Short Reads

Don't take the ACM's digital inspection guidelines too literally

Don't take the ACM's digital inspection guidelines too literally

Don't take the ACM's digital inspection guidelines too literally

04.04.2019 NL law

The Dutch Authority for Consumers and Markets' (ACM) digital inspection guidelines should be on every company's reading list. However, they should not be taken too literally; at least according to the recent ruling from the Court of Appeal in The Hague.

Even though the ACM, contrary to its own inspection guidelines, had not handed over the names of all the employees targeted for inspection, it should have been clear to the raided company that the ACM also wanted to collect and secure data from five former CEOs and CCOs. As a result, the ACM could use the data from these individuals, even though they were not explicitly mentioned, without it going against its own inspection guidelines.

The ACM's inspection guidelines provide that ACM officials should hand over the names of individuals targeted for inspection to the company subject to the dawn raid (Article 2.1(4)). Even though the ACM neglected to do this in respect of five former CEOs and CCOs, it nonetheless proceeded to collect data from these employees. The ACM claimed that it had selected the five former employees prior to the dawn raid, and that it had taken back-up tapes from the premises because the email boxes of these five individuals were no longer digitally available. Before taking these tapes, the ACM had verified with the company that the tapes did actually contain the email boxes of the five individuals.

The Court of Appeal found that the company had not sufficiently substantiated that the ACM had either taken the back-up tapes for other reasons, or simply taken them without any further explanation. It should therefore have been clear to the company that the five former CEOs and CCOs were part of the ACM's inspection. Different to the District Court's earlier ruling [see our November 2018 Newsletter], the Court of Appeal therefore ruled that the ACM had not violated its own inspection guidelines. Article 2.1(4) of the inspection guidelines aims to enable companies subject to dawn raids to determine the scope of their duty to cooperate and rights of defence. This determination is possible if it is clear to the company which individuals are targeted for data collection, even if these individuals were not explicitly mentioned before collecting their data.

Companies are therefore advised not only to read the ACM's inspection guidelines carefully, but also remain vigilant of other ways in which the ACM clarifies its inspection goals and factor these developments into their dawn raid response strategy.

 

 

This article was published in the Competition Law Newsletter of April 2019. Other articles in this newsletter:

Team

Related news

24.09.2021 EU law
Digital Law Up(to)date: (1) the download of a software with a permanent licence can constitute a “sale of goods”; (2) alert of the BEUC regarding the privacy policy of WhatsApp and its new term of use

Articles - In this blog, we briefly present two interesting news in the field of digital law: (1) a judgment of the CJEU considering that the download of a software with a permanent licence can constitute a “sale of goods”, and (2) an alert of the BEUC regarding the privacy policy of WhatsApp and its new terms of use.

Read more

09.09.2021 BE law
Digital Law Up(to)date: (1) Parliamentary initiatives about cyber attacks; (2) ‘Zero tariff’ options before the CJEU; and (3) Council of State, GDPR and encryption

Articles - In this blog, we briefly present three interesting news in the field of digital law: (1) Parliamentary initiatives to tackle cyber attacks (2) "Zero tariff" options and open internet access do not mix! (3) Council of State, GDPR and encryption: validation of a decision of the Flemish Authorities

Read more

26.08.2021 EU law
Facebook/Belgian DPA: Landmark ruling on cross-border enforcement under the GDPR

Short Reads - On 15 June 2021, the CJEU delivered an important judgment on the one-stop-shop mechanism. While the CJEU reinforced that the lead supervisory authority is the sole interlocutor in cross-border processing operations, it also contributed to the effective enforcement of the GDPR by reiterating the conditions under which supervisory authorities other than the lead supervisory authority can bring enforcement actions against such processing operations.

Read more

13.09.2021 NL law
Adopting the new Standard Contractual Clauses to secure international personal data transfers

Short Reads - Recently, the European Commission issued an implementing decision on standard new contractual clauses (“SCCs”) for the transfer of personal data to countries outside the European Economic Area. Organisations need to use the new SCCs from 27 September 2021 and onwards. Transitional periods apply for existing international data transfer agreements. To meet their obligations under the General Data Protection Regulation, organisations need to make the appropriate changes in time.

Read more