Nov 92017

Dutch Data Protection Authority Confirms That Notifications Are No Longer Required

Wim Nauwelaerts
, , , ,

On 6 November 2017, the Dutch Data Protection Authority (‘”DPA”) issued a statement in which it confirms that controllers subject to Dutch data protection law will – in most cases – no longer need to notify their data processing activities to the DPA.  The General Data Protection Regulation (“GDPR”), which becomes applicable on 25 May 2018, abolishes the system of DPA notifications and replaces it with the requirement to keep internal records of data processing operations. Until that date, controllers can still submit notifications if they wish to do so, but in general the DPA will no longer enforce compliance with the notification requirement in the law.

By way of exception, controllers will still be required to notify the DPA in the event of high-risk data processing involving, for instance, ID numbers or personal data relating to criminal convictions. In those cases, the DPA will conduct a preliminary investigation into to the data processing, with a view to establishing whether the processing activity complies with Dutch data protection law.  Controllers can only engage in the data processing once they have received the green light from the DPA.

To some extent, this consultation requirement will continue to exist after 25 May 2018.  Under the GDPR, controllers will be obliged to carry out a data protection impact assessment (“DPIA”) if the processing potentially involves a high risk for the rights and freedoms of individuals.  If the DPIA indicates that the processing would result in a high risk that the controller cannot mitigate, the controller will first have to consult the DPA. The Dutch DPA has indicated that it will issue additional guidance on the need for DPIAs and consultation in the near future.

The Dutch DPA’s position on notification requirements is likely to be followed by DPAs in other EU Member States as 25 May 2018 comes nearer.  However, those DPAs will expect that controllers who longer notify their data processing activities already comply with the GDPR’s recordkeeping requirements in advance of 25 May 2018.

Wim Nauwelaerts

wnauwelaerts@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.