Data Protection & Privacy Update - October 2018
This fall brought the following interesting data protection developments:
Update home market: The Netherlands, Belgium, Luxembourg, Switzerland
Dutch Data Protection Authority publishes information about the rules on direct marketing
On 4 October 2018, the Dutch Data Protection Authority published extensive information about the rules on direct marketing on its website. In this way, the Dutch Data Protection Authority provides clarity about the consequences of the GDPR for approaching (potential) customers.
The Dutch Data Protection Authority distinguishes between the following types of direct marketing, each with its own rules: digital direct marketing (by email, SMS or app), telemarketing and advertising mail.
In most cases, an organisation must obtain the consent of the data subject if it wishes to use his or her personal data for direct marketing purposes. Consent may not be needed where existing customers are concerned.
Dutch Data Protection Authority publishes policy rules regarding the prioritization of the investigation of complaints
On 1 October 2018, the Dutch Data Protection Authority published policy rules regarding the prioritization of the investigation of complaints.
Pursuant to the GDPR, every data subject has the right to lodge a complaint with the Dutch Data Protection Authority if he or she feels that the processing of his or her personal data violates the GDPR. It also follows from the GDPR that the Dutch Data Protection Authority must – in principle – investigate and respond to each complaint.
Partly because of the fact that the resources of the Dutch Data Protection Authority are limited and the ‘supervisory field is comprehensive’, not all complaints can be subjected to an extensive investigation.
The Explanatory Memorandum to the Dutch Implementation Act states that the Dutch Data Protection Authority is free to decide how intensively it investigates a complaint. In this context, the Dutch Data Protection Authority adopted policy rules on the prioritization of the investigation of complaints, which were published on 1 October 2018. The policy rules are available in Dutch only.
Belgian Framework Act implementing the GDPR published
On 5 September 2018, a Framework Act implementing and addressing the national substantive aspects of the GDPR was published in the Belgian State Gazette. This Framework Act adapts national legislation to the GDPR and introduces several specifications and derogations. The Act is supplemented by a second act creating a new public law body, the Information Security Committee, and amending various laws. The second act was published on 10 September 2018.
The most noticeable provisions of the Framework Act applying to private-sector companies relate to:
- Territorial scope of the Framework Act: it will not apply where the controller is established in another EU Member State even if the processor is located in Belgium, provided however that the processing takes place in that other Member State.
- Age of digital consent: set at 13 years.
- Sensitive data and data relating to criminal convictions and offences: data controllers and processors of genetic, biometric or health data are obliged to (i) designate the categories of persons that are entitled to consult these categories of data and describe their capacity as regards the processing, (ii) draft a list of these categories of persons; and (iii) ensure that these persons are bound by legal or contractual confidentiality obligations. The Framework Act also lays down several substantial public interest grounds which justify the processing of sensitive data and sets out a number of lawful grounds for processing data relating to criminal convictions and offences.
- Data Protection Officer: private organisations which process personal data on behalf of a federal authority or to which a federal authority transfers personal data, are required to designate a DPO, where the processing could lead to a high risk to the rights and freedoms of natural persons (cf. Article 35 GDPR).
- Cease and desist procedure: the Framework Act reintroduces the cease and desist procedure, in which claims for alleged infringements of data protection legislation can be brought before the President of the Court of First Instance. If the President finds that there is an infringement, he or she may order the infringer to cease the infringing practices and impose penalty payments if the court order is not respected.
- Sanctions and penalties: besides administrative fines, the Framework Act also contains criminal sanctions, making the infringement of data protection legislation a criminal offence in Belgium (as was also the case pre-GDPR).
Information Security Committee
The former Belgian supervisory authority (the Commission for the protection of privacy – CPP) was composed of several sectoral committees which were tasked to grant prior authorisations for access to government databases or for the exchange of data between such databases. The Act of 3 December 2017 establishing the Belgian Data Protection Authority (the DPA) provided for the dissolution of these sectoral committees as from 25 May 2018. All authorisations previously issued by these committees would nevertheless remain valid, without prejudice to the supervisory powers of the DPA.
However, in a supplementary Act of 25 May 2018 it was decided that two sectoral committees will be retained temporarily: the sectoral committee for Social Security and the sectoral committee of the National Register Number. In the future, these two sectoral committees will be replaced by an Information Security Committee (‘Informatieveiligheidscomité’ – ‘Comité de sécurité de l’information’), which will be composed of a chamber social security and health, and a chamber federal authority. For now, the existing two sectoral committees will be maintained until the members of this new body are appointed.
Swiss data protection developments
The Swiss parliament decided to amend certain data protection rules in criminal laws. The purpose of these amendments is to adapt Swiss legislation to EU Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, a Directive that forms part of the Schengen acquis.
Separately, the Swiss parliament decided to address the total revision of the Swiss data protection act on its own track. It will debate the draft of the new law by the end of this year and intends to adopt the total revision by the end of 2019.
