Short Reads

Countdown 7 weeks until GDPR : Will entities be required to report any contraventions of the GDPR to the regulators?

Stibbe - Will entities be required to report any serious contravention

Countdown 7 weeks until GDPR : Will entities be required to report any contraventions of the GDPR to the regulators?

05.04.2018 BE law

Only 7 more weeks to go before the GDPR becomes fully effective. Preparing your company for the application of this new regulation requires a correct understanding of its principles. Each week, we highlight one particular misconception regarding the interpretation of the GDPR.

Will entities be required to report any serious contraventions of the GDPR to the regulators and to data subjects affected?

According to Article 33.1 of the GDPR reporting those contraventions will not be required in all cases, but only if the breach in question implies a risk to the rights and freedoms of the individuals whose data have been affected by the contravention.

The Article 29 Working Party has clarified that there is a “risk to the rights and freedoms” if the breach can lead to physical, material, or non-material damage to the individuals whose data have been breached. Any such risk should appear to be related to a third party’s non-authorized access to the individual’s information, leading to the violation of that individual’s rights to privacy or any other relevant right (e.g., economic loss derived from the use of a credit card number of an individual whose data have been unduly accessed). When evaluating this risk, one should do so on the basis of an objective assessment while taking into account criteria such as the type of breach, the nature, sensitivity, and volume of personal data concerned, the ease of identification, the severity of consequences for individuals, etc.

Hence, according to this approach, incidents that have no consequences on the rights and freedoms of individuals (e.g., loss of information, without any third party having accessed to such data) should not be reported under the GDPR.

Stibbe, together with Chiomenti, Cuatrecasas, GIDE and Gleiss Lutz, have gathered this useful information, reflecting some common misconceptions about the implementation of the GDPR.

Team

Related news

11.10.2018 NL law
Stibbe hosts NGB Extra Seminar about product development and counsel’s role at the interface of new technology and law

Seminar - On 11 October 2018, Stibbe will host the NGB (Dutch Association of Corporate Lawyers) Extra Seminar.  IT/IP lawyers Judica Krikke, Jasper Klopper, Marc Spuijbroek and Frederiek Fernhout will discuss the practical aspects of the development of innovative new products. 

Read more

23.08.2018
ECJ: Facebook fan page administrator is a joint data controller

Short Reads - On 5 June 2018, the European Court of Justice ("ECJ") decided on several preliminary questions that were raised in an administrative proceeding between the German Data Protection Authority ("GDPA") and Wirtschaftsakademie Schleswig-Holstein GmbH ("Wirtschaftsakademie"), a German educational services provider that offers its services through a Facebook fan page. In its decision, the ECJ held, among other things, that Wirtschaftsakademie qualifies as a data controller ex Article 2 under d Directive 95/46/EC[1] ("Privacy Directive").

Read more

02.10.2018
Erik Valgaeren speaks on Software Contracting during an event organised by Beltug.

Speaking slot - Beltug, the Belgian Association of Digital Technology Leaders, organizes a seminar on Software Licences for procurement and legal professionals at the Hotel Abbey in Grimbergen. Erik's presentation will identify key software contract attention points, including how to draft them, the link with copyright laws and the dangers of using language from contracts based on US or English law.

Read more

07.08.2018 NL law
General Data Protection Regulation comes into effect

Short Reads - On 25 May 2018, the European Union's General Data Protection Regulation (GDPR) came into effect. The GDPR replaces the EU's prior directive governing the processing and transfer of personal data, which was in place since 1995. As a regulation, the GDPR is directly applicable in all 28 EU member states and thus removes the need for national implementing legislation. However, the GDPR allows member states discretion in certain areas, as a result of which national legislation may still be implemented. In the Netherlands, the GDPR Implementation Act came into effect on 25 May 2018.

Read more

27.08.2018 BE law
Actualia: Het BIM-referentieprotocol: eerste stap in de (o.m. juridische) omkadering van BIM in België

Articles - “BIM” is niet louter het werken in 3D. BIM is een manier van samenwerken in de bouwsector. Met behulp van digitale technologie (o.a. bouwinformatiemodellen) wordt informatie gestructureerd beschreven, beheerd en uitgewisseld tijdens de volledige levenscyclus van een project (van programmafase tot exploitatiefase).

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy – en cookieverklaring