Home / Insight / AVG

AVG

Terug naar Data protection

Het landschap voor privacyregelgeving, in het bijzonder de bescherming van persoonsgegevens, is grotendeels ongewijzigd gebleven sinds 1995. Dit landschap verandert binnenkort ingrijpend. Na uitgebreide onderhandelingen werd namelijk op 4 mei 2016 de Algemene verordening gegevensbescherming (AVG) formeel vastgesteld. De AVG vervangt richtlijn 95/46/EG en daarmee een groot deel van de huidige EU-wetgeving betreffende persoonsgegevensbescherming (hierna: 'gegevensbescherming').

De AVG is rechtstreeks van toepassing in alle EU-lidstaten zonder dat omzetting in nationale wetgeving nodig is. Dit in tegenstelling tot richtlijn 95/46/EG (de Richtlijn bescherming persoonsgegevens, hierna: de Richtlijn), die in Nederland is geïmplementeerd in de Wet bescherming persoonsgegevens. Met ingang van 25 mei 2018 vervangt de AVG dus een groot deel van de nationale wetgeving van de lidstaten op het gebied van gegevensbescherming.

De AVG introduceert nieuwe concepten in de regelgeving, zoals het recht op vergetelheid. Zij bevat uitgebreide nieuwe verplichtingen voor het bedrijfsleven en verandert de rol van de functionaris gegevensbescherming in een onderneming ingrijpend. De rechten voor particulieren zijn aanzienlijk versterkt en de maximale boetes die opgelegd kunnen worden bij niet-naleving zijn exponentieel gestegen tot € 20.000.000 of 4% van de jaarlijkse wereldwijde omzet van een onderneming.

Als u meer informatie wenst over de AVG of de Richtlijn, neem dan contact op met een van de leden van ons Data Protection & Privacy team.

Da­ta Law Na­vi­ga­tor | The Ne­ther­lands
<< back to Over­viewThe con­tent will be pe­ri­o­di­cally up­da­ted by our la­wy­ers but, gi­ven the con­stant­ly evol­ving laws in this area, we can­not gu­a­ran­tee the con­tent is com­ple­te and ac­cu­ra­te.Jump di­rect­ly to Cy­ber Se­cu­ri­ty >> Da­ta Pro­tec­ti­onLast up­da­ted May 2020Risk sca­leme­di­umLaws Ge­ne­ral Da­ta Pro­tec­ti­on Re­gu­la­ti­on (“GD­PR”)Dut­ch GD­PR Im­ple­men­ta­ti­on Act (“DGIA”, in Dut­ch: Uit­voe­rings­wet Al­ge­me­ne ver­or­de­ning ge­ge­vens­be­scher­ming)Dut­ch Te­le­com­mu­ni­ca­ti­ons Act (in Dut­ch: Te­le­com­mu­ni­ca­tie­wet)Au­tho­ri­tyDut­ch Da­ta Pro­tec­ti­on Au­tho­ri­ty (“DDPA”, in Dut­ch: Au­to­ri­teit Per­soons­ge­ge­vens)If ap­pli­ca­ble: sta­ge of le­gis­la­ti­ve im­ple­men­ta­ti­on of GD­PRThe Dut­ch Par­li­a­ment pas­sed the DGIA that be­ca­me ef­fec­ti­ve on 25 May 2018.If ap­pli­ca­ble: lo­cal de­ro­ga­ti­ons as per­mit­ted by GD­PR The DGIA ta­kes a po­li­cy-neu­tral ap­pro­ach to im­ple­men­ta­ti­on of the GD­PR. This means that on­ly exis­ting ex­cep­ti­ons will be main­tai­ned. This ap­plies, for example, to the re­gu­la­ti­on on the pro­ces­sing of a na­ti­o­nal per­so­nal iden­ti­fi­ca­ti­on num­ber and the pro­ces­sing of spe­ci­al ca­te­go­ries of per­so­nal da­ta.Sco­peThe DGIA