Tag Archive: Netherlands

The Netherlands: almost 5500 data breaches notified in 2016

By Richard van Schaik and Róbin de Wit

The Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens, “AP”) revealed that almost 5500 data breaches have been notified since the legislation on mandatory data breach notification duties entered into force on 1 January 2016. Pursuant to this legislation, it is mandatory for all types of data controllers to notify data breaches to the AP and, under circumstances, also the individuals affected by the data breach.

Remarkable fact is that many notifications relate to breaches whereby data were accidentally received by an unauthorized party, for example through an email that was sent to the wrong recipient. Also, the loss of a USB flash drive or a stolen laptop were frequently occurring breaches over the past year.

The AP confirmed that 4000 of the notifications have been examined in more detail, 100 data controllers received an official warning and tens of investigations are still pending. Earlier this year, the AP chairman already announced that the first serious fine is just a matter of time. Fines in case of an (unreported) data breach can go up to € 820,000 or 10% of the company’s annual turnover.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-almost-5500-data-breaches-notified-in-2016-2/

The Netherlands: change in whistleblowing legislation

By Richard van Schaik and Róbin de Wit


As from 1 July 2016, the Dutch Whistleblowers Act (Wet Huis voor klokkenluiders, “Act”) will come into force, introducing statutory legal protection for whistleblowers. Important change is that it becomes obligatory for companies employing 50 or more employees to establish an internal whistleblowing policy as per 1 July 2016.

An overview of the changes and implications for your organization is provided below.


  1. Implementing an internal whistleblowing policy

Companies with at least 50 employees are obliged to establish a whistleblowing policy on how notifications of suspected misconduct within the organization will be dealt with. Employees (including freelancers, trainees or volunteers) having reasonable grounds to believe that wrongdoing whereby the public interest is at stake exists within the organization, must know where and how they can report this.

Although organizations are free to tailor a whistleblowing policy to their needs, the following information is mandatory to include:

  • Information about how internal notifications are dealt with;
  • Information about what would qualify as a suspicion of misconduct;
  • Information about the designated representative within the organization to whom the notification can be addressed;
  • Information that the notification shall treated confidential upon request;
  • Information that an (internal or external) advisor can be consulted in confidence.

Organizations need to make sure that employees are properly informed about the content of the whistleblowing policy and the legal protections enjoyed by whistleblowers. In case a concern was raised in good faith, whistleblowers are protected from disciplinary measures.

Furthermore, the organization needs to obtain the consent of the Works Council when adopting the policy. Early involvement of the Works Council is strongly recommended.


  1. House for whistleblowers

Next to having a mandatory internal policy in place, the Act also introduces a new external administrative body for the benefit of whistleblowers: the House for Whistleblowers (“House”). This body provides for an advisory department and an investigation department.

In short, the advisory department supports whistleblowers and advise them upon request. Although employees are in principle required to report any suspected misconduct internally first, they can turn to the House in case internal reporting can reasonably not be expected or in case the internal report has not been adequately handled. When reported to the House, the investigation department may further investigate the matter and may draw up an analysis of findings and recommendations for the organization at stake.


  1. Conclusion: the impact of the Act on your organization

With the introduction of the Act, organizations need to have a closer look to their current policies. If no whistleblowing policy is yet in place, an internal procedure needs to be implemented and employees need to be informed about its content. But even if there is already a whistleblowing scheme in place, it is worthwhile to review the existing procedure as the Act contains additional compulsory requirements. DLA Piper has extensive experience in drafting and implementing whistleblowing procedures and would be grateful to be of assistance in tailoring a compliant policy to the needs of your organization.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-change-in-whistleblowing-legislation/

Dutch DPA confirms emergency session Article 29 WP

Yesterday, the Dutch DPA (‘CBP’) provided a short statement in relation to the European Court of Justice’s Safe Harbor decision. The CBP states that for some time now, European data protection regulators have been of the opinion that extra guarantees were required with respect to the transfer of personal data to the US. The ECJ judgement underlines the fact that protection of personal data is fundamental right. According to the CBP, it is important that data protection regulators can, at all times, investigate independently and – as a result thereof – protect the rights of EU citizens, whose data are processed worldwide. The CBP confirms that later this week,  the Article 29 Data Protection Working Party is meeting in an emergency session. For more news, reference is made to yesterday’s Article 29 WP press release.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/dutch-dpa-confirms-emergency-session-article-29-wp/

NETHERLANDS: Cookies regulation: Dutch Parliament agrees on exceptions and bans

By: prof. mr. J.J.C. Kabel

Last Tuesday, the Dutch Parliament agreed on amendments to the current cookies regulation in Article 11.7a Telecommunications Act (TA). Art. 11.7a TA contains the Dutch implementation of Article 5, par. 3 Directive 2002/58/EG. The amendments provide for (a) one more explicit exception to the required prior informed consent rule for the placing of cookies and similar software and for (b) a ban on the use of cookie walls by public agencies.  These amendments must still be approved by the Senate. 

(a) Current legislation provides for one exception only:  cookies which are strictly necessary for the provision of an information society service requested by the subscriber or user. All cookies that are not strictly necessary for the essential operation of the service required prior informed consent. Current legislation therefore did not further differentiate between cookies with no or little impact on the user’s privacy and other cookies. Placing of both cookies required prior consent.

The new exception relates to cookies that have little or no impact on the privacy of the internet user. One may think of first party analytic cookies, affiliate or performance cookies used for the purpose of paying affiliates or cookies used for testing the effectiveness of certain banners. These cookies are not strictly necessary for the operation of the service but they are useful for the provision of information about the quality or the effectiveness of these services and, if not used for other purposes, will have little impact on the privacy of the user.  The exception values the significance of consent, by restricting this instrument to serious cases and not for cases which do not infringe the privacy of the user.

Serious cases concern tracking cookies placed by third parties. An amendment requiring explicit consent for the placing of these cookies was rejected by Parliament. Consent must be informed and prior to the placing of cookies. It can be fulfilled by further clicking on parts of the website after the user is completely informed about the placing of cookies and its purposes. If the party responsible for the placing of cookies aims at collecting, combining or analysing data about the use of different information services by the user in order to treat these users differently, the said data are, subject to presumption of rebuttal, supposed to be personal data in the sense of the Dutch Data Protection Act (DPA). Consent then must comply with the requirements of the DPA which could imply explicit consent.

(b) the Parliament also accepted an amendment by one of its members on the use of cookie walls. According to the new Article 11.7a, par. 4a TA access to services of the information society delivered by public agencies shall not be dependent of prior consent. With this amendment, public agencies cannot refuse users who do not wish to pay for access to public services, by giving away their personal data.  As these services are already paid for by public resources, users should not, according to the explanatory note at this amendment, be forced to pay twice with their personal data. 

For further information, please contact Richard van Schaik (richard.vanschaik@dlapiper.com), Jan Kabel (jan.kabel@dlapiper.com) and Róbin de Wit (robin.dewit@dlapiper.com)

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/cookies-regulation-dutch-parliament-agrees-on-exceptions-and-bans/