Lawyers and Notary in Leiden and The Hague

25 May 2019 marks the one-year anniversary of the much-discussed General Data Protection Regulation (GDPR) entering into force. Since the Dutch Data Protection Authority (Dutch DPA) also recently published its 2018 annual report, now is a good time to take stock of it all. What has one year of GDPR yielded? Have high fines been imposed and, if so, for what type of violations? And what do you need to watch out for in 2019?

Annual report 2018

As shown in the annual report, 2018 was a hectic year for the DPA. Not only did the GDPR come into force, the DPA also hired many new employees along with setting-up and implementing a new organisational structure.

In the report, the DPA indicates that in 2018 it deliberately chose to focus on promoting compliance with the privacy regulations. Their approach entailed investing heavily in providing information and advice, on the one hand, and seeking to stop any violations instead of imposing sanctions after the fact, on the other hand.

Some headline figures for 2018:

Year-on-year comparison

A comparison of these figures with those of previous years, shows an explosive increase in the number of data breach notifications since this obligation was introduced in 2016. However, enforcement and sanctions (including fines) are increasing slowly.

2014 2015 2016 2017 2018
Data breach notifications 5,700 10,009 20,881
Enforcements 13 17 20 20 17
Penalty 0 0 0 0 1
Collection/recovery 0 0 0 1 2

Elsewhere in Europe

What are regulators doing elsewhere in Europe? Several Member States have already seen the first fines imposed for violations of the GDPR, examples include:

What does 2019 have in store?

In its annual report, the DPA explicitly states that in 2019 the focus will shift from information to enforcement. Enforcement will be stepped up in 2019. While the DPA currently still often focuses on ending any (possible) violation when dealing with a complaint, 2019 will see it initiating investigations and imposing sanctions more often. The DPA’s stated areas of focus for 2019 include: i) security measures and the legal bases for processing personal data in the healthcare sector, ii) unreported data breaches and iii) trade in personal data.

Please contact Jeroen van Helden ( or 071-5815310) if you have any questions about the GDPR or related laws and regulations.

*The infringements often date from the pre-GDPR era and are therefore assessed and sanctioned according to the Personal Data Protection Act and not the GDPR.

Time is running out. If the deadline is not extended, the UK will leave the EU on 29 March 2019, with or without a deal. For many organizations it is unclear what the effects of Brexit will be on the protection of personal data processed in the UK. What are the implications for transferring personal data to the UK? The implications of transferring personal data will depend on whether or not a deal is reached by the end of March.

Deal scenario

If the British leave with a deal, then the GDPR will remain in force until the end of 2020. This means that, until then, nothing will change with regard to the transfer of personal data to the UK.

However, given the current circumstances, the chance of a no-deal scenario continues to grow and becomes more likely every day. It is therefore vital to start preparing for a no-deal Brexit now.

No-deal scenario

A no-deal Brexit will have a major impact on the transfer of personal data to the UK – regardless of whether the transfer is for instance to the UK branch of a multinational or a British cloud provider. In the event of a no-deal Brexit, the UK will be considered to be a ‘third country’ after 29 March 2019 and will be subject to the rules that are applicable to the transfer of personal data outside the EU.

Personal data may no longer be transferred freely to the UK; data transfer will need to be based on one of the following instruments:

The Commission could also consider (in a so-called adequacy decision) that the level of data protection in the UK is in line with European legislation. However, in the event of a no-deal Brexit, an adequacy decision will not be available immediately and the aforementioned instruments will have to be used, at least for the time being.

Five-step preparation

Because different rules will immediately become applicable after 29 March in the event of a no-deal Brexit, it is imperative to start taking steps immediately to prepare for this situation. According to the European Data Protection Board you can do this by means of the following five steps:

  1. Make an inventory, showing if and what personal data transfers are made to organisations (or branches) in the UK.
  2. Choose an instrument; determine which instrument is the best for your situation. For example, in the case of a multinational with a branch in the UK, creating or updating Binding Corporate Rules might be an option; whereas with data processors the Standard Contractual Clauses of the European Commission could be used.
  3. Make sure that whatever instrument you decide on is ready to use on 30 March 2019 (or as of the new deadline if the deadline is extended);
  4. Keep an internal record of the fact that personal data are transferred to the UK, for example, in the processing register and the internal privacy policy.
  5. Amend the privacy statement for data subjects to inform data subjects about the transfer to ‘outside the EU’.

Data transfers from the UK

A no-deal Brexit will not lead to any changes in the reverse situation, i.e. personal data transfers from the UK to an EU country. The British government has stated that data can be freely transferred from the UK to the EU, as is currently the case.

As Brexit may become a reality this month, there is no time to lose in making preparations.

If you have any questions, please contact Natascha van Duuren