In our November newsletter, you will find the following topics:
AP: "Consumer credit providers may not request full bank statements"
On 4 November, the Dutch Data Protection Authority (DDPA) advised against the proposal to grant consumer credit providers the right to request full bank statements from consumers for the purpose of assessing their creditworthiness. According to the DDPA, this constitutes a disproportionate invasion of privacy and is contrary to the principle of data minimisation.
The background is a proposed EU Directive (CCD 2) that introduces stricter rules for consumer credit, including relatively small loans and 'buy now, pay later' services. The DDPA emphasises that bank statements contain sensitive information about, among other things, political preferences, health and religion. According to the DDPA, requesting all data and transactions in bank statements goes beyond what is necessary to carry out creditworthiness assessments and could lead to influencing consumer behaviour.
The DDPA advises consumer credit providers to process only strictly necessary data and advocates privacy-friendly alternatives, such as having standardised reports drafted by banks that only include relevant income and expenditure categories. This prevents organisations from collecting more data than permitted and reduces the risk of violating the GDPR.
The DDPA's position is very similar to the conclusions it drew in its decision to impose a fine on Experian last month. Consumer credit providers may need to review their processes and carefully identify what data they need to assess consumers' creditworthiness. The DDPA proposes that consumer credit providers draw up a code of conduct and submit it to the DDPA for approval.
DDPA publishes recommendations for robust data processing agreements for cyberattacks
On 11 November, the DDPA published three recommendations to strengthen data processing agreements (DPAs) and increase organisations’ digital resilience in the event of cyberattacks. The recommendations were prompted by the DDPA’s investigation into five major incidents which affected more than 1,250 organisations and an estimated 10.5 million individuals.
According to the DDPA, DPAs often do not contain clear arrangements between controllers and processors, which obstructs the effective handling of data breaches and increases consequential damage. Amongst other topics, DPAs must include provisions on the processing of personal data, security measures and reporting obligations in the event of data breaches. The DDPA observes that many DPAs do not go beyond a mere repetition of the legal requirements of Article 28 GDPR, creating uncertainty about the roles and responsibilities of the parties.
The DDPA advises organisations to make the arrangements with processors as specific and clear as possible, for example about who takes which steps in case of incidents and how information is exchanged. Additionally, organisations must maintain control over the entire processing chain: after all, even in the case of outsourcing, the controller remains fully responsible for compliance with the GDPR.
Finally, the DDPA emphasises that greater priority must be given to the drafting and regular updating of DPAs within organisations. Regular evaluation of the arrangements made and raising awareness among employees are essential to keep DPAs up to date and effective.
In practice, this means that organisations must tighten up their contract management and proactively negotiate specific provisions in DPAs. This not only reduces their own legal risks but also contributes to a faster and more coordinated response to data breaches.
European Commission presents proposal for Digital Omnibus
On 19 November, the European Commission (Commission) published the long-awaited proposal for the Digital Omnibus Regulation (Digital Omnibus). The Digital Omnibus proposes amendments to a wide range of digital legislation, including the GDPR, the Data Act, the AI Act, the ePrivacy Directive and operational resilience rules such as the DORA and the NIS2 Directive.
The main objectives of the Digital Omnibus are to harmonise legal frameworks and reduce both legal complexity and duplicate obligations. For example, provisions from the Data Governance Act and the Directive on the re-use of public sector information will be incorporated into the Data Act, creating a single, uniform framework for data access and re-use of public sector data. For providers of data processing services under the Data Act, the Digital Omnibus introduces a lighter regime for small and medium-sized enterprises, including exemptions from certain obligations under the Data Act in the context of switching between providers.
An important change in practice is the “single entry point” for incident reporting. This allows organisations to comply with reporting obligations under different frameworks, including the GDPR, NIS2, DORA and eIDAS, via a single interface. This should significantly reduce their administrative burden and promote consistency in reporting. The European Union Agency for Cybersecurity (ENISA) will be responsible for developing the single entry point.
