Today, May 25, 2018, we have come to the last GDPR Update of the current series. During the past 16 months, we have discussed various important topics with regard to the GDPR. For an overview, please see the end of this update.
There has been much public debate surrounding the implementation of the new privacy legislation. The abbreviation 'GDPR,' the date of May 25, 2018 and the prospect of €20 million fines have been all over the media, leading to anxiety within many organizations, from globally operating enterprises to local sports clubs.
WP29 publications
We have not been the only ones to publish updates on the GDPR; during the past months, the Article 29 Working Party (the WP29) has not been silent either. The WP29 is an overarching data protection body consisting of local supervisory authorities. It regularly publishes guidelines and opinions on (the interpretation of) various data protection concepts. Although these documents are not legally binding, they do give useful and important insights as to how the supervisory authorities interpret important provisions and principles of the GDPR.
The WP29 has published guidelines on consent, transparency, data breaches, data protection officers, the lead supervisory authority, privacy impact assessments, the right to data portability, profiling and automated decision-making and application and setting of administrative fines. (A guideline on the territorial scope of the GDPR is in the making, but it would have been welcome if the WP29 had issued this earlier.)
The transparency guidelines and the guidelines on consent have proven to be of particular significance for our clients' operations.
The WP29's transparency guidelines focus on the content of organizations' privacy notices, giving a sharper outline to the requirements as set out in articles 13 and 14 GDPR, as well as on the way and form in which data subjects should be informed about the content of these notices. We highly recommend consulting these guidelines when preparing GDPR-compliant privacy notices. Further, the WP29's transparency guideline prescribes that data subjects must be actively informed on revisions of the privacy policy, including any revisions made in view of the GDPR, as well as any subsequent material amendments. Possible ways of actively informing data subjects include sending data subjects an e-mail, providing them with a hardcopy version of the policy or implementing a pop-up at the organization's website displaying the latest changes. WP29's guidance explicitly sets out that merely publishing the new version of the privacy notice on a website and requiring the data subject to check regularly for changes is not sufficient.
Looking at WP29's consent guidelines, it becomes clear that controllers should avoid relying on consent as the legal basis for data processing as much as possible, as obtaining valid consent is not at all straightforward. The definition of consent consists of a number of criteria, and the controller should comply with all of them. The WP29 explicitly states that relying on consent should be avoided in the employment context in particular. (However, we understand that certain EU member states do in fact require employers to obtain consent, hindering a harmonized approach across the EU.)
The WP29's non-binding guidelines and opinions are not always in alignment with common business practices. Moreover, the guidelines are sometimes stricter than the GDPR's wording. Our experience is that supervisory authorities tend to follow these guidelines closely. In addition, Dutch case law on data protection matters (under the Directive) shows that the Dutch courts attach significant importance to WP29 guidance and opinions.
Enforcement activities by supervisory authorities
A large part of the abovementioned public debate focused on potential enforcement activities by supervisory authorities. Organizations seem to be most worried about being fined, accompanied by negative publicity risks.
This anxiety is strengthened by the Dutch supervisory authority's (and other local supervisory authorities') silence with regard to its envisaged enforcement activities. To date, the Dutch supervisory authority (Autoriteit Persoonsgegevens) has not publicized any policies with regard to GDPR enforcement and the imposition of fines in The Netherlands.
We have been receiving many questions from clients who want to understand whether supervisory authorities will start imposing administrative fines immediately after 25 May. As discussed in our GDPR Update on sanctions, we believe this is not to be expected. Organizations that are well underway with implementation of the GDPR today, will likely be subject to other corrective measures prior to being fined. However, supervisory authorities do have the authority to impose fines without warning, and they have clearly left open this possibility.
Final remarks
When looking to implement the GDPR properly, creativity is key: There is little guidance on how various newly introduced requirements should work in practice. The guidance that is available can be found in the recitals of the GDPR, WP29 guidelines, existing policies and guidelines of supervisory authorities and parliamentary documents.
Enforcement activities and binding decisions of supervisory authorities in the coming period will provide additional insight in the interpretation and implementation of the GDPR.
We will continue to provide you with regular updates on the GDPR and the way it is enforced, as well as with relevant developments in the field of personal data protection (e.g. the draft e-Privacy Regulation). Stay tuned!
Please click here to subscribe to our monthly updates on the GDPR.
Overview of subjects
| January 2017 | Territorial scope of the GDPR(Dutch) |
| February 2017 | The Concept of Consent |
| March 2017 | Sensitive Data |
| April 2017 | Accountability, Privacy by Design and Privacy by Default |
| May 2017 | Rights of Data Subjects (information notices) |
| June 2017 | Rights of Data Subjects (access, rectification and portability) |
| July2017 | Rights of Data Subjects (erasure, restriction, objectand automated individual decision-making) |
| August 2017 | Data Processors |
| September 2017 | Data Breaches and Notifications |
| October 2017 | Data Protection Officers |
| November 2017 | Transfer of Personal Data (outside the EEA) |
| December 2017 | Regulators (competence, tasks and powers) |
| January 2018 | One Stop Shop |
| February 2018 | Sanctions |
| March 2018 | Processing of Personal Data in the Employment Context |
| April 2018 | Profiling and Retail |
| May 2018 | Overview |
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
