• Insights

The Netherlands – The GDPR One Year On

Written by
Bronsgeest Deur Advocaten, leading law firm in the Netherlands specialised in HR and employment law.
In the twelve months following the introduction of the GDPR, the Dutch data protection authority has imposed a fine on Uber for breaching its data protection obligations. It has also provided information, guidance and tools relating to the new rules.  

The Dutch Data Protection Authority has not yet imposed GDPR fines as vigorously as many people feared: it started first and foremost by providing information, guidelines and tools about the GDPR on the website.   Only one fine has been imposed: Uber was fined EUR 600,000 for breaching the reporting obligation for data breaches. This data breach took place at the Uber Group in 2016 (since 2016 there was already an obligation to report data breaches in the Netherlands, but with much lower penalties): unauthorised individuals were given access to customers’ and drivers’ personal data (names, email addresses and phone numbers). The Uber group was fined because it did not inform the DPA and the data subjects involved within 72 hours following the discovery of the data breach.

Despite its aim of ending the fragmentation of rules within the EU, the GDPR still allows the possibility for each EU member state to set its own, or further, rules on a number of subjects. The Netherlands decided to implement the GDPR in a ‘policy-neutral’ manner, meaning the Dutch implementation act (‘Uitvoeringswet AVG’) stays as close as possible to the text of the GDPR. More specifically, the Dutch implementation act has not made use of the possibility to introduce separate rules for processing of employees’ personal data. The implementation act applied from 25 May 2018.

The GDPR is slowly gaining attention in labour law. Dutch case law has seen examples in the past year of issues relating, for example, to data subject access requests or privacy claims after negative references from a former employer. The question of the admissibility of evidence obtained in breach of an employee’s privacy has also been examined: based on Dutch case law, even if it is established that evidence used, for example, in a dismissal case was obtained unlawfully by the party relying on it, the court is not generally required to disregard it. The general social interest in the truth coming to light plus the parties’ interest in being able to support their case outweigh the arguments for excluding such evidence unless additional circumstances indicate otherwise.

Philip Nabben
Philip Nabben
Partner - Netherlands
Bronsgeest Deur Advocaten