In the area of privacy, the Digital Omnibus contains targeted amendments to the GDPR. For example, the definition of personal data is streamlined in line with the recent ruling of the European Court of Justice in the SRB/EDPS case, lists of processing operations for which a DPIA is mandatory or not required will be developed at EU level, and the transparency requirements for low-risk processing operations are lowered. Furthermore, the cookie rules from the ePrivacy Directive are incorporated into the GDPR, with room for machine-readable consent signals and an obligation for browsers to support them. Additionally, an extension of the deadline for notifying data breaches is proposed, to a maximum of 96 hours.
As there are currently insufficient resources to support compliance, the Commission proposes to postpone the obligations for high-risk AI systems by a maximum of 16 months. An exception to the prohibition on processing special categories of personal data for the development of AI systems has also been introduced, and it is explicitly recognised that the processing of personal data in the context of the development and management of AI systems or AI models may take place on the basis of legitimate interest, provided that all criteria under Article 6(1)(f) GDPR are met.
The Commission's proposal will be negotiated at EU political level in the coming months. The aim is for the Digital Omnibus to apply before summer 2026.
Mandatory provision of e-mail address insufficient for digital accessibility
On 21 November, the Dutch Supreme Court handed down its judgment in a dispute concerning a mandatory field to provide an e-mail address in an online objection form. The central question was whether the mandatory provision of an e-mail address is equivalent to an acknowledgement by an addressee that they can be reached through electronic means within the meaning of Article 2:14 of the Dutch General Administrative Law Act.
The case concerned additional parking tax assessments by the municipality of Leiden. The plaintiff had lodged an objection against the assessments via a digital contact form and filled in the mandatory fields, including the field requesting his e-mail address. The tax inspector sent the decisions regarding the objection to this e-mail address. When the plaintiff later lodged another objection, the tax inspector declared it inadmissible, and the district court of The Hague ruled that the appeal period had expired after the decisions regarding the objection had been announced to the plaintiff by e-mail.
The plaintiff appealed against the district court's ruling, arguing that he had not received the decisions regarding his objection. He claimed that he had not given the tax inspector permission to provide the decisions by e-mail and that such permission could not be inferred from the mere completion of a mandatory field in the contact form.
According to Article 2:14 of the General Administrative Law Act, an administrative body may send messages electronically insofar as the addressee has indicated that they are sufficiently reachable through this method. This notification can be 'more or less explicit', so long as it is clear to which messages or exchange this notification refers, which electronic means the addressee expressed being open to and at which (electronic) address they are able to receive electronic messages. Moreover, an administrative body may explicitly ask the addressee whether they can be reached by electronic means and whether they wish to continue communication through those means. A practical example is the “Berichtenbox” app of MijnOverheid, where citizens can indicate from which administrative bodies they wish to receive electronic communications.
According to the Dutch Supreme Court, the fact that an e-mail address is known to an administrative body is insufficient to infer that an addressee is also reachable through that address. Similarly insufficient is the fact that an addressee submits an electronic request and, in that process, provides their e-mail address. The Dutch Supreme Court considers it relevant that the form does not state that, by filling in the mandatory field, the addressee agrees that communication about an objection procedure will from then on take place via e-mail. The fact that the form states that a confirmation of receipt will be sent by e-mail to the disclosed e-mail address does not detract from this. The Dutch Supreme Court considers the appeal to be well-founded and refers the case back to the district court of The Hague for further consideration.
The judgment is relevant in the context of mandatory fields for certain data points in online forms. The judgment of the European Court of Justice in the Mousse case of January 2025 shows that mandatory fields for personal data are only permitted if they are objectively necessary. Although the Dutch Supreme Court remains silent on this point, it is doubtful whether a mandatory field for the e-mail address in this case was permissible considering the principle of data minimisation.
Marc Elshof attorney-at-law | partner
T: +31 70 376 06 87 M: +31 6 46 37 61 08 marc.elshof@barentskrans.nl
Job Julicher attorney-at-law
T: +31 70 376 08 10 M: +31 6 27 42 99 77 job.julicher@barentskrans.nl
Julius Louter attorney-at-law
T: +31 70 376 06 40 M: +31 6 15 43 37 52 julius.louter@barentskrans.nl
BarentsKrans
The Hague | Amsterdam +31 70 376 06 06 communicatie@barentskrans.nl www.barentskrans.nl