Tag Archive: compliance

The Netherlands: DPA published phased plan to prepare for GDPR

By Richard van Schaik and Róbin de Wit

Last week, the Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens, “AP”) published a step-by-step plan for organiations to prepare for the upcoming GDPR. The plan, consisting of 10 steps, reads as follows.


  1. Awareness

As a first step, key players within the organization (e.g. policymakers) need to be aware of the upcoming set of rules. They must assess the impact of the GDPR on current processes, services and products and the adjustments necessary to meet the requirements under the GDPR.

The AP stresses that the implementation of GDPR requirements may be time-consuming. Therefore, the AP strongly recommends to commence as soon as possible with identifying compliance gaps and implement GDPR-proof solutions.


  1. Rights of individuals

Secondly, the AP points out that individuals have more rights under the GDPR in view of their personal data. Therefore, processes that enable individuals to actually exercise such rights should be implemented. Organizations are strongly encouraged to create their own (technical) means to obey requests of individuals, including data portability requests.

The AP emphasizes that individuals may file complaints with the AP regarding the handling of their personal data. The AP is obliged to take each complaint into consideration and to start enforcement action where appropriate.


  1. Records of processing activities

Furthermore, organizations should map their processing activities as the GDPR requires organizations to maintain a record of processing actions that fall under their responsibility. Such records should not only contain information about e.g. the purposes of processing, data subjects involved and the personal data processed, but each category of personal data should also specify the legal basis for processing.


  1. Privacy Impact Assessment (PIA)

As a fourth step, organizations are encouraged to conduct PIA’s in order to identify privacy risks associated with data processing activities. PIA’s serve as a useful tool to identify compliance gaps and take subsequent actions in order to reduce enforcement risks.

The AP stresses that PIA’s are especially valuable with a view to high-risk processing activities, such as activities involving sensitive data.

Also, if an organization is unsuccessful in finding measures to mitigate privacy risks, consultation with the AP is required prior to the start of the relevant processing undertakings.


  1. Privacy by design & privacy by default

In addition, awareness shall be created within the organization where it comes to the principles of ‘privacy by design’ and ‘privacy by default’. Also, it must be verified how these principles should be implemented.

For example, organizations must take measures to ensure that – by default – personal data is only processed insofar necessary in view of the processing purpose(s). The AP clarifies that this means that, e.g.:

  • apps may not process the location of users if such processing is not necessary;
  • tickboxes related to marketing may not be pre-ticked;
  • in case of newsletter subscriptions, organizations may not request to fill out more data than necessary in view of the newsletter request.


  1. Data Protection Officer (DPO)

Organizations may be obliged to appoint a DPO. The AP encourages organizations to identify whether they are subject to this requirement.

If yes, the recruitment and selection procedure should start in due course.

If no, organizations may want to choose to appoint a DPO after all.


  1. Data breach notification duties

The obligation to report data breaches (with the AP and, under circumstances, individuals) will remain largely the same under the GDPR. However, the GDPR contains stricter rules as to the internal recordkeeping of data breaches. All breaches must be documented so that the AP is able to verify that mandatory notification duties have been complied with.

Organizations should make necessary preparations in that respect, and also create data breach awareness amongst employees.


  1. Data processing agreements

As a following step, the AP points out that existing data processing agreements should be examined in order to ensure that the agreements are still adequate and meet the stricter requirements under the GDPR. If not, necessary changes should be agreed upon in time.

Where relevant, new data processing agreements should be drafted with a view to the GDPR requirements.


  1. Lead supervisory authority

If an organization has multiple establishments throughout EU Member States, or if processing activities have an impact on various EU Member States, only one supervisory authority will be competent to act as lead supervisory authority for the cross-border processing. Organizations are encouraged to identify the lead supervisory authority applicable to them.


  1. Consent

As a final step, the AP indicates that the GDPR stricter rules apply to the reliance on consent as the legal basis for processing. Therefore, organizations should evaluate the manner in which consent is requested, obtained and registered, and should amend where necessary.