Luxembourg laws implementing the GDPR published
On 1 August 2018, the following two Luxembourg laws implementing the GDPR were published:
- Law on the protection of individuals with regard to the processing of personal data in criminal and national security matters; and
- Law of 1 August 2018 on the organisation of the National Commission for Data Protection and implementing the GDPR, amending the Labour Code and the amended Law of 25 March 2015 laying down the salary scheme and the conditions and procedures for the advancement of State officials.
Electoral prospection and data protection
With a view to the legislative elections to be held on 14 October 2018 in Luxembourg, the National Commission for Data Protection (CNPD) intends to recall and clarify the provisions applicable to political prospecting during an election period, in particular the conditions for using the data from electoral lists, in compliance with the GDPR.
The Luxembourg Electoral law of 18 February 2003 provides that “every citizen may request in writing a copy of the updated electoral lists. The citizens' data contained in the lists cannot be used for purposes other than electoral purposes”. The data contained in these lists include the surname, forenames, address, place and date of birth of the electors, and, if applicable, the nationality and surname and first names of the spouse. Some Luxembourg political parties have made use of this right and have used the data from these lists for political prospecting during previous election periods.
In this context, the CNPD states that the establishment of the list of claims and electoral lists constitutes a processing of personal data within the meaning of Article 4 (2) of the GDPR. This processing is implemented by the college of burgomasters and aldermen, which therefore meets the definition of controller in the meaning of Article 4 (4) of the GDPR.
The law determines the purpose of the processing within the meaning of Article 5 paragraph (1) under (b) of the GDPR by providing that the electoral lists can only be used for electoral purposes. This means that the lists can first be used for the recognition of the status of elector of natural persons fulfilling the conditions set out in Title I of the Electoral law. Further, data of electoral lists can be used for political prospecting purposes during election periods by political parties.
The CNPD does not question the lawfulness of the purpose of the prospection of registered voters, in particular to send them the political programs, within the limits of the electoral purpose laid down by the Electoral law.
While candidates and their political parties have a legitimate interest in approaching voters and presenting their programmes within the framework of their electoral campaign, it should be remembered that they must not use for this purpose files obtained from public bodies or institutions without any legal or regulatory basis. In particular, non-profit associations must not disclose the list of their members to third parties without the consent of the persons concerned. The CNPD also recalls that a political survey by phone or email (or any other means of electronic communication) may only be carried out with the agreement of the people contacted.
In the field of political prospecting by sending postal mail on the basis of data not collected directly from the persons concerned, the CNPD recalls that, under the obligation of information arising from Article 14 GDPR, political parties must provide, at the latest at the time of the first communication, that is to say in the prospecting letter or in the annex, the following information to the persons concerned:
- identity and contact details of the controller (the political party or the local or regional section of the political party);
- origin of the processed data (electoral lists);
- purpose of the data processing (political prospecting in the context of the election);
- retention period (the deletion of data within a reasonable time after the elections);
- existence of the data protection rights of citizens;
- means of contact to exercise their rights.
More generally, the CNPD draws attention to the obligations incumbent upon any data controller. Political parties must ensure that they comply with the general principles of data protection, including the principles of accountability, fairness, transparency, security, data retention and data minimisation. Finally, the CNPD states that excessive profiling of citizens that would be disproportionate to the electoral purpose must be avoided, in particular by matching electoral lists against voter data from other files. The CNPD does not dispute the possibility of performing sorting and selection operations on the lists, depending on the age or address of the electors. Nevertheless, the CNPD warns against sorting that can target people on the basis of their real or supposed origins, especially on the basis of names or the place of birth.
Certification scheme GDPR - CARPA
Certifications represent a new opportunity for data controllers and processors to demonstrate that their processing operations comply with GDPR. Convinced of the added value that certification can offer, the CNPD has taken a particularly proactive approach in developing, jointly with industry professionals, a certification scheme.
Thus, the scheme called 'GDPR-CARPA' was submitted for public consultation in June 2018. The purpose of this communication is to provide data controllers and processors as well as potential certification bodies with an overview of the work carried out and the approach that the CNPD intends to take subsequently.
The CNPD has focused its work on two pillars:
The first pillar concerns the certification criteria to be met by an organization that wishes some of its data processing to be certified.
The second pillar concerns the approval criteria to be met by an organization wishing to act as a certification body. While the GDPR-CARPA certification scheme, subject to public consultation, already included a description of these criteria, the CNPD decided to continue developing them, in particular to align them with the guidance on accreditation currently being developed by the European Data Protection Board (EDPB). These criteria will be published by the CNPD probably towards the end of this year or beginning of 2019.
First feedback on data breaches
Since 25 May 2018, a security breach resulting in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data must be handled in accordance with the requirements of Articles 33 and 34 of the GDPR.
With a view to transparency, and in order to raise the awareness of data controllers and processors, the CNPD shares on its website its first feedback on the breaches that have been notified to the CNPD since the entry into force of the GDPR.