ap­plies to the pro­ces­sing of per­so­nal da­ta (whol­ly or part­ly by au­to­ma­ted means and to the pro­ces­sing other than by au­to­ma­ted means of per­so­nal da­ta which form part of a fi­ling sy­s­tem or are in­ten­ded to form part of a fi­ling sy­s­tem):in the con­text of ac­ti­vi­ties of an es­ta­blish­ment of a con­trol­ler or pro­ces­sor in the Ne­ther­lands; andof da­ta sub­jects in the Ne­ther­lands by a con­trol­ler or pro­ces­sor not es­ta­blis­hed in the Eu­ro­pean Union, whe­re the pro­ces­sing ac­ti­vi­ties are re­la­ted to:of­fe­ring goods or ser­vi­ces to such da­ta sub­jects in the Ne­ther­lands, ir­res­pec­ti­ve of whe­ther pay­ment is re­qui­red from them; or the mo­ni­to­ring of their be­ha­vi­our in so far as this be­ha­vi­our ta­kes pla­ce within the Ne­ther­lands.The DGIA does not ap­ply to the pro­ces­sing of da­ta:in the cour­se of a pu­re­ly per­so­nal or hou­se­hold ac­ti­vi­ty;by or on be­half of the in­tel­li­gen­ce and se­cu­ri­ty ser­vi­ces;which is gover­ned by or pur­su­ant to the Per­sons Da­ta­ba­se Act;for the im­ple­men­ta­ti­on of the Ju­di­ci­al In­for­ma­ti­on and Cri­mi­nal Re­cords Act;for the im­ple­men­ta­ti­on of the Elec­ti­on Act;by the ar­med for­ces if the Mi­nis­ter of De­fen­ce de­ci­des that the da­ta pro­ces­sing is for the pur­po­ses of de­ploying or ma­king avai­la­ble the ar­med for­ces to main­tain or pro­mo­te the in­ter­na­ti­o­nal legal or­der;car­ried out so­le­ly for jour­na­lis­tic, ar­tis­tic or li­tera­ry pur­po­ses.Pe­nal­ties/en­for­ce­mentSanc­ti­ons un­der the GD­PR:Fi­nan­ci­al pe­nal­ties are the pri­ma­ry sanc­ti­on against the con­trol­ler and the pro­ces­sor, thus, against the com­pa­ny.Pe­nal­ties:Up to EUR10 mil­li­on or up to 2% of to­tal glo­bal sa­les for com­pa­nies (in ca­se of in­va­lid con­sent of child­ren, vi­o­la­ti­on of pri­va­cy by de­sign, etc.);Up to EUR20 mil­li­on or up to 4% of to­tal glo­bal sa­les for com­pa­nies (in ca­se of vi­o­la­ti­on of prin­ci­ples (in­clu­ding con­sent), in­ad­mis­si­ble trans­fer to third coun­tries, etc.).Re­gi­stra­ti­on/no­ti­fi­ca­ti­on In ac­cor­dan­ce with Ar­ti­cle 36 GD­PR: the con­trol­ler shall con­sult the su­per­vi­so­ry au­tho­ri­ty pri­or to pro­ces­sing whe­re a da­ta pro­tec­ti­on im­pact as­sess­ment (un­der Ar­ti­cle 35 GD­PR) in­di­ca­tes that the pro­ces­sing would re­sult in a high risk in the ab­sen­ce of me­a­su­res ta­ken by the con­trol­ler to mi­ti­ga­te the risk.Main obli­ga­ti­ons and pro­ces­sing re­qui­re­mentsThe main obli­ga­ti­ons and pro­ces­sing re­qui­re­ments are iden­ti­cal the pro­vi­si­ons as set out in the GD­PR.Da­ta sub­ject rightsIn ac­cor­dan­ce with Chap­ter III GD­PR.Pro­ces­sing by third par­tiesIn ac­cor­dan­ce with Ar­ti­cle 28 GD­PR.Trans­fers out of Coun­tryIn ac­cor­dan­ce with Chap­ter V GD­PR.Da­ta Pro­tec­ti­on Of­fi­cerIn ac­cor­dan­ce with Ar­ti­cles 37-39 GD­PR.The DGIA