Cloud computing services comprise a wide range of services. The concept "cloud computing services" covers services that allow access to a scalable and elastic pool of shareable computing resources. In the Netherlands, the concept of cloud computing is governed by the NIS Directive (Security of Network and Information Systems Directive (EU) 2016/1148). The Directive was implemented into national law on 17 October 2018 by means of the Security of Network and Information Systems Act (SNISA).

The Directive offers provisions to boost the overall level of cybersecurity in the EU and secures the continuity of cloud computing services. Cloud service providers must comply with the security and notification obligations listed below. The following obligations are also applicable to essential services and digital services operators, and, therefore, have an impact on the services operators who use cloud services themselves.

• Security: cloud service providers must identify possible risks to the network and information systems they use and take measures to ensure an appropriate level of security. When identifying the appropriate and proportionate technical and organisational measures, the cloud service provider should approach information security in a systematic way, using a risk-based approach. Network and information systems should contain precautions in order to protect the availability, integrity, confidentiality and authenticity of the stored, sent or processed data from those network and information systems.
• Notification: cloud service providers are obliged to notify without delay incidents with a significant impact on the provision of the cloud computing services offered in the EU. The supervising authorities for the Netherlands are the Radiocommunications Agency Netherlands and the Cyber Security Incident Response Team.

In order to qualify as a cloud service provider as meant in the Directive, a provider must employ 50 employees or more and/or have a balance sheet total or turnover of EUR10 million or more on annual basis.

In the Netherlands cloud computing services are indirectly governed by the Dutch Civil Code (DCC) and the GDPR ((EU) 2016/679), as follows.

• General: the DCC consists of general and specific provisions that apply to all respectively particular agreements. As cloud computing agreements are not defined under Dutch law, merely the general provisions apply. Deviation from such general provisions by contracts (in accordance with the freedom of contract principle) is market practice.
• Consumers: consumer contracts are subject to mandatory consumer protection provisions incorporated in the DCC, following the implementation of the Consumer Rights Directive and the Unfair Contract Terms Directive. These contain mandatory provisions that apply to all types of consumer contracts, including cloud computing contracts. Contractual provisions that contravene mandatory consumer protection legislation may be void or voidable in certain circumstances.
• GDPR: when cloud services providers process any personal data, they are generally considered as "processors of personal data". Processors may not determine purposes and means of processing personal data, but they still need to demonstrate that their processing activities comply with the GDPR. Typical issues in this context arise when cloud service providers utilise personal data for their own purposes (eg, to analyse and/or improve their own services) and/or have a decisive saying in the determination of applied means of processing.

On 20 May 2019, Directive 2019/770 regarding the supply of digital content and services was introduced. This Directive establishes a harmonised level of consumer protection for digital content, including cloud computing services. The Directive is scheduled to be implemented into national law by 1 July 2021 and it applies to agreements concluded from 1 January 2022.

Cloud service providers should take into account EU cybersecurity strategy initiatives such as the proposal for a renewed NIS Directive and a proposal for a directive on the resilience of critical entities, which offer an expansion in scope of the current directives.

Financial Supervision Act and Prudential Rules Decree

Financial institutions increasingly utilise cloud computing services. In this context, they remain responsible for complying with relevant financial legislation and must control their operational processes. Financial institutions must comply with the strict statutory (supervision) requirements as laid down in the Financial Supervision Act (Wet op het financieel toezicht) while using cloud computing services. This indirectly impacts the delivery of these cloud computing services.

Financial institutions may not enter into cloud computing agreements if this could impede the exercise of adequate supervision by the supervisory authority for Dutch banks. Consequently, financial institutions are obliged to have a range of obligations in their cloud computing contracts and must obtain the right for the supervisory authority to examine the cloud services.

The Cloud Computing Circular, issued by the Dutch National Bank (DNB), requires that before supervised Dutch financial institutions engage in cloud computing, they must inform the DNB of their prospective outsourcing arrangements to ensure that operational processes and risks are under control.

Guidelines on Outsourcing to Cloud Services Providers

The Guidelines on outsourcing to cloud services providers of the European Securities and Markets Authority (ESMA), published on 18 December 2020, are useful for both financial institutions as for cloud services providers when negotiating cloud outsourcing arrangements. The guidelines are intended to help identify, address and monitor the risks arising from cloud outsourcing arrangements. They provide guidance to the governance, organisational and technical frameworks to put in place to monitor the performance of the cloud service providers.

Good Practice Information Security 2019–20

The Good Practice Information Security, a guide drafted by the DNB, offers tools with which financial institutions can give practical substance to control measures in the areas of governance, organisation, people, processes, technology, facilities, outsourcing, testing and the risk management cycle. Good Practice sets out various recommendations for control measures which, in DNB's opinion, properly implement the requirement of Section 3.17 of the Financial Supervision Act, in conjunction with Section 20 of the Prudential Rules Decree and the Pensions Act. These guidelines are based on international standards such as COBIT (Control Objectives for Information and related Technology) of the ISACA, ISO27000 and the NIST Cybersecurity Framework.

Over the past decade, the use of "distributed ledger technology" has increased rapidly. A distributed ledger (also known as a general ledger, or distributed general ledger technology) is a technology that uses decentralised ledgers, also known as "nodes", to share, record and synchronise transactions across the distributed network. One of the most well-known types of distributed ledger technology is blockchain.

