
GDPR


The EU data protection landscape, having remained largely unchanged since 1995, is now on the brink of a radical transformation. After extensive negotiations, the GDPR was formally adopted on 4 May 2016 and is set to replace most EU data protection legislation.

Unlike the current Directive, the GDPR will be directly applicable in all EU Member States without the need for national legislation. It will apply from 25 May 2018.

The GDPR brings new concepts into the regulatory spotlight, including profiling and the right to be forgotten. It imposes extensive new obligations on businesses and transforms the role of the Data Processor. Rights for individuals are significantly strengthened and maximum fines in respect of breaches are increased exponentially to €20,000,000 or 4% of annual worldwide turnover under the GDPR.

If you would like more information on the GDPR or the Directive, please contact one of the members of our Data Protection & Privacy team.


Feed

09/09/2021
The Changing Face of Cyber Claims
A cyber insurance loss study in Continental Europe
27/05/2021
GDPR Enforcement Tracker Report
When the GDPR was already in force, but not yet applicable (and not a single fine had been imposed yet), much attention was paid to the formidable fine framework. For many company officers, this caused fear: if I violate the GDPR, I have one foot in jail (or at least my organisation has to pay EUR 20 million or 4% of its global annual turnover, calculated for the whole group, if the company is part of one).

We believe that facts are better than fear.

The continuously updated list of publicly known GDPR fines in the GDPR Enforcement Tracker is our 24/7 remedy against fear, while the annual Enforcement Tracker Report is our deep dive and permits more insights into the world of GDPR fines. We are pleased that our analysis for this second edition of the ET Report is based on a larger overall data set of more than 570 fine cases, 526 of which made it into the editorial team's worksheet.

More international

We are even more pleased that more international colleagues supported us this time and provided detailed input on enforcement practice, in particular for EU member states in the new member state interviews (Editor's note: the United Kingdom remains part of the Enforcement Tracker Report and the Enforcement Tracker as the UK General Data Protection Regulation ensures regulatory consistency regardless of Brexit).

Local law and practice matter

After almost three years of GDPR application, we are not the only ones to have learned one thing: despite the GDPR's full harmonisation approach, hardly any other area is shaped more by national laws and official practice than GDPR fines. This may be a reason why Spain still tops the list of countries with the most fines this year.

Executive Summary

As we are aware that privacy professionals are unlikely to have a peaceful job in these challenging times, the second edition kicks off with an executive summary for the quick reader (including overall takeaways, in addition to sector-specific observations). Having intentionally opted for an online-only publication, the ET Report's ExecSum is the only part that you can conveniently download (or even print out for bedtime reading without a digital device).

Numbers & figures and sector approach

We have put together an overall summary of the existing fines in the "Numbers and Figures" section, followed by tried-and-tested analysis for the following business sectors: Finance, insurance and consulting; Accommodation and hospitality; Health care; Industry and commerce; Real estate; Media, telecoms and broadcasting; Public sector and education; Transportation and energy; Individuals and private associations; plus the overarching category Employment.

Your takeaways

This in-depth analysis permits first conclusions to be drawn as to which business sectors attracted particularly hefty fines. We also analysed the DPAs' reasonings for the fines. These aspects together allow us to provide you with key takeaways for each business sector. Apart from the lawfulness of each data processing operation, bolstering data security should remain in the spotlight for every organisation. There are already relevant indications in terms of data protection litigation – in particular, data subjects' claims for material or immaterial damages under Art. 82 of the GDPR are on the rise. This trend is unlikely to stop, being in particular supported by collective redress mechanisms and legal tech offerings that are already increasing the risks of and resources needed for data protection claims management.

Methodology

We do not resort to witchcraft nor do we have preferential access to GDPR fine information (at least in most cases, but we are still working on that…) when working in the Enforcement Tracker engine room and preparing the Enforcement Tracker Report. In addition to our necessary focus on publicly available fines, there are some other inherent limits to the data behind this whole exercise. For the "small print", please see our more detailed remarks on methodology. On a more general level, although we have done our best to break down a complex topic into neat pieces, we have resisted the temptation to follow SEO recommendations for the whole content package and would ask you to consider it a "long read" format if you decide to read it in full.

What's next?

The Enforcement Tracker Report and the Enforcement Tracker are a work in progress. We highly appreciate any form of feedback (preferably constructive…) and would like to thank everybody who has reached out over the last year. We received interesting ideas, information about forgotten fines (hidden deeply in remote corners of a supposedly completely captured world) and recommendations for additional features (our bucket list is growing steadily), as well as relevant contributions from stakeholders outside the EU – demonstrating that the data protection landscape is evolving rapidly on a global scale and interfaces between national/regional concepts are developing even in the absence of a global data protection law. We have engaged with peers from the legal profession, privacy professionals with a more advanced tech background as well as researchers from various disciplines. We strongly encourage you to continue engaging with us. And we apologise in advance if our feedback may take some time; the data protection world is not a quiet one right now.

Stay safe – and keep on fighting,
Christian Runte, Michael Kamps, editors and the enforcement tracking and reporting team

05/03/2021
Data protection and cybersecurity laws in Netherlands
Data protection 1. Local data protection laws and scope General Data Protection Regulation ("GDPR") (Algemene Verordening Gegevensbescherming) The Dutch GDPR Implementation Act ("DGIA") (Uitvoeringswet...
22/10/2020
CMS launches data breach app
CMS launches its Breach Assistant app, a technology platform that gives businesses affected by a potential data breach or other cyber incident a headstart during the first critical hours. CMS has developed...
11/05/2020
AI in Life Sciences
Artificial intelligence is not new: the term itself was coined over 60 years ago. However, the convergence of data volume, processing power and technical capability has convinced many that the AI era...
04/05/2020
5 misconceptions about the GDPR data breach notification
In 2019, the Dutch Data Protection Authority (DDPA) received 26.956 data breach notifications. The majority of these breaches were notified by organisations active in the health sector (mostly hospitals...
16/03/2020
Employment and commercial aspects of Coronavirus
The situation regarding COVID-19 (Coronavirus) is developing worldwide. Companies are now faced with unique challenges and various concerns, including many legal questions. What obligations do employers...
05/03/2020
Coronavirus: employer measures and policies
COVID-19, the disease associated with the coronavirus that has dominated global news in recent weeks, is being battled on many fronts with specific measures designed to reduce its effects. Although the...
16/12/2019
CMS is releasing its ‘Sharing is (S)caring’ Podcast Series
What are the key technical, policy, commercial and ethical building blocks that must be in place to meet the needs of a digital society that is not only inclusive, sustainable, commercially viable, but...
11/12/2019
Sharing is (S)caring: Your face is a weapon
Many will already be familiar with 'facial recognition'. The term is regularly seen in news stories, with communities such as San Francisco banning the use of it by their police departments. If you use...
10/09/2019
Tokenized Assets: Developing an Ecosystem for Digital Real Estate Assets
Blockchain technology may be changing the real estate sector sooner than you think. Real estate professionals and blockchain experts will discuss the expectations, impact, obstacles and risks. The panelists...
21/08/2019
Tokenized Assets: An Investor’s Perspective
What asset classes are best suited to tokenization? How to persuade management into tokenized investments? Private investor Robert Nass; Maven11 Head of Investments and Trading, Balder Bomans; Frijt CEO...