pro­vi­des that the da­ta pro­tec­ti­on of­fi­cer must main­tain the se­cre­cy of any in­for­ma­ti­on that be­co­mes known to him or her pur­su­ant to a com­plaint by or re­quest from a da­ta sub­ject, un­less the da­ta sub­ject agrees to dis­clo­su­re.Se­cu­ri­tyIn ac­cor­dan­ce with Ar­ti­cle 32 GD­PR.Breach no­ti­fi­ca­ti­onIn ac­cor­dan­ce with Ar­ti­cles 33-34 GD­PR.The da­ta breach no­ti­fi­ca­ti­on obli­ga­ti­on to­wards da­ta sub­jects does not ap­ply to fi­nan­ci­al com­pa­nies as re­fer­red to in the Fi­nan­ci­al Su­per­vi­si­on Act (in Dut­ch: Wet op het Fi­nan­ci­eel Toe­zicht).Di­rect Mar­ke­tingIn sum­ma­ry, as re­fer­red in ar­ti­cle 11.7 of the Te­le­com­mu­ni­ca­ti­ons Act:By fax, e-mail and SMS: pri­or con­sent re­qui­red (opt-in);By means of te­lep­ho­ne or other means: al­lo­wed un­less so­me­o­ne op­ted-out. Al­so, be awa­re of the exis­ten­ce of the "do not call me re­gis­ter" (Bel-me-niet Re­gis­ter) and the "mail fil­ter" (Post­fil­ter).The­re are a num­ber of spe­ci­fic ex­cep­ti­ons to the re­qui­re­ment of con­sent:If the user is a legal en­ti­ty or a na­tu­ral per­son ac­ting in the exer­ci­se of its/his pro­fes­si­on or bu­si­ness, no pri­or con­sent shall be re­qui­red for the trans­mis­si­on by means of elec­tro­nic mail of un­so­li­ci­ted com­mu­ni­ca­ti­ons for com­mer­ci­al, ide­a­lis­tic, or cha­ri­ta­ble pur­po­ses:a. If the sen­der when trans­mit­ting the com­mu­ni­ca­ti­on ma­kes use of elec­tro­nic con­tact de­tails in­ten­ded and pro­vi­ded by the user and said con­tact de­tails ha­ve been used in ac­cor­dan­ce with the pur­po­ses at­ta­ched to said con­tact de­tails by the user; orb. If the user is ba­sed out­si­de the Eu­ro­pean Eco­no­mic Area and the ru­les re­gar­ding the sen­ding of un­so­li­ci­ted com­mu­ni­ca­ti­ons in the coun­try con­cerned ha­ve been com­p­lied with.A par­ty that has ac­qui­red elec­tro­nic con­tact de­tails for elec­tro­nic mes­sa­ges in the con­text of the sa­le of its pro­duct or ser­vi­ce may use said da­ta to trans­mit com­mu­ni­ca­ti­ons for com­mer­ci­al, ide­a­lis­tic, or cha­ri­ta­ble pur­po­ses with re­gard to its own si­mi­lar pro­ducts or ser­vi­ces if, when the con­tact de­tails we­re ac­qui­red, the cus­to­mer was clear­ly and ex­pli­cit­ly gi­ven the op­por­tu­ni­ty to ob­ject, free of char­ge and in a sim­ple man­ner, to the use of said elec­tro­nic con­tact de­tails and, if the cus­to­mer did not avail himself of said op­por­tu­ni­ty, he is of­fe­red the op­por­tu­ni­ty du­ring eve­ry in­stan­ce of com­mu­ni­ca­ti­on, to ob­ject, on the sa­me con­di­ti­ons, to the fur­ther use of his elec­tro­nic con­tact da­ta.Coo­kiesAs re­fer­red in ar­ti­cle 11.7a of the Te­le­com­mu­ni­ca­ti­ons Act:Using coo­kies or si­mi­lar tech­ni­ques is on­ly al­lo­wed if the user has been pro­vi­ded with clear and com­ple­te in­for­ma­ti­on in ac­cor­dan­ce with the Per­so­nal Da­ta Pro­tec­ti­on