COVID-19: Global Data Privacy & Security Survey
As COVID-19 quickly spreads across the globe and has now been officially declared a pandemic, many companies are facing difficult business and legal challenges and are required to make urgent decisions in order to keep their workforce safe and ensure business continuity. Data plays a crucial role in containing the spread of the virus, but not every processing of data can be justified on that basis. A balance must be found between protecting public health and personal privacy.
Baker McKenzie is pleased to provide you with a guide designed to assist employers in assessing whether or not certain data processing they may consider in light of COVID-19 is compliant with data privacy regulation.
Click here to access the guide, which features high-level views on five common questions companies are facing from Baker McKenzie lawyers from 13 countries.
Fine issued by Dutch DPA against sports association
The Dutch Data Protection Authority (Dutch DPA) issued a 525K EUR fine under the General Data Protection Regulation against the Dutch National Tennis Association. This fine was imposed for the – allegedly – unauthorized sale of member data to the Association’s sponsors. The sponsors contacted a selection of the members by mail or phone, after which some of the members complained about being contacted without their consent. The Dutch DPA ruled that the sale of member data by the Association to its sponsors could not be based on a lawful processing ground. This case illustrates that complaints and press coverage seem to be important triggers for the Dutch DPA to start an investigation and move to direct enforcement. The Dutch DPA also elaborates on the processing ground of “further use”, which is clearly considered an alternative route to lawfulness. The Association has announced it will appeal the fine decision. However, in view of Dutch administrative law, a decision is not expected before 2021.
The full decision can be found here (only available in Dutch).
As we introduced in our previous Ahead of Privacy – Update, the GDPR Enforcement Tracker provides a comprehensive overview of the EU enforcement actions since the introduction of the GDPR in May 2018, including this “new” fine of the Dutch DPA. Our GDPR Enforcement Tracker can be found here.
The Dutch DPA receives an increasing number of data breach notifications
In 2019, the Dutch Data Protection Authority (“Dutch DPA”) received 29% more data breach notifications compared with the year before. In a European context, the Netherlands is leading in its number of data breach notifications, together with Germany and the United Kingdom. According to the Dutch DPA, organizations seem to be more and more aware of the data breach notification requirements of the GDPR.
Similar to 2018, most of the data breach notifications were reported by the financial sector (30%), the healthcare sector (28%) and the public administration sector (17%). The majority of the data breaches resulted from personal data being sent or handed over to the wrong recipient.
Throughout the year, the Dutch DPA completed several investigations of organizations into data breaches and the (lack of) notification of them. Although until now the Dutch DPA has taken less far-reaching action, the investigations could give rise to sanctions, including fines.
More information can be found here (available in Dutch).
International Data Transfer – Series of blogs
Since 2013, the Court of Justice of the European Union (“CJEU”) has been looking at the legitimacy of international data transfers from the EU to third countries. At this moment, the CJEU is evaluating the Standard Contractual Clauses, which have been the bedrock of cross-border personal data transfers outside the EU for many years. The Advocate General (advising the CJEU) concluded that the Standard Contractual Clauses should not be invalidated, but that reliance on the Standard Contractual Clauses requires companies to undertake certain additional measures to assure compliance. In particular, data exporters need to make their own assessment as to whether the data importer is able to materially comply with all Standard Contractual Clauses requirements.
Baker McKenzie’s Privacy Team published a series of blogs in which we focus more specifically on the applicability and the pros and cons of transfer mechanisms, including Standard Contractual Clauses, Privacy Shield, Binding Corporate Rules and other lawful transfer options.
See here for the latest data transfer update.
Insurer may not demand phone number from prospective customers
In January this year, the Financial Services Complaints Board (in Dutch: Klachteninstituut Financiële Dienstverlening) (“KiFiD”) ruled that rejecting an application for insurance because the prospective customer did not provide a telephone number infringes the GDPR. The KiFiD found that the insurer did not demonstrate the necessity of processing the insured customer’s telephone number for the performance of an insurance contract. The argument that calling the insured about important matters is an “extra service” does not establish the required necessity. Especially because the customer had indicated that he was best reached by e-mail, there was no legitimate purpose for processing his telephone number.
Case available here (only available in Dutch).
Dutch legislation on the government’s anti-fraud system infringes fundamental (privacy) rights
The Dutch government’s System Risk Indication (“SyRI”) is able to detect and combat fraud in areas such as benefits, allowances and taxes. According to the Dutch Government, SyRI is a technical infrastructure allowing data to be linked and analyzed anonymously in a secure environment in order to generate risk reports.
In 2018, a number of civil society organizations committed to privacy started legal proceedings against the Dutch government to stop the use of SyRI. The claimants argued that the underlying legislation enabling the SyRI system infringes human rights, including privacy rights. The District Court ruled on the lawfulness of SyRI by assessing whether the legal basis of SyRI contravenes higher law. In its assessment, the District Court used fundamental principles of the GDPR to give more substance to the European Convention on Human Rights, including the principles of transparency, data minimisation, integrity and confidentiality.
In the end, the District Court ruled that the SyRI legislation is insufficiently comprehensible and verifiable. The court considered that new technological solutions could play an important role in fraud prevention, but only as long as a fair balance is ensured between the efficiency of the technology and the right to respect for private life.
In response to this judgement, the Dutch Employee Insurance Agency (UWV) has announced it will investigate whether its fraud system complies with (privacy) laws. Case available here.
If you wish to know more about this update, or discuss other data privacy topics, feel free to contact the Amsterdam Privacy Team.