health, sexual life, trade union membership, as well as criminal data and data regarding unlawful or objectionable behavior in the context of an imposed ban relating to that behavior. This stricter rules also apply to 'indirect' sensitive data, such as personal data that is not sensitive itself but from which sensitive characteristics can be derived, e.g. a photo or the fact that a data subject has visited a certain clinic (which is in line with case law on this topic). Generally the processing of sensitive data is prohibited. Per category of sensitive data there are several exemptions to this prohibition. Furthermore there are general exceptions to the prohibition to process sensitive data, among which the explicit consent of the data subject. 4 / 5

5 11 Sanctions To verify compliance with the Act, the DPA has a discretionary power to carry out targeted inspections on its own initiative or following complaints. Such investigations may involve on-site inspection. During such investigations, the company under investigation must provide all necessary information upon request and cooperate with the DPA. The DPA regularly initiates such investigations and publishes the results. Under current law the DPA can impose an administrative fine of up 4,500 for a violation of the obligation to notify (or 8,100, and in case of an intentional breach 20,250 or prison sentence of 6 months). The DPA may also impose an enforcement order to remediate noncompliance. 12 Legislative proposal - Duty to report data leaks and the expansion of the administrative penalty competence of the DPA Recently the Dutch House of Representatives voted in favor of a law introducing a duty to report data breaches (data leaks), which also extends the enforcement powers of the DPA. This proposal has been drafted in the run up to a broader European legislative initiative, the EU General Data Protection Regulation. Next to articles on the notification duty regarding data breaches, the proposal introduces increased enforcement powers for the DPA in relation to imposing fines for noncompliance with the main obligations under the Act. Once this new law is adopted, it will amend both the Act and the Telecommunications Act. The legislative proposal has been referred to the Dutch Senate and it is expected that it will enter into force later this year (2015). According to the proposal, data controllers will be obliged to notify the DPA without undue delay in case of any breach of personal data protection measures, if this could have a severe negative impact on the security of personal data. The data subjects should also be notified if the breach is likely to have a negative impact on their privacy. The proposal furthermore requires data controllers to keep records of all data breaches that they believe pose a serious risk to the affected individuals' privacy. The proposal furthermore seeks to increase the competence of the DPA (which will be renamed into the Authority on Personal Data; Autoriteit Persoonsgegevens) to impose administrative fines, not only for data breaches but also for other violations of the Act. The increased fines may amount up to 810,000 or 10% of the annual turnover of an enterprise. Van Doorne N.V. Your contact Jachthavenweg KM Amsterdam Postbus AG Amsterdam Elisabeth Thole t +31 (0) m +31 (0) thole@vandoorne.com t +31 (0) f +31 (0) info@vandoorne.com Eva de Vries t +31 (0) m +31 (0) vries@vandoorne.com 5 / 5