In this month’s issue we will discuss several publications of the Dutch DPA and give you an update on the status of the GDPR and the new EU-U.S. Privacy Shield.

I The Dutch DPA

  1. Dutch municipalities negligent with processing of personal data

The Dutch DPA found that many Dutch municipalities are not sufficiently aware of the conditions under which personal data of citizens may be processed. It observed that municipalities regularly and wrongfully ask citizens to consent to the processing of their personal health data. The Dutch DPA issued recommendations and indicated that it will follow up and investigate whether municipalities have implemented them.

  2. Dutch DPA issues guidelines on ‘ill employees’

The Dutch DPA updated its guidelines on the processing of personal data of ‘ill employees’. The guidelines offer practical guidance on the processing of employees’ health data by employers, the company doctor, insurers and other third parties, and on the exchange of such data among those parties.

II European Developments

  1. General Data Protection Regulation (GDPR)

Following its approval by the European Parliament on 14 April 2016, the EU General Data Protection Regulation (GDPR) was published in the Official Journal of the EU on 27 April 2016. The GDPR will replace the existing EU Data Protection Directive (95/46/EC) and will take effect on 25 May 2018.

  2. Update on EU-U.S. Privacy Shield

The Article 29 Working Party (29WP) has issued an opinion on the draft adequacy decision of the European Commission on the EU-U.S. Privacy Shield. Although the 29WP welcomes some significant improvements in the Privacy Shield compared to the Safe Harbor principles, it takes the view that the Privacy Shield in its current form (still) does not ensure adequate safeguards for the protection of personal data (equivalent to that of the EU). The 29WP therefore urges the Commission to resolve the concerns raised by the 29WP.