GDPR update: overview



Today, May 25, 2018, we have come to the last GDPR Update of the current series. During the past 16 months, we have discussed various important topics with regard to the GDPR. For an overview, please see the end of this update.

There has been much public debate surrounding the implementation of the new privacy legislation. The abbreviation ‘GDPR,’ the date of May 25, 2018 and the prospect of €20 million fines have been all over the media, leading to anxiety within many organizations, from globally operating enterprises to local sports clubs.

WP29 publications

We have not been the only ones to publish updates on the GDPR; during the past months, the Article 29 Working Party (the WP29) has not been silent either. The WP29 is an overarching data protection body consisting of local supervisory authorities. It regularly publishes guidelines and opinions on (the interpretation of) various data protection concepts. Although these documents are not legally binding, they do give useful and important insights as to how the supervisory authorities interpret important provisions and principles of the GDPR.

The WP29 has published guidelines on consent, transparency, data breaches, data protection officers, the lead supervisory authority, privacy impact assessments, the right to data portability, profiling and automated decision-making and application and setting of administrative fines. (A guideline on the territorial scope of the GDPR is in the making, but it would have been welcome if the WP29 had issued this earlier.)

The transparency guidelines and the guidelines on consent have proven to be of particular significance for our clients’ operations.

The WP29’s transparency guidelines focus on the content of organizations’ privacy notices, giving a sharper outline to the requirements as set out in articles 13 and 14 GDPR, as well as on the way and form in which data subjects should be informed about the content of these notices. We highly recommend consulting these guidelines when preparing GDPR-compliant privacy notices. Further, the WP29’s transparency guideline prescribes that data subjects must be actively informed on revisions of the privacy policy, including any revisions made in view of the GDPR, as well as any subsequent material amendments. Possible ways of actively informing data subjects include sending data subjects an e-mail, providing them with a hardcopy version of the policy or implementing a pop-up at the organization’s website displaying the latest changes. WP29’s guidance explicitly sets out that merely publishing the new version of the privacy notice on a website and requiring the data subject to check regularly for changes is not sufficient.

Looking at WP29’s consent guidelines, it becomes clear that controllers should avoid relying on consent as the legal basis for data processing as much as possible, as obtaining valid consent is not at all straightforward. The definition of consent consists of a number of criteria, and the controller should comply with all of them. The WP29 explicitly states that relying on consent should be avoided in the employment context in particular. (However, we understand that certain EU member states do in fact require employers to obtain consent, hindering a harmonized approach across the EU.)

The WP29’s non-binding guidelines and opinions are not always in alignment with common business practices. Moreover, the guidelines are sometimes stricter than the GDPR’s wording. Our experience is that supervisory authorities tend to follow these guidelines closely. In addition, Dutch case law on data protection matters (under the Directive) shows that the Dutch courts attach significant importance to WP29 guidance and opinions.

Enforcement activities by supervisory authorities

A large part of the abovementioned public debate focused on potential enforcement activities by supervisory authorities. Organizations seem to be most worried about being fined, accompanied by negative publicity risks.

This anxiety is strengthened by the Dutch supervisory authority’s (and other local supervisory authorities’) silence with regard to its envisaged enforcement activities. To date, the Dutch supervisory authority (Autoriteit Persoonsgegevens) has not publicized any policies with regard to GDPR enforcement and the imposition of fines in The Netherlands.

We have been receiving many questions from clients who want to understand whether supervisory authorities will start imposing administrative fines immediately after 25 May. As discussed in our GDPR Update on sanctions, we believe this is not to be expected. Organizations that are well underway with implementation of the GDPR today, will likely be subject to other corrective measures prior to being fined. However, supervisory authorities do have the authority to impose fines without warning, and they have clearly left open this possibility.

Final remarks

When looking to implement the GDPR properly, creativity is key: There is little guidance on how various newly introduced requirements should work in practice. The guidance that is available can be found in the recitals of the GDPR, WP29 guidelines, existing policies and guidelines of supervisory authorities and parliamentary documents.

Enforcement activities and binding decisions of supervisory authorities in the coming period will provide additional insight in the interpretation and implementation of the GDPR.

We will continue to provide you with regular updates on the GDPR and the way it is enforced, as well as with relevant developments in the field of personal data protection (e.g. the draft e-Privacy Regulation). Stay tuned!

Overview of subjects

January 2017 Territorial scope of the GDPR(Dutch)
February 2017 The Concept of Consent
March 2017 Sensitive Data
April 2017 Accountability, Privacy by Design and Privacy by Default
May 2017 Rights of Data Subjects (information notices)
June 2017 Rights of Data Subjects (access, rectification and portability)
July2017 Rights of Data Subjects (erasure, restriction, objectand automated individual decision-making)
August 2017 Data Processors
September 2017 Data Breaches and Notifications
October 2017 Data Protection Officers
November 2017 Transfer of Personal Data (outside the EEA)
December 2017 Regulators (competence, tasks and powers)
January 2018 One Stop Shop
February 2018 Sanctions
March 2018 Processing of Personal Data in the Employment Context
April 2018 Profiling and Retail
May 2018 Overview


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:


Dentons on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.