Also, organizations should be able to demonstrate that valid consent has been obtained from individuals to process their personal data. Moreover, it must be as easy to withdraw consent as to give it. Therefore, organizations should have appropriate (technical) tools in place to make sure stricter consent requirements under the GDPR are observed.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-dpa-published-phased-plan-to-prepare-for-gdpr/

EUROPE: ECJ – Dynamic IP addresses may constitute personal data

By Jan Pohle and Jan Spittka

In its landmark decision in the case Breyer v. Federal Republic of Germany (decision dated 19 October 2016, case number C-582/14), the European Court of Justice (ECJ) not only ended the long and tricky debate whether dynamic IP addresses constitute personal data even if the data controller processing the IP addresses does not hold the means to link it to the respective data subject. The court also came to the conclusion the provisions of German law dealing with the processing of personal data in the online environment do not comply with the EU Data Protection Directive (Directive 95/46/EC) as these provision do not provide for a statutory permission to process personal data based on a balancing of interest between legitimate interest of the data controller and the interest of the data subjects.



The case has been presented to the ECJ by the German Federal Court of Justice (Bundesgerichtshof – “BGH“). The claimant Mr. Breyer had sued the German Federal Department of Justice and Consumer Protection (Bundesministerium für Justiz und Verbraucherschutz – “BMJV“) to cease-and-desist the registration and storing of his dynamic IP address after visiting the BMJV’s websites. The BMJV argued that IP addresses have to be retained after the end of the visit of the website to protect itself against cyberattacks. The BGH asked the ECJ whether dynamic IP addresses constitute personal data with respect to an “online media service provider” (i.e. the operator of a website), if only a third party (here the internet service provider) holds the additional data necessary to identify a visitor of this website. Furthermore, the BGH asked whether the operator of a website has the possibility to collect and subsequently use visitors’ personal data in order to ensure the general operability of its website.

Ruling of the ECJ

The ECJ decided that a dynamic IP address does not only constitute personal data with respect to the internet service provider (which has the means to link the IP address to the individual behind the address in any case), but also with respect to the operator of a website, if this website operator has legal means to identify the visitor with the help of additional information from the visitor’s internet service provider. The ECJ confirmed this with respect to German law. Although the operator of a website does not have any direct claims against an internet service provider to provide the name of an individual behind an IP address, the court found it to be sufficient, if the website operator can obtain the information required to identify the visitor of the website from the internet provider via a competent authority which requests the information to prepare criminal proceedings, e.g. in the event of cyberattacks. As a consequence, the processing of IP addresses by website operators is subject to and has to comply with the applicable member state data protection requirements. Beyond this specific case, the ECJ has provided sufficient tools to determine whether information constitutes personal data, if the information cannot be directly linked to an individual, but only by using additional information which is held by a third party. According to the ECJ, this is not the case, if  the identification of the data subject was

  •  prohibited by law or
  •  practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.

The classification of dynamic IP addresses as personal data required the ECJ to have a closer look on the German data protection rules dealing with the processing of personal data in the online environment. Currently applicable law allows the processing of personal data without the data subject’s consent only in specific comprehensive cases. A general provision which provides for the possibility of a balancing of interest in a particular case is not included. According to the ECJ, this lack of a statutory permission is not complaint with Article 7 lit. f) of the Data Protection Directive. This finding also has a fundamental impact going beyond the case at hand as all member state data protection laws now have to be reviewed whether they allow for balancing of interests, at least in individual cases.


The decision of the ECJ forces all operators of websites, irrespective of whether they are public administration or private businesses, to review the collection, processing and use of IP addresses in connection with their websites. However, the ECJ has also strengthened IT security as it pointed out that member state law has to provide for the possibility to process personal data without consent for cybersecurity purposes.

Jan Spittka and Jan Pohle

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/ecj-dynamic-ip-addresses-constitute-personal-data-and-german-law-not-compliant-with-data-protection-directive-by-jan-spittka-and-jan-pohle/

FRANCE: CNIL Adopts New “Compliance Pack” for the Insurance Sector

In November 2014, the French Data Protection Authority (“CNIL”) issued a new “compliance pack” for the insurance sector, following consultations with trade associations.

