Do you have questions regarding privacy? Legaltree also stands ready with broad experience in privacy in applications, personal data in the health sector, transfer of data, the use of client data, requests for inspection of government authorities and data breaches.
The importance of privacy compliance has been increased by the European privacy legislation (the General Data Protection Regulation / GDPR) which has been in effect since 25 May 2018. With Legaltree, you have specialised expertise on your side, with experience gained in, among others, the health sector, IT and retail, ranging from multinationals to small and medium-sized businesses.
What subjects can Legaltree assist you with?
- Processors agreements
- Compliance with the GDPR
- Patient data and professional secrecy
- Employee data
- Data breaches
- Exchange of data
- Privacy in the cloud
- Data export
- Direct marketing
- Other privacy questions
Do you outsource activities with personal data to an external supplier or service provider? In that case, this is usually called a ‘processors relationship’. Consider, for example, having data hosted, placing data in an online application, the expansion of the management or the use by a call centre. You then have the statutory obligation to conclude a ‘processors agreement’ with the external party (the ‘processor’). The specialists of Legaltree have broad experience in the drafting, reviewing and negotiating of processors agreements. Even when it is not clear whether an external supplier or service provider is a processor, Legaltree is here to assist you.
The General Data Protection Regulation (in Dutch: de Algemene Verordening Gegevensbescherming: AVG) (the ‘GDPR’) has been in effect since 25 May 2018. The GDPR is a European regulation which became immediately applicable in all the countries of the European Union. This new privacy legislation is accompanied by new obligations in the area of privacy compliance. Furthermore, the GDPR has introduced substantial penalties. Legaltree can assist you with GDPR matters which play a role within your organisation.
Patient data and professional secrecy
Professional secrecy is coming increasingly under pressure. On the basis of ever more rules, health providers must breach their duty of professional secrecy. The number of parties which have an interest in patient data, such as health insurers, municipalities, police and the judiciary is also growing. But where is the limit? Ask Legaltree.
Data of patients are being increasingly processed electronically. Patient data are what is called ‘special personal data’. Special personal data may only be used in a limited number of cases. Extra requirements also apply as concerns security/safeguards and thus also the processes whereby access is acquired to the patient data. That applies particularly if use is made of Internet applications. What may and must happen to patient data? Who is given access to the data within the organisation? And must the patient always give consent to the transferring of patient data to third parties? What rules apply to scientific research? What do you do with a claim from a surviving relative to surrender the medical file in order to demonstrate that the deceased was not compos mentis at the time of changing of the will? Legaltree is here to assist you.
Employees are entitled to protection of their personal data. Because employees are dependent on the employer, it is even more essential to consider whether it is necessary to collect certain personal data. What does the right to privacy of the employee entail at the introduction of camera surveillance, e-mail control, central employee databases or the screening of candidates and employees? If a Works Council is in place, the right for it to provide advice or even a right to consent is often applicable.
Since 1 January 2016, it has been obligatory to report data breaches in the Netherlands: these are incidents whereby personal data have been released, affected, lost or have become accessible to unauthorised persons. This has not changed substantially with the introduction of the GDPR. A data breach which meets certain criteria must be reported to the supervisory authority (the Personal Data Authority) and sometimes also to the persons whose data this concerns. If a breach is not reported although reporting is mandatory, the organisation risks a substantial penalty. Keeping an internal manual in which it is determined when a data breach must be reported is a good remedy to prevent penalties.
Exchange of data
It is sometimes necessary to exchange personal data with other parties, or you may have received an order to do so from a government authority. In order to follow the privacy rules, it is important to verify whether the exchange of the data is, in fact, in conformity with the statutory rules.
Privacy in the cloud
If personal data is placed ‘in the cloud’ – usually by making use of a SaaS solution – then other privacy aspects play a role. Security is a point for attention, but also the control which the controller (verantwoordelijke partij) has over the data, what happens to them at termination of the contract and where the data are to be stored. Having this take place, for example, outside of the European Economic Area (all EU countries plus Norway, Iceland and Liechtenstein) is, in principle, not permitted.
Personal data may not, in principle, be transferred from the European Economic Area to a country outside of this area which does not apply a ‘suitable level of protection’. It is assumed that some countries do apply a suitable level of protection, and that others do not. It must then be examined whether a legislative exemption can be invoked. Another mechanism for transfer may also be possible, such as the concluding of model agreements.
Direct marketing, online privacy
Specific rules apply to the use of e-mail addresses and telephone numbers for the sending of commercial messages. Usually, an ‘opt-in’ is necessary, but sometimes an ‘opt-out’ will suffice, for example for commercial messages for similar services or products. In addition, privacy is increasingly becoming an important point of attention in the online processing of personal data. What data may be requested of users of apps and websites and what rules apply to this? How do you inform the app and website users? Do you use cookies and, if so, must permission be requested? The specialists at Legaltree can assist you in such matters.
Here below is a list of the partners who are specialised in privacy law: