Tag Archive: data breach

The Netherlands: almost 5500 data breaches notified in 2016

By Richard van Schaik and Róbin de Wit

The Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens, “AP”) revealed that almost 5500 data breaches have been notified since the legislation on mandatory data breach notification duties entered into force on 1 January 2016. Pursuant to this legislation, it is mandatory for all types of data controllers to notify data breaches to the AP and, under circumstances, also the individuals affected by the data breach.

Remarkable fact is that many notifications relate to breaches whereby data were accidentally received by an unauthorized party, for example through an email that was sent to the wrong recipient. Also, the loss of a USB flash drive or a stolen laptop were frequently occurring breaches over the past year.

The AP confirmed that 4000 of the notifications have been examined in more detail, 100 data controllers received an official warning and tens of investigations are still pending. Earlier this year, the AP chairman already announced that the first serious fine is just a matter of time. Fines in case of an (unreported) data breach can go up to € 820,000 or 10% of the company’s annual turnover.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-almost-5500-data-breaches-notified-in-2016-2/

EU – The right to be forgotten and the role of the Companies Registry

On 8 September 2016, Advocate General Bot released his opinion on the “Camera di Commercio Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni” c-398/15  (“Manni Case“). If confirmed by the European Court of Justice, the opinion will no doubt shed further light on the construction of the right to be forgotten.


The original plaintiff, Salvatore Manni, is an Italian citizen and former sole director of a building company which went bankrupt. The information about the building company’s bankruptcy and its then sole director had been permanently stored in the Companies Registry (Registro delle Imprese) held by the local Chamber of Commerce (Camera di Commercio), despite the company had been liquidated. Mr Manni claimed that access to the above data from third parties jeopardized certain sales of real estate, and accordingly requested the Companies Registry to anonymize his data or restrict access to the same Registry. The Chamber of Commerce opposed that the Companies Registry is a public database with a specific obligation to provide to everyone (upon specific request) the companies’ main information. The case escalated up to the Italian Supreme Court (Corte Suprema di Cassazione), which referred the issue to the ECJ, asking whether certain personal information (legally) made available by the Companies Registry should after a certain time be erased, or anonymized, or restricted to a limited number of third parties.

The Advocate General’s Conclusions

According to the Advocate General all Companies Registry’s data should be made available with no restriction. Indeed, the Company Law Directive 68/151 requires Member States to take all necessary measures to ensure the compulsory disclosure by a company of a number of limited information and documents, including general details of the legal representatives.

The fundamental function of the Companies Registry is to provide a complete picture of the life and history of a company, allowing anyone to read the information at any time. While acknowledging that any derogation to a (fundamental) data protection right should be limited to the strict necessary, the Advocate General stressed that allowing a public Company Registry to keep track of the whole life of a company (even when such company no longer exists) would not be disproportionate, also taking considering that the information is very limited (i.e. the name of the individuals that had the power to represent the company) and certain rights may be exercised also after the company ceased to operate (for instance for actions against the liquidators, etc.). The  Registry does not play a limited statistical role, it safeguards legal certainty as a mean to encourage market transactions, also through information about who represented a certain company over a certain period of time. While Directive 68/151 does not provide for a period of time after which it is necessary to cancel a certain information, the Advocate General added that it should also not be for the Registry to determine when such information should be restricted or anonymized, as it would otherwise add a discretionary assessment of the legitimate interests of the parties involved, with obvious risks of uneven decisions from the various public Registries.

The Right to be Forgotten is not Absolute

The Advocate General’s analysis echoes the ruling of the Google Spain Case, confirming that the right to be forgotten is not absolute and should be balanced with other fundamental rights, such as freedom of expression or – like in the Manni Case – interests of third parties to gain information on particular persons that held a key position in a company. The right to be forgotten will still require a case-by-case assessment, taking into account the specific type of information, its sensivity for the individual’s private life as well as the interest of the public in having access to that information and the role played by the data subject.

In this case, the essence is that a Companies Registry is not a broadly disseminated newspaper or a social media, and it should be treated accordingly. It is a public registry, aimed at facilitating certain fundamental economic transactions. It is true that, by entering a specific enquiry with the Companies Registry, it is possible gather the information that a certain individual was the sole administrator of a bankrupt company, and this information may, from the perspective of potential buyer, be a determining factor in completing a certain purchase. However, the fact of associating in a public Registry a certain person holding a specific office to a company that was declared bankrupt, is not per se derogatory for such person. A bankruptcy may be due to many factors, including some external market trends.

Albeit the Advocate General took into account the balance between the Company Law Directive (68/151) and the Data Protection Directive (95/46), his views would stand also taking into account the right to be forgotten as devised by Article 17 the European General Data Protection Regulation, which among other things also confirms that the right to be forgotten does not apply for the purposes of archiving in the public interest.

For further information on this opinion, see also here from Cristina Ulessi.  It will no doubt be very interesting to review the ECJ’s final position.




Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-right-to-be-forgotten-and-the-role-of-the-companies-registry/


DLA Piper Shared Insights at Bloomberg Law’s 2016 Outlook on Privacy and Data Security in Washington DC

On February 3rd, the day after announcement of the US-EU Privacy Shield provisional agreement, DLA Piper’s Carol Umhoefer, Jim Halpert and Giangi Olivi discussed EU data protection developments at Bloomberg Law’s 2016 Outlook on Privacy and Data Security, in Washington DC, following a presentation by Shannon Coe, privacy leader at the U.S. Department of Commerce’s International Trade Administration, that summarized the terms of the provisional agreement. Here is a short analysis of the issues they discussed. Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/analysis-what-to-expect-from-the-privacy-shield-and-the-general-data-protection-regulation-gdpr/

NETHERLANDS – Legislation on mandatory data breach notification adopted by the Dutch Senate

By Richard van Schaik, Robin de Wit and Charlotte van Triest

On May 26, the Dutch Senate adopted the legislative bill on Data Breach Notifications, thereby amending the Dutch Data Protection Act and the Telecommunications Act (Wetsvoorstel meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp).

Content bill

The bill introduces the mandatory obligation for all types of data controllers to notify data breaches to the Dutch Data Protection Authority (“DPA”) and under circumstances also the obligation to notify the individuals affected by the data breach. Also, the DPA will have the authority to impose increased fines for noncompliance with this obligation.

The obligation to immediately notify the DPA arises in case of a security breach that has or is likely to have serious adverse effects on the protection of personal data. The severity of the potential consequences of the data breach is key when assessing the impact of the data breach. The government’s explanatory memorandum specifically states some factors that have to be taken into account in this assessment, namely: (i) the nature and scope of the data breach; (ii) the nature of the breached personal data; (iii) the extent to which technical measures have been put in place; and (iv) the consequences to the privacy of the individuals affected.

Additionally, data controllers will have the obligation to notify individuals affected by the data breach, but only in case the breach is likely to have adverse effects on the data subject’s privacy. In any case, data controllers will be required to maintain an internal register recording all data breaches that have or could possibly have serious adverse consequences on the protection of personal data.

It should also be noted that the obligation to notify should be separated from the obligation to implement adequate technical security measures , since both serve a different purpose. The DPA is expected to issue guidelines specifying the requirements for the obligation to notify in further detail.

In addition, the bill introduces increased regulatory and investigative powers for the Dutch DPA, thereby becoming the regulatory authority responsible for the oversight based on the Data Protection Act as well as the Telecommunications Act. Under the new bill, in case of a failure to notify or other violations of specific articles of the Data Protection Act the Dutch DPA will be authorized to impose increased fines up to EUR 810,000 or 10% of the company’s annual net turnover per violation, which could also be calculated based on global revenues. Fines will only be imposed following a binding instruction from the DPA, except in case of deliberate violations or violations as a result of serious culpable negligence. The intended purpose of the binding instruction is to offer the alleged offender a chance to restore the suspected data breach and to avoid a serious fine.

At this moment it is unknown when the adopted legislation will enter into force. It is expected that the bill will enter into force on 1 January 2016.

Companies are advised to review whether they comply with the newly imposed notification requirements for data controllers, especially in relation to current data processors’ agreements.

DLA Piper’s global privacy team has helped clients through more than 450 breaches. For further information, please contact Richard van Schaik (richard.vanschaik@dlapiper.com) and Róbin de Wit (robin.dewit@dlapiper.com)

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/netherlands-legislation-on-mandatory-data-breach-notification-adopted-by-the-dutch-senate/

GLOBAL – Connected Cars – Legal risks and opportunities webinar

Connected cars are the fastest growing market within the Internet of Things (IoT), but lead to legal issues in terms of privacy, cybersecurity product liability that will be addressed in our next DLA Piper webinar. Giulio Coraggio Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/connected-car-legal-risks-and-opportunities-webinar/

ITALY: Italian Data Protection Authority – analysis of the first half 2014 and action plan

The Italian Data Protection Authority (Garante) has recently made available the results of the first half 2014 activities: 196 inspections, fines issued in the range of 2,5M Euro (already collected). Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-italian-data-protection-authority-analysis-of-the-first-half-2014-and-action-plan/

EUROPE: Article 29 Working Party Provides Guidance on Personal Data Breach Notification

By Carol Umhoefer & Mathilde Hallé

On March 25, 2014, the Article 29 Working Party (the “WP29”) issued Opinion 03/2014 On Personal Data Breach Notification in order to help data controllers to assess whether to notify data subjects of a personal data breach.

Currently, only providers of telecommunications services are required to notify data subjects in the event of a personal data breach likely to adversely affect such data subjects’ personal data or privacy. Nevertheless, this obligation will be expanded in coming years to all data controllers, whatever their business sectors, with the upcoming adoption of the EU General Data Protection Regulation.

Anticipating the adoption of that Regulation, the WP29 has issued an opinion to provide general guidance for data controllers to assess, on a case-by-case basis, whether a breach is likely to adversely affect the personal data or privacy of data subjects, and therefore should be notified to data subjects.

In this opinion, the WP29 provides examples of data breaches likely to adversely affect the data subjects’ personal data or privacy, and gives some recommendations in terms of appropriate measures that, if implemented beforehand, may prevent such breaches (e.g., using an appropriate encryption product with a sufficiently strong and secret key, etc.). The WP29 also lists some scenarios where notification to data subjects would not be required (e.g., a personal data breach only relating to confidentiality where the data was securely encrypted with a state-of-the-art algorithm).

In addition to these practical examples and recommendations, the WP29 addresses key issues that data controllers may face while considering whether to notify data subjects. In particular, the WP29 underlines the need to notify even if only one data subject is concerned by the breach. In case of doubt regarding the likelihood of adverse effects on the personal data or privacy, the WP29 recommends to “err on the side of caution and proceed with notification“.

For further information, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com) or Mathilde Hallé (mathilde.halle@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-article-29-working-party-provides-guidance-on-personal-data-breach-notification/