In this month’s issue we will discuss several publications of the Dutch DPA as well as give you an update on the new EU-U.S. data transfer agreement, the Privacy Shield.
I The Dutch DPA
I.1 Medical data
In an open letter addressed to all the boards of medical institutes in the Netherlands, the Dutch DPA asks for extra attention with regards to the protection of medical data. Apart from external threats, the letter specifically urges institutions to take internal measures to ensure an adequate level of protection. For example, the institution should prevent the unnecessary authorization of employees to medical files.
I.2 Camera Surveillance
The Dutch DPA again emphasizes the fact that employers may only resolve to the use of camera surveillance on their employees if strictly necessary. For example, camera surveillance to tackle fraud may only be used if no other means are available. In addition, the employer will need to discuss the use of camera surveillance with the Works Council.
II Update on Safe Harbor
As a consequence of the Schrems judgment of the European Court of Justice on 6 October 2015, data transfers to the United States on the basis of Safe Harbor are no longer legally valid. Following this judgement (and as briefly mentioned in our previous Newsletter), the European Commission announced on 2 February 2016 that it had reached a political agreement with the United States on a new framework for transatlantic data transfers, named 'EU-U.S. Privacy Shield' (or, unofficially, ‘Safe Harbor 2.0’).
On 29 February 2016 the European Commission has (finally) issued the legal texts (draft adequacy decision and annexes) for this EU-U.S. Privacy Shield. In addition, several supporting documents (FAQs, factsheet) have been published to give a quick overview of recent and future developments.
The proposed documents will now be reviewed by the College of Commissioners. After obtaining the advice of the Article 29 Working Party (29WP) and after consulting a committee composed of representatives of the Member States, the College of Commissioners will either adopt the proposed or request for amendments thereto. The 29WP expects to adopt an opinion on the matter in April.
III General Data Protection Regulation
In December 2015, the EU Commission, Parliament and Council of Ministers reached agreement on the wording of the General Data Protection Regulation (GDPR). The GDPR must, however, still be formally approved by the EU institutions and will then be published in the Official Journal. It is expected that this will take place in the upcoming months. The GDPR will come into force two years and twenty days as from the date of publication in the Official Journal. We will keep you updated on any developments in this respect.