By Carol Umhoefer and Mathilde Hallé

The CNIL has started promoting compliance packs as a new tool for regulating the processing of personal data in specific sectors. The packs, adopted by the CNIL after stakeholder consultations, are intended to offer actionable information (notably with respect to CNIL filings) to comply with French data protection law.

The new compliance pack for the insurance sector has been prepared in collaboration with several major trade associations representing the largest French insurance groups. The pack includes (i) two preexisting Simplified Standards for the insurance industry, No. 16 relating to insurance policy management and No. 56 relating to client data management (both revised on July 11, 2013, see our previous post here), as well as (ii) three more recent Single Authorizations: Single Authorization No. 31 for the collection of social security numbers and access to the French National Directory of Identification of the Individuals (adopted on January 23, 2014), Single Authorization No. 32 for the collection of data concerning criminal offenses, (adopted on January 23, 2014), and Single Authorization No. 39 for the implementation by the insurance sector of anti-fraud measures (adopted on July 17, 2014).

The compliance pack also includes several practical information sheets to enable insurers and other professionals in the sector to better understand the legal framework applicable to personal data collection and processing in connection with their business.

The compliance pack also announces the creation of a “compliance club” in which the CNIL will to continue to work with the main stakeholders to develop and adapt filing requirements to regulatory  changes.

Readers will recall that Simplified Standards enable companies without internal data protection officers that choose to adhere to the conditions set forth in such Standards to make simplified filings with the CNIL, thus avoiding having to file the much more detailed normal filing. Similarly, the Single Authorization procedure allows companies that intend to process personal data for certain specific purposes to  implement such processing in compliance with French data protection law if they self-certify to the CNIL that the processing will comply with the specific conditions set forth by the CNIL. Insurance, capitalization, and reinsurance companies and insurance intermediaries that already filed on the basis on the aforementioned Simplified Standards and Single Authorizations are not required to make any additional filing with the CNIL.

Should you have any further questions regarding to the above, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com) or Mathilde Hallé (mathilde.halle@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-cnil-adopts-new-compliance-pack-for-the-insurance-sector/

Global: App providers, beware of sweeping privacy watchdogs!

By Patrick Van Eecke & Julie De Bruyn

The Global Privacy Enforcement Network (GPEN) is organizing an international privacy sweep between 12 and 18 May 2014, specifically targeted at mobile applications, involving 27 data protection authorities around the world .

Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-app-providers-beware-of-sweeping-privacy-watchdogs/

Belgium: Beware of the barking Privacy Watchdog, she’s biting.


By Patrick Van Eecke and Julie De Bruyn (DLA Piper – Brussels)

The quietness in the privacy landscape in Belgium is about to drastically change.  Reason for the change of pace are the recent major data breaches that were published by the media. The Privacy Commission announced it will establish a dedicated task force to carry out proactive audits focusing on different sectors, such as financial and insurance institutions, hospitals and other health providers, and telecom operators.

Draft Belgian legislation will grant the Privacy Commission the power to independently impose monetary fines and other sanctions, such as the blocking of access to certain databases by non-compliant companies, or the withdrawal of the permits to make use of such (public) databases. The expansion of powers would transform the Privacy Commission from passive bystander to an actual ‘Privacy Police’.

Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/belgium-beware-of-the-barking-privacy-watchdog-she-starts-biting/

FRANCE: The French Data Protection Authority (CNIL) Issues NEW Guidance on Cookies

By Carol Umhoefer, Jeanne Dauzier & Mathilde Hallé

The CNIL has issued new guidance on cookies compliance, marking a clear departure from its previous position and effectively adopting an opt-out approach consistent with the UK’s Information Commissioner’s Office (ICO).