Act and has gi­ven con­sent for the ac­ti­on con­cerned. Howe­ver, this ru­le does not ap­ply if:the coo­kie is used for the so­le pur­po­se of car­rying out com­mu­ni­ca­ti­ons over an elec­tro­nic com­mu­ni­ca­ti­ons net­work;the coo­kie is strict­ly ne­ces­sa­ry to pro­vi­de an in­for­ma­ti­on so­ci­e­ty ser­vi­ce re­quested by the user; orthe coo­kie is used to ob­tain in­for­ma­ti­on about the qua­li­ty or ef­fec­ti­ve­ness of a ser­vi­ce pro­vi­ded, on the con­di­ti­on that this has on­ly li­mi­ted im­pact on the user's pri­va­cy.Use­ful linksWeb­si­te Dut­ch Da­ta Pro­tec­ti­on Au­tho­ri­tyDut­ch GD­PR Im­ple­men­ta­ti­on Act textDut­ch Te­le­com­mu­ni­ca­ti­ons Act text Cy­ber Se­cu­ri­tyLast up­da­ted April 2020Risk Sca­leme­di­um*This as­sess­ment is ba­sed on the as­sump­ti­on that the CA will en­ter in­to for­ce with si­mi­lar pro­vi­si­ons as the cur­rent CA con­sulta­ti­on draft.Laws and re­gu­la­ti­onsThe Net­work and In­for­ma­ti­on Sys­tems Se­cu­ri­ty Act ("NIS­SA", Wet be­vei­li­ging net­werk- en in­for­ma­tie­sys­te­men)The NIS­SA im­ple­ments NIS Di­rec­ti­ve (EU) 2016/1148.Ap­pli­ca­ti­on The NIS­SA ap­plies to:"di­gi­tal ser­vi­ce pro­vi­ders" (within the me­a­ning of the NIS Di­rec­ti­ve) with a main es­ta­blish­ment in the Ne­ther­lands, ex­clu­ding small and mi­cro en­ter­pri­ses; andde­sig­na­ted "vi­tal ope­ra­tors" in the Ne­ther­lands, di­vi­ded in:"ope­ra­tors of es­sen­ti­al ser­vi­ces" (within the me­a­ning of the NIS Di­rec­ti­ve); andope­ra­tors of other ser­vi­ces of which the con­ti­nui­ty is of vi­tal im­por­tan­ce for the Dut­ch so­ci­e­ty.The de­sig­na­ti­on of vi­tal ope­ra­tors can be found in the Net­work and In­for­ma­ti­on Sys­tems Se­cu­ri­ty De­cree ("NISSD", Be­sluit be­vei­li­ging net­werk- en in­for­ma­tie­sys­te­men).Di­gi­tal ser­vi­ce pro­vi­ders not es­ta­blis­hed in the EU must ap­point a re­pre­sen­ta­ti­ve that acts on its be­half. The re­pre­sen­ta­ti­ve may be ad­dres­sed with re­gard to the NIS­SA ba­sed obli­ga­ti­ons.Au­tho­ri­tyThe com­pe­tent au­tho­ri­ty for di­gi­tal ser­vi­ce pro­vi­ders is the Mi­nis­ter of Eco­no­mic Af­fairs and Cli­ma­te (Mi­nis­ter van Eco­no­mi­sche Za­ken en Kli­maat). The Ra­dio­com­mu­ni­ca­ti­ons Ag­en­cy Ne­ther­lands (Agent­schap Te­le­com, part of the Mi­ni­stry of Eco­no­mic Af­fairs and Cli­ma­te) acts as su­per­vi­sor.With re­gard to ener­gy and di­gi­tal in­fra­struc­tu­re, the com­pe­tent au­tho­ri­ty is the Mi­nis­ter of Eco­no­mic Af­fairs and Cli­ma­te. The Ra­dio­com­mu­ni­ca­ti­ons Ag­en­cy Ne­ther­lands acts as su­per­vi­sor.With re­gard to (i) trans­port and (ii) the sup­ply and dis­tri­bu­ti­on of drin­king wa­ter, the com­pe­tent au­tho­ri­ty is the Mi­nis­ter of In­fra­struc­tu­re and Wa­ter Ma­na­ge­ment (Mi­nis­ter van In­fra­struc­tuur en Wa­ter­staat). The Hu­man En­vi­ron­ment and Trans­port In­spec­to­ra­te (In­spec­tie Leef­om­ge­ving en