In this month’s issue we will discuss several publications of the Dutch DPA, a legislative proposal as well as give you an update on the status of the GDPR and the new EU-U.S. Privacy Shield.
I The Dutch DPA
1) The Dutch DPA warns employers about use of medical data
The Dutch DPA issued several warnings related to the processing of medical data by employers:
- In one of these warnings, the Dutch DPA states that an employer may not ask employees about the nature and/or cause of their disease when an employee calls in sick. An employer may only process a limited amount of medical data of sick employees, for the purpose of its obligation to continue to pay wages or for reintegration purposes. An employer may, for example, ask for the expected duration of the absence and inquire whether it would be possible for the employee to perform other types of work.
- Another warning relates to the processing of medical data collected through (technical) devices, such as fit bands or wearables, provided by employers to their employees. The Dutch DPA states that employers are allowed to provide such wearables to employees, but that employers should refrain from processing any health data of employees through such devices (even if an employee has given its consent thereto). This means, in practice, that the devices should only be given to employees for personal use.
2) Contact forms on websites
The Dutch DPA has issued a letter to the Royal Dutch Association of Physiotherapy elaborating on security standards that should be taken into account with respect to contact forms on their websites. The Dutch DPA states, among others, that contact forms should comply with the NCSC ICT – security guidelines for web applications (2015). These general guidelines cover aspects such as data classification, access control and vulnerability management and can also be used with respect to contact forms on other types of websites.
II Other Dutch developments
1) Camera monitoring; Dutch Senate approves the use of flexible cameras by municipalities
On 22March 2016, the Dutch Senate approved an amendment of the Dutch Municipalities Act allowing municipalities to use camera monitoring for purposes of maintaining public order. The amended rules gives the mayor the authority to decide on the use of camera monitoring in public spaces on a more flexible basis than under the current legislation (as the cameras used do no longer need to be permanent and can also be used for a specific time period and area). The amended rules should enter into force as per 1 July 2016.
Contrary to previous statements, and in anticipation of the new General Data Protection Regulation, the Dutch DPA stated in its recently published policy rules on camera surveillance (dated 28 January 2016), that camera images of a person do not necessarily qualify as sensitive personal data, even though the images contain racial features.
III European Developments
1) General Data Protection Regulation (GDPR)
Approval of the GDPR may be postponed. Following an informal summit about the GDPR, State Dutch Secretary of Justice Mr Teeven stated that he does not expect approval of the GDPR before the end of 2016 and perhaps not even until early 2017. The main reason for the expected delay is the ongoing disagreement on the qualification of police data.
2) Update on Safe Harbor
After the publication of the draft legal texts of the EU-U.S. Privacy Shield, the DPA of the German city-state Hamburg has expressed its doubts on the Privacy Shield. Other DPAs are still assessing the legal texts and should report their comments to the European Commission by mid-April. The article 29 Working Party also expects to adopt an opinion on the draft legal texts in April. We will keep you updated on this matter.