In October 2011, and again in April 2012, the CNIL issued recommendations that interpreted French law as requiring express opt-in acceptance of cookies. In a decision dated December 5, 2013, the CNIL has now taken an opt-out approach to consent requirements:

  • The CNIL recommends posting a dedicated banner on the home page that states that by continuing to use the website, the user agrees to have cookies set on his/her terminal. The banner also needs to state the exact purpose(s) of the cookie(s), as well as the possibility to refuse cookies or modify cookies settings by clicking on a dedicated link. The banner is to remain displayed as long as the user stays on the home page. According to the CNIL, a cookie may never be placed if the user goes to the home page but does not browse the website (except when an express consent has otherwise been given), or if he/she clicks on the link in the banner to modify the cookies settings and refuses all cookies. 
  • By clicking on the link displayed on the banner, users must be provided with complete, clear and legible information about how to accept or refuse cookies. The user’s consent is valid only if the information provided is sufficient. To limit the risk of invalid consent due to unclear or insufficient information, it is recommended not to use any complex legal or technical terminology.

According to the CNIL, the user’s consent shall be considered valid for a maximum of 13 months. As a consequence, cookies cannot have a longer life. Upon the expiration of this period, the user’s consent must be obtained again.

The CNIL guidance also stresses that all actors involved in the process of setting cookies, such as website publishers and commercial partners e.g., advertising agencies, are liable for compliance with all cookies laws. As a consequence, users are entitled to exercise their rights of access and opposition against any such person who holds, directly or indirectly, cookies that include personal data.

The CNIL has not modified its previous position that cookies that are strictly necessary for the provision of a service requested by the user (e.g., session cookies, authentication cookies or basket cookies) are exempted from the consent requirement. However, the CNIL now also acknowledges an exception for cookies used exclusively to measure web traffic that do not allow user identification. For this type of cookie, users must be informed and have the possibility to refuse cookies, but their prior consent is not required. Moreover, if such cookies enable the geolocation of the user via her/his IP address, the information gathered cannot be more specific than the city where she/he is located.

Finally, the CNIL acknowledges that French law provides that user consent may result from web browser settings, but considers such consent is valid only if (i) the user has been given the opportunity to modify the browser settings and (ii) the user has been informed, before his/her terminal is accessed or any cookie is set, of the cookies’ purpose and how to refuse them. The CNIL further considers that, in the current state of technology, web browser settings preferences for non-HTTP cookies  (such as “flash” or “web bugs” cookies) are insufficient and user consent must be based on information provided in a banner, as explained above.

Should you have any further questions regarding to the above, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com), Jeanne Dauzier (jeanne.dauzier@dlapiper.com) or Mathilde Hallé (mathilde.halle@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-the-french-data-protection-authority-cnil-issues-new-guidance-on-cookies/

GLOBAL: Data Protection and Privacy Compliance Considerations For Retailers

By Carol Umhoefer

It’s obvious that retail e-sales raise issues around personal data collection and processing:  Compiling customer lists and preferences, tracking and profiling site visitors and app users, generating revenue from static and mobile ad servers, targeting offers to customers on the right devices at the right time, accurate online order fulfillment and useful after-sales service all depend on personal data processing.

But brick and mortar retailers are also capturing and processing more personal data, such as data from customers, employees, landlords, security systems and multiple service providers, even the neighborhood seamstress. And as these traditional retailers create their own virtual sales networks, the opportunities to capitalize on both in-store and on-line customer data multiply in tandem with the risks associated with hacking and data loss.

The price of getting data protection wrong is high. Retailers may pay dearly if they misuse customer lists, lose employee data, or are “named and shamed” by a regulator for having failed to meet basic data protection requirements. Moreover, Asian and South American countries are adopting European-inspired data protection laws while the EU moves to strengthen its own laws with reforms that will introduce significant new fines for companies that fail to comply.

Retailers’ first step toward compliance should be taking stock of data protection and privacy practices in stores, warehouses, security stations, back offices and the data centers where personal data is continuously processed. Retailers should examine their data handling at every point from collection to processing, replication, storage, transfer and eventual destruction, as well as their obligations under applicable regulations, laws and contracts, with a view to devising compliance solutions that are tailored to the operational realities of the industry, the retailer’s specific needs, and the risks associated with regulatory enforcement.

Should you have any further questions regarding to the above, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-data-protection-and-privacy-compliance-considerations-for-retailers/