SZW fines for employers often unjustified
As of 25 May 2018, the Personal Data Protection Act ("Wbp") no longer applies. What applies instead? As of that date, the Algemene Verordening Gegevensbescherming (AVG) enters into force. This privacy legislation applies throughout the European Union. In English, the AVG is referred to as the General Data Protection Regulation ("GDPR").
Banks will also have to deal with, and comply with, this new privacy legislation. Banks collect and use a lot of personal data. In particular, banks store and use sensitive data such as the citizen service number (BSN) and other financial data of their customers. After all, banks are obliged to identify their customers by having them present proof of identity. A copy of this proof of identity is made and kept in the file. In this way, the bank can demonstrate that it has fulfilled its legal obligation (including under the Wwft). In addition, banks use the BSN to exchange data with the Tax and Customs Administration. Consider also cases where someone has made an incorrect payment and wants this money back. Under certain circumstances, the bank can pass on the name and address details of the receiving party to its customer (the bank's principal).
An article in the Financieel Dagblad (dated 10 April 2018) shows that banks more commonly pass on name and address details to their business clients. Banks intend to stop passing on these name and address details as of 1 January 2019. It would appear that business clients abused the name and address details forwarded to them a great deal. In the article referred to above, it emerged that Rabobank had forwarded the name and address details of its client - a Red Cross donor - to the Red Cross, who then asked the donor to make another donation. The Red Cross acknowledged that this had not been possible. This is an improper use of personal data, for which the donor had not given permission.
The AVG is strict. If a provision of the AVG is breached, severe sanctions can be imposed.
Under the AVG, the supervisory authority of the particular Member State has a number of powers. These can be divided into (1) investigative measures, (2) corrective measures, and (3) authorisation and advisory powers. In order to comply with the AVG, each power must be exercised in a way that is appropriate, necessary and proportionate. Each measure must take into account the circumstances of the individual case, respect each person's right to procedural fairness relating to the imposition of measures, and avoid unnecessary and other costs. Additionally, the supervisory authority of the Member State must set out the measure it has imposed clearly and unambiguously, in writing, stating when the measure was imposed, why it was imposed, and with which (judicial) body an objection or appeal may be lodged.
I will expand on the various powers below.
On the basis of Article 58(1) of the AVG, the supervisory authority in question has the following obligations and powers of investigation:
(i) the obligation to provide information;
(ii) to conduct investigations in the form of data protection checks;
(iii) to carry out a review of the certificates referred to in Article 42 of the AVG;
(iv) to notify the controller of a breach of the AVG;
(v) to obtain access to premises (including business premises).
Investigative powers providing access to sites must ensure that the specific rules of the relevant Member State's procedural law are complied with (including the obligation to obtain judicial authorisation before receiving access to sites).
On the basis of Article 58(2) AVG, the Member State supervisor has the following corrective possibilities/sanctions:
(i) issue a warning to the controller;
(ii) reprimand the controller;
(iii) oblige the controller to comply with the data subject's requests;
(iv) oblige the controller to reconcile the processing of personal data with the AVG within a specified period of time;
(v) require the controller to notify data subjects that there has been a breach of the processing of their personal data;
(vi) impose a temporary or definitive processing restriction or prohibition on the controller;
(vii) rectify or erase personal data relating to data subjects;
(viii) revoke certificate(s);
(ix) impose an administrative fine;
(x) suspend data flows to a recipient in a third country and (or) international organisation.
As the AVG prescribes, all sanctions to be imposed must be not only proportionate but also effective and dissuasive. The measures referred to in (i), (viii) and (x) may be imposed at the same time as an administrative fine. The amount of such a fine shall be determined according to the circumstances of the case. Relevant circumstances include the nature, seriousness and duration of the breach, the intentional or negligent nature of the breach, the measures taken by the controller, the extent to which the controller is responsible in view of the technical and organisational measures implemented, previous (relevant) breaches of the AVG, the extent to which the controller helped to remedy the breach, and any other potentially relevant circumstances.
The amount of the fine depends on the infringement committed by the controller. There are a number of possibilities: