Approach Authority in 2018
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) reported in December 2018 that it had received almost 10,000 complaints under the GDPR. These were mainly related to an alleged violation of privacy rights, the transfer of personal data to third parties and/or the collection of unnecessary personal data. Up until now the Authority has mainly focused on ending possible violations by educating organisations and pushing for corrective measures. In a few cases an order subject to a penalty (een last onder dwangsom) has been imposed to force an organisation to comply, as well as a fine for failing to notify a security breach in time under the former privacy legislation. Corrective measures imposed include: the UWV (the organisation responsible for implementing social security regulations) being required to implement multi-factor authentication to protect health data in an online portal, the National Police being required to improve certain security measures, and the tax authorities no longer being allowed to use the citizen service number in the Value Added Tax identification number of self-employed persons as of 1 January 2020.
Processing health data on a large scale
The GDPR contains a number of obligations for parties that process sensitive data on a large scale or whose core activity consists of processing sensitive data on a large scale. In this scope, the Authority explained that, among organisations that have healthcare as their core activity, it considers all hospitals, joint GP practices (huisartsenposten) and care provider groups (e.g. joint cooperations that offer the same type of care, such as paediatric care) to process sensitive personal data on a large scale by default. For single GP practices and institutions for specific medical care, the threshold for large scale is 10,000 patients (registered or annually cared for on average).
Concrete numbers in light of the open norms of the GDPR are very welcome. In our view, this opinion in any case shows that large companies that process sensitive data of their personnel, such as data on disabilities, will probably not be processing sensitive data on a large scale within the meaning of the GDPR.
PSD2 in NL
On 4 December 2018, the Dutch implementation act for PSD2 was accepted by the Dutch Senate (Eerste Kamer). We are now awaiting an implementation date, which is expected in the near future.
PSD2 should have been implemented in Dutch law on 13 January 2018. One of the reasons for the delay was the Dutch Data Protection Authority's view that the supervision of the processing of personal data under PSD2 should lie fully within its scope and not within the scope of the Dutch National Bank (De Nederlandsche Bank). A compromise has been found in granting the Authority exclusive continuous supervision with respect to the explicit consent requirement of Article 94(2) PSD2 (in addition to the GDPR supervision of the general personal data processing activities of each payment service provider). PSD2-related privacy issues, especially in the field of silent party data (see "the EU"), remain an ongoing concern in the Dutch media.