New EU General Data Protection

On 14 April 2016 the EU Parliament formally adopted the EU General Data Protection Regulation (GDPR). The GDPR will replace the existing Privacy Directive and the corresponding Personal Data Protection Act as from 25 May 2018. From that moment onwards there will be one uniform set of binding regulations applicable within the EU instead of 28 national Acts based on EU legislation. In contrast with the Privacy Directive the GDPR will be have direct legal effect in all Member States. The GDPR imposes more responsibilities for companies processing data, such as among others an obligation to document and in case of risky processing the obligation to undertake a privacy impact assessment. Furthermore in certain circumstances companies processing data need to appoint a so-called Data Protection Officer. In view of the new sanction regime which includes fines of up to 4% of annual worldwide turnover or EUR 20.000.000 million, it is advisable to start preparing for the GDPR now.

Please also note that as of 1 January 2016 the Dutch Data Protection Authority (DPA) can impose a maximum fine of EUR 820.000 and that under certain circumstances companies processing data have a duty to notify the DPA in case of personal data breaches.