Trans­port) acts as su­per­vi­sor.For ban­king and the fi­nan­ci­al in­fra­struc­tu­re, the com­pe­tent and su­per­vi­sing au­tho­ri­ty is the Dut­ch Cen­tral Bank (De Ne­der­land­sche Bank).For the he­alth sec­tor, the com­pe­tent au­tho­ri­ty is the Mi­nis­ter for He­al­th­ca­re. The He­alth and Youth Ca­re In­spec­to­ra­te (In­spec­tie Ge­zond­heids­zorg en Jeugd) acts as su­per­vi­sor.Key obli­ga­ti­ons NIS­SA:So­me spe­ci­fic fi­nan­ci­al in­sti­tu­ti­ons de­sig­na­ted by the Dut­ch Cen­tral Bank are exemp­ted from part of the obli­ga­ti­ons re­fer­red to in this sec­ti­on.foot­no­teDi­gi­tal ser­vi­ce pro­vi­ders and ope­ra­tors of es­sen­ti­al ser­vi­ces must im­ple­ment ap­prop­ri­a­te and pro­por­ti­o­na­te tech­ni­cal and or­ga­ni­za­ti­o­nal me­a­su­res to ma­na­ge the risks po­sed to the se­cu­ri­ty of their net­work and in­for­ma­ti­on sys­tems and the pos­si­ble im­pacts of se­cu­ri­ty in­ci­dents. They must al­so im­ple­ment ap­prop­ri­a­te me­a­su­res to pre­vent and mi­ti­ga­te the im­pact of such se­cu­ri­ty in­ci­dents.De­sig­na­ted vi­tal ope­ra­tors must no­ti­fy the Na­ti­o­nal Cy­ber Se­cu­ri­ty Cen­tre ("NC­SC", part of the Mi­ni­stry of Se­cu­ri­ty and Jus­ti­ce), ac­ting as Com­pu­ter Se­cu­ri­ty In­ci­dent Res­pon­se Team "CSIRT") of:(i) any in­ci­dent with a sig­ni­fi­cant im­pact on the con­ti­nui­ty of the es­sen­ti­al ser­vi­ces;(ii) any se­cu­ri­ty in­ci­dent in their net­work and in­for­ma­ti­on sys­tems which may ha­ve se­rious ad­ver­se ef­fects on the con­ti­nui­ty of their ser­vi­ce.If an ope­ra­tor of an es­sen­ti­al ser­vi­ce uses a di­gi­tal ser­vi­ce pro­vi­der, an in­ci­dent at such di­gi­tal ser­vi­ce pro­vi­der must be no­ti­fied by such ope­ra­tor to the com­pe­tent au­tho­ri­ty for the sec­tor of such ope­ra­tor if the in­ci­dent has a sig­ni­fi­cant im­pact on the con­ti­nui­ty of the ser­vi­ce.Di­gi­tal ser­vi­ce pro­vi­ders must no­ti­fy the Mi­nis­ter of Eco­no­mic Af­fairs and Cli­ma­te (as com­pe­tent CSIRT) and Ra­dio­com­mu­ni­ca­ti­ons Ag­en­cy Ne­ther­lands (as com­pe­tent au­tho­ri­ty) of any in­ci­dent which may ha­ve se­rious ad­ver­se ef­fects on the pro­vi­si­on of their ser­vi­ces.Pe­nal­ties/En­for­ce­mentThe com­pe­tent au­tho­ri­ties ha­ve se­ve­r­al kinds of ge­ne­ral in­ves­ti­ga­ti­ve po­wers.Fi­nes can be im­po­sed with a maxi­mum of EUR 1m or EUR 5m de­pen­ding on the vi­o­la­ti­on.NIS­SA ba­sed su­per­vi­si­on and en­for­ce­ment on­ly ap­plies to ope­ra­tors of es­sen­ti­al ser­vi­ces and di­gi­tal ser­vi­ce pro­vi­ders (e.g. not in­clu­ded are ope­ra­tors of other ser­vi­ces of which the con­ti­nui­ty is of vi­tal im­por­tan­ce for the Dut­ch so­ci­e­ty).Is the­re a na­ti­o­nal com­pu­ter emer­g­en­cy res­pon­se team (CERT) or com­pu­ter se­cu­ri­ty in­ci­dent res­pon­se team (CSIRT)?Yes. NC­SC is the CSIRT for vi­tal ope­ra­tors. NC­SC is al­so the Point of Con­tact res­pon­si­ble for coo­r­di­na­ting is­sues re­la­ted to the se­cu­ri­ty of net­work and in­for­ma­ti­on sys­tems and cross-bor­der coo­p­e­ra­ti­on at EU le­vel.The Dut­ch Mi­ni­stry of Eco­no­mic Af­fairs is the CSIRT for di­gi­tal ser­vi­ces.Is the­re a na­ti­o­nal in­ci­dent ma­na­ge­ment struc­tu­re for res­pon­ding to cy­ber se­cu­ri­ty in­ci­dents?Yes. Du­ring a cy­ber cri­sis, the Na­ti­o­nal Ma­nu­al on De­ci­si­on-ma­king in Cri­sis Si­tu­a­ti­on is ap­plied (hy­per­link in­clu­ded be­low). NC­SC plays a key role in such cy­ber cri­ses.The Na­ti­o­nal Di­gi­tal Cri­sis Plan (hy­per­link in­clu­ded be­low) is a cy­ber-spe­ci­fic ela­bo­ra­ti­on of the Na­ti­o­nal Ma­nu­al on De­ci­si­on-ma­king in Cri­sis Si­tu­a­ti­on.Use­ful linksNC­SC : htt­ps://en­glish.nc­sc.nlNIS­SA text: htt­ps://wet­ten.over­heid.nl/BW­BR0041515/2019-01-01NISSD text:  htt­ps://wet­ten.over­heid.nl/BW­BR0041520/2019-01-01Web­si­te for di­gi­tal ser­vi­ce pro­vi­ders to no­ti­fy com­pe­tent au­tho­ri­ty: htt­ps://www.agent­schap­te­le­com.nl/do­cu­men­ten/for­mu­lie­ren/2018/no­vem­ber/8/mel­den-van-in­ci­dent-on­der-de-wet-be­vei­li­ging-net­werk--en-in­for­ma­tie­dien­sten The Ne­ther­lands Na­ti­o­nal Hand­book on De­ci­si­on-Ma­king in Cri­sis Si­tu­a­ti­ons: htt­ps://www.rijks­over­heid.nl/do­cu­men­ten/bro­chu­res/2013/04/26/na­ti­o­naal-hand­boek-cri­sis­be­sluit­vor­mingNa­ti­o­nal Di­gi­tal Cri­sis Plan htt­ps://www.nctv.nl/do­cu­men­ten/pu­bli­ca­ties/2020/02/21/nctv-na­ti­o­naal-cri­sis­plan-di­gi­taal-_-web­ver­sie << back to Over­view
Sub­scri­be to Da­ta Pro­tec­ti­on & Pri­va­cy To­pics

Feed

Toon alleen
08 mei 2020
Da­ta Law Na­vi­ga­tor | Over­view
Find he­re in­for­ma­ti­on about da­ta pro­tec­ti­on and cy­ber se­cu­ri­ty laws in va­rious coun­tries world­wi­de: Al­ba­nia, Au­stria, Bel­gi­um, Bosnia and Her­zeg­o­vi­na, Bul­ga­ria, Cro­a­tia, Czech Re­pu­blic, Fran­ce, Ger­ma­ny, Hong Kong, Hun­ga­ry, Ita­ly, Luxem­bourg, Mexi­co, Mon­te
05/03/2020
Co­ro­na­vi­rus: be­leid en maat­re­ge­len door werk­ge­ver
16/12/2019
CMS is re­lea­sing its ‘Sha­ring is (S)ca­ring’ Pod­cast Se­ries
23/10/2019
Mo­bi­li­ty as a Ser­vi­ce: de (on)mo­ge­lijk­he­den van GD­PR
Pod­cast
16/10/2019
Mo­bi­li­ty as a Ser­vi­ce: be­taal­mo­ge­lijk­he­den
Pod­cast
23/09/2019
Da­ta Pro­tec­ti­on & Pri­va­cy: een greep uit de re­le­van­te ont­wik­ke­lin­gen -...
23/09/2019
Uit­ge­licht: Reik­wijd­te van het in­za­ge­recht
14/08/2019
Cu­ra­to­ren Slo­ter­vaart­zie­ken­huis over pa­ti­ënt­ge­ge­vens en de im­pact van de...
15/07/2019
'Pri­va­cy­toe­zicht­hou­ders zijn zich be­wust van de pro­ble­men, hand­ha­ving zal...
ED­PO-op­rich­ter Ja­ne Murp­hy over de AVG en or­ga­ni­sa­ties bui­ten de EER
23/05/2019
Een jaar AVG: wha­t's next?
10/04/2019
De im­pact van de AVG op de mo­bi­li­teits­in­du­strie
28/11/2018
Au­to­ri­teit Per­soons­ge­ge­vens be­boet Uber voor over­tre­den meld­plicht da­ta­lek­ken