Author

Wouter Seinen

Browsing

 The Hague’s district court has ruled that loot boxes qualify as a game of chance under the Dutch Betting and Gaming Act (BGA). The decisive factor in its assessment is the definition of a ‘prize’. For the BGA to apply, not only an element of chance is required, but the prize must represent ‘economic value’. Economic value is considered present if players can transfer the virtual goods involved between individual accounts. In addition, if such…

BCRs as a robust alternative to Privacy Shield and SCCs Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis. BCRs are also not…

Introduction Recently, the European Commission published its evaluation report on the first two years of the General Data Protection Regulation (GDPR). The Commission focused on, in particular, two themes in its evaluation, being (1) international data transfers and (2) the cooperation and consistency among the European supervisory authorities. As to the latter, the Commission is of the opinion it should definitely be improved. With regard to international data transfer the Commission focuses on the review…

It has been two years since the GDPR came into force on 25 May 2018 and during that time, we have seen more guidance published at an EU level as well as from data protection authorities in Member States which has impacted how organisations approach areas of GDPR compliance. We have also seen enforcement action from data protection authorities across the EU and UK. There have also been other significant developments, over the past two…

On March 2, 2020, the Dutch Data Protection Authority (DDPA) published its notice of a monetary penalty notice, issued under the General Data Protection Regulation against the Dutch National Tennis Association. A fine in the amount of € 525,000 was imposed for the – allegedly – unauthorized sale of member data to the Association’s sponsors. This decision is relevant as it is the first monetary fine issued by the DDPA which relates to (direct) marketing…

At the doorstep of 2020, advocate general Hendrik Saugmandsgaard Øe (a.g.) rendered his opinion in the so called “Schrems II case” and opined on how European Court of Justice should deal with the GDPR’s regime for international data transfers. See here for a summary on the Schrems II case. In a series of blogs, we further elaborate on the consequences of that opinion and the impact it may have on the current international data transfer…

The European Union’s highest court, the Court of Justice of the European Union (CJEU), is evaluating the legitimacy of the EU standard contractual clauses (SCC). SCCs have been the bedrock of cross-border personal data transfers outside the EU for many years. Today, the advocate general (a.g.) has rendered an opinion on the Schrems II case. By way of brief background, Schrems II is a case before the Court of Justice of the European Union (CJEU)…

On 27 January, the data protection authority in the Netherlands (“Dutch DPA”) published its main policy priorities (so called “themes”) for the year 2017. Apart from the GDPR, the themes include: profiling, special / sensitive personal data and data security. For companies doing business in the Netherlands, the Dutch DPA’s enforcement agenda is relevant, as it is one of the very few sources to rely on when trying to assess enforcement risks and exposure. Here…

Effective 2016, Netherlands’ businesses must notify the Dutch data protection authority (“DPA”) and sometimes individuals if they suffer certain data breaches that involve personal data under their control. Companies will have to take this seriously, as failure to notify may lead to fines up to €500,000 (or potentially higher).Who Is Affected?The notification duty applies to data controllers that have an establishment in the Netherlands and process personal data in the context of that establishment. It…