March 2019 has been quite active for the Dutch Data Protection Authority ("Dutch DPA"). The Dutch DPA started by providing guidance on the use of cookie walls. Just one week later, it published its modified fining policy rules, and finally it released a news report explaining the rules on alcohol and drug tests on employees during working hours.
Cookie walls which require visitors to accept tracking cookies are prohibited
On 7 March 2019, the Dutch DPA published a news report about tracking cookies. In particular, the Dutch DPA indicated that websites which only allow visitors access if they agree to tracking cookies are violating the GDPR. This means the use of cookie walls which require visitors to accept tracking cookies is prohibited. These cookie walls do not provide visitors with the possibility to 'freely give' their consent to tracking cookies, because, if they withhold their consent, they will not be able to access the website. The Dutch DPA announced that it will intensify its monitoring of compliance with this prohibition. Website operators using cookie walls which include tracking cookies should consider themselves warned.
Fining policy rules for 2019 in the Netherlands
On 14 March 2019, the Dutch DPA published an update to its fining policy rules ('Boetebeleidsregels Autoriteit Persoonsgegevens 2019'). This policy is used by the Dutch DPA to decide the level of administrative fines in the event of violations of the GDPR and the GDPR Implementation Act ('Uitvoeringswet AVG'). The Dutch DPA may also impose fines for violations under the Police Data Act and the Judicial and Procedural Data Act, and for certain violations of the Telecommunications Act, the eIDAS Regulation and the General Administrative Law Act.
For each statutory maximum fine in these laws (the GDPR provides for fines of up to EUR 20 million or 4% of the company's global annual turnover), the Dutch DPA classified the violations into three or four fine categories. The classification is based on the gravity and intrusiveness of the violation and the relationship with the other standards in data protection laws. The Dutch DPA has set a basic fine for each category, starting from EUR 100,000 up to EUR 725,000. These amounts are applied as a starting point for the Dutch DPA to calculate the fine in each individual case.
However, the Dutch DPA can still deviate from the fining policy rules and impose higher fines than those in the categories above, if the limits of the categories are not "deemed appropriate". Furthermore, the modified fining policy is temporary and only applies in the Netherlands. The Dutch DPA indicated it is still awaiting the results of the efforts of the European Data Protection Board ('EDPB') to set EU-wide fining guidelines for the GDPR.
Alcohol and drug tests for employees
On 15 March 2019, the Dutch DPA released a news report about testing for the use of alcohol, drugs and medicines during working hours. The Dutch DPA indicated that employees may only be tested for the use of alcohol and drugs if there is a specific legal basis to do so.
If an employer carries out any of these tests without a specific legal basis, they are in breach of the GDPR. The main reason for this position is that the results of these tests contain health data, which is a special category of personal data that may not be processed without a sufficient legal basis.
Currently, only one legal basis exists for testing employees. This applies to pilots, skippers and train drivers, where there is a risk that they are using alcohol or drugs shortly before work or while at work: the Alcohol, Drugs and Medicines Decree (only in Dutch). In addition to the legal basis requirement, the employer must implement safeguards to minimise violations of the employee's privacy rights. The Dutch DPA has indicated that, as an alternative to alcohol and drug testing, a pro-active HR policy could also be an effective way to discourage the use of alcohol and drugs shortly before or during working hours.