Welcome to Penrose Privacy and data protection law
Penrose advises companies and institutions about privacy and personal data protection matters pursuant to Dutch and European laws and regulations. We draft and provide advice on privacy-related agreements and statements and we provide assistance with internal audits and privacy compliance procedures. In the event of a data breach, we offer immediate assistance with regard to measures and potential liability claims. Below, we have outlined some of the privacy-related issues that we encounter on a daily basis.
Privacy and Compliance
The development of new technologies and data-driven applications is moving at a fast pace. The increasingly strict laws and regulations that govern the use of personal data present a challenge. That said, sound compliance with Dutch privacy rules may also be seen as an opportunity to distinguish your organisation.
What are personal data according to Dutch law? The combination of first and last name is usually self-evident, but what about a business email address or an IP address?
With the introduction of the new privacy legislation (the GDPR or General Data Protection Regulation), the use of personal data within Europe became subject to stricter rules and extended supervision of compliance. Compliance is supervised by the Data Protection Authorities of all EU member states. In the Netherlands this is the Authority for Personal Data.
In essence, the GDPR requires the processing of personal data to be lawful, legitimate and transparent. In this context, the controller of the data has a number of obligations in the Netherlands, such as:
- safeguarding the privacy by design principle;
- implementing appropriate technical and organisational measures to ensure the protection and the security of personal data;
- having the correct privacy documentation in order (e.g. data processor agreements and privacy statements).
Privacy statements, processing agreements and cookies
The GDPR not only demands the lawful and legitimate processing of personal data; the organisation must also be able to demonstrate compliance on the basis of documentation, for example internal privacy and security policies, processor agreements, privacy statements and cookie statements.
Personal data breach
A personal data breach is a breach of information security that results in unauthorised access to personal data. The breach can be intentional and unlawful, for example through hacking, phishing or other forms of cybercrime. However, the breach may also happen accidentally, e.g. by sending personal data to the wrong recipient or leaving a laptop or USB stick containing personal data on public transport.
Companies and organisations, under certain circumstances, are obliged to report the data breach to the Dutch Data Protection Authority and in some cases also to the data subject(s) whose personal data is involved. If the data leak is caused by the processor of the personal data, proper processor agreements regarding timely notification and cooperation are important for the controller to be able to comply with the GDPR obligations. In addition, the question of liability for any damages will also be relevant.
Personal data in mergers and acquisitions
In preparation for a merger or acquisition, documents containing personal data, for example of employees or customers, are often shared (as part of due diligence). Both from the perspective of the seller and the (potential) buyer, it is important to pay attention to the Dutch privacy and data protection aspects in this regard.