Risk and Liability

Even though blockchain has been praised as being safe and unhackable, practice has shown that this is not the case. Even blockchain can be subjected to malware, and even blockchain can, in the near future, be hacked by quantum computers.

Therefore, it is of utmost importance as a blockchain provider to implement proper organisational and technical security measures to be able to monitor potential (personal) data breaches. If the blockchain provider does not implement a level of security that is appropriate to the risks that are involved, the blockchain provider may be in violation of Article 32 of the GDPR, and thus liable for any (personal) data that has possibly been altered or deleted, also depending on the contractual clauses that have been concluded between the blockchain provider and the user.

Also, as with any technology service, blockchain services can suffer programming defects, which – depending on the type of defect – may trigger liability issues. Therefore, blockchain providers and customers should, prior to the purchase and use of blockchain, negotiate certain contractual rights and obligations, such as a contractual defects liability period, and include details of the scope and expectations regarding the blockchain application, such as detailed key performance indicators. In case of standard terms and conditions, it is also important to be aware of any limitation of liability, the governing law and jurisdiction, termination of the services, and the contractual possibility to block certain users that violate the guidelines or breach the terms and conditions.

Intellectual Property

There are two types of blockchain that can be distinguished: blockchain can be (i) "permissionless", which means that there is no special authority that is able to deny their permission to participate in the blockchain and to add any transactions to the ledger, or (ii) "permissioned", which means that there is a limited group of participants that retain the power to add transactions to the ledger. In the context of an infringement of an intellectual property right, permissionless blockchains can give rise to disputes. If an intellectual property protected work is recorded on the blockchain, it can be difficult in proving the relevant ownership and identifying any potential breaches, handling transfers or licences to third parties.

Prior to using blockchain, it must be taken into account what type of data will be shared, and whether this data is, for example, subject to any intellectual property rights or trade secrets, and whether any contractual rights and obligations of the blockchain provider may apply.

Privacy

The decentralised nature of the blockchain makes it difficult to identify the person responsible for processing, which in turn makes it impossible to guarantee a whole range of data subjects' rights. The distributed nature requires a high degree of transparency, which conflicts with the principle of data protection by design and default settings.

Finally, the permanent nature of blockchain prevents the possibility of guaranteeing various data subjects rights, such as the right to be forgotten, and clashes with a large number of general principles, including data minimisation and storage limitation.

Service Levels

The business processes built on blockchains may be vulnerable to technology and operational failures, as well as cyber-attacks. Blockchain users need to have a robust business continuity plan and governance framework to mitigate such risks.

Additionally, blockchain solutions shorten the duration of many business strategy processes, which means that it is of utmost importance to assess the (business critical) risks that are involved, and to mitigate any business continuity risks by concluding service level agreements, that detail specific adequate incident response and recovery times – for example, between participating nodes and the administrator of the network.

Jurisdictional Issues

If a dispute arises about blockchain – for example, between a blockchain supplier and a customer – it is important to determine which rules of which country apply. If a supplier and a customer are located in different countries, international private law should be invoked. On the basis of international private law, it should then be determined (i) which court is competent, and (ii) which law is applicable. Potential issues can be prevented by explicitly entering into an agreement or accepting terms and conditions that designates a competent court and governing law.

Big Data

Big data means a large amount of unstructured data, which grows exponentially and is processed at high speed. Big data can be obtained directly from the source, such as the person providing this data, but can also be obtained indirectly by linking data together.

Potential risks when collecting and using big data

When collecting big data, one of the issues that can arise is whether or not the data can be used to (in)directly identify an individual. If so, the data must be regarded as "personal data", which means that the GDPR and the Dutch GDPR Implementation Act applies. In such case, the legal grounds for processing personal data as mentioned in Article 6(1) of the GDPR must apply and, depending on the sensitive nature of personal data, one of the exemptions as mentioned in Article 9(2) of the GDPR must also be in place.

Storing big data is happening more often by using "data lakes", which means that raw data is being stored in a repository. Once the big data is stored in the repository, organisational and technical measures must be set in place to secure the big data and to prevent any data breaches. Even if the data does not contain personal data, the data itself can also be protected by intellectual property rights or can be protected under trade secrets. By protecting the data, cyber-attacks and other security incidents may be prevented. 

Artificial Intelligence (AI)

Artificial intelligence (AI) can be defined in many different ways. In general terms, however, we can say that artificial intelligence is the theory and practice of creating computers that can automate and perform activities in a "human-like" manner.

Machine learning

One of the key components of artificial intelligence is machine learning. Machine learning is essentially the study of algorithms, which are programmed to learn from (un)structured data and produce predictive models, that are constantly updated and refined.

To be able to train an algorithm and gain valuable insights from (un)structured data, (i) enough representative data is needed (ie, data quantity), (ii) this data also needs to be accurate, representing the aspects you wish to observe, with as little errors as possible (data quality), and (iii) sufficient computing power is needed.

Potential risks of implementing artificial intelligence and machine learning

When implementing or developing artificial intelligence, and in particular machine learning, there are a few privacy risks that developers, customers and lawyers should be mindful of.

Artificial intelligence, and in particular machine learning, can affect the privacy of individuals, as it is not always completely transparent to the individual what kind of personal data is being generated, collected and/or shared, or for which purposes the personal data will be used.

When algorithms process personal data in or from the European Economic Area, the GDPR and the GDPR Implementation Act applies. Also, if the personal data will