06 Jan '23
Since the introduction of the General Data Protection Regulation (GDPR) in 2018, new developments within privacy law have followed in rapid succession. The past year (2022) was no exception. Time to look back and provide an overview of a number of important issues.
Even in 2022 - following the Schrems II case - questions about international data exchange remain on the agenda. In January 2022, a decision by the Austrian Data Protection Authority (DSB) caused much commotion. The DSB ruled that the use of Google Analytics (cookies) was not permissible, because it involves the transfer of data to Google in the United States without adequate safeguards. This made it clear once again that it is insufficient to state on paper that adequate safeguards are in place when data is transferred - adequate safeguards must actually be in place. Also read again this blog.
This judgment was the result of consultations of all national regulators united in the European Data Protection Board (EDPB). The Dutch Personal Data Authority (AP) is also part of this. The AP indicated "early 2022" would also come up with an opinion. However, this judgment has not materialized. However, the AP did warn that the use of Google Analytics may not be allowed.
Now that we have reached the end of the year, however, a remedy for data transfers to the U.S. seems to be on the horizon. This in the form of a adequacy decision, the draft of which has now been published, on Dec. 13. When this adequacy decision becomes final, it will be possible to exchange data with U.S. entities without further measures. Of course, this will then only apply to the exchange of personal data with entities in the United States. For other countries outside the European Economic Area (without an adequacy decision), the principle remains that adequate safeguards must be in place.
This topic has been under discussion for quite some time. Unfortunately, full clarity has still not been obtained as to whether a commercial interest can be a "legitimate interest" (as mentioned in Article 6 AVG) on which processing may be based. However, preliminary questions have now been submitted to the Court of Justice. Whether we can expect answers to these in 2023 remains equally exciting, as the Court takes an average of 17 months to respond to preliminary questions. In the meantime, a thorough case-by-case assessment of the processing basis is required. Read more about this in our earlier blog: Is a commercial interest a legitimate interest | Ploum Rotterdam Law Firm.
The European Court of Justice ("ECJ") ruled on Aug. 1 that data from which information falling into a special category of personal data can be deduced indirectly (Article 9 AVG) must also be treated as data falling into that special category. This is important because the processing of personal data that falls into a special category is subject to stricter rules (in principle, a processing ban). Read more about this topic here: Perhaps processing special personal data sooner than thought | Ploum Rotterdam Law Firm.
At least in 2022, the ECJ responded to questions raised regarding the UBO register. That register recorded data of UBOs (ultimate beneficial owners of companies). This data could then be viewed by anyone and now that this too much affects the privacy of those included in the register, the provision of this information to an unrestricted public has been stopped by the CJEU. The registry is expected to be restored to limited access by competent authorities soon.
It is notable that the AP published a limited number of fines in the past year, compared to last year. Fines were imposed for, among other things, unnecessarily requesting a proof of identity, poor security of and information about processing, unlawful processing of data and the use of a blacklist and for not carrying out a risk analysis for high-risk processing (camera images). The reasons for which fines have been imposed are quite diverse, but by now we see a number of topics recurring such as security measures, risk analyses, assessing processing grounds, reporting data breaches and facilitating data subjects' rights.
There may also eventually be an adjustment to the AP's current fining policies following a publication by the European Data Protection Board (EDPB) on the calculation of fines. This could well lead to (significantly) higher fines. All the more reason to take another close look at your privacy policy.
Do you have questions about processing personal data or would you like to review your organization's processing of personal data? Feel free to contact us at privacy@ploum.nl or read more about our Privacy Helpdesk and the Privacy Quick Scan.
11 Nov 24
14 Oct 24
13 Oct 24
07 Oct 24
13 Aug 24
13 Aug 24
04 Jun 24
13 May 24
02 May 24
08 Apr 24
04 Apr 24
21 Mar 24
Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.
Stay up to date with the latest legal developments in your sector. Fill in your personal details below to receive invitations to events and legal updates that matches your interest.
Follow what you find interesting
Receive recommendations based on your interests
{phrase:advantage_3}
{phrase:advantage_4}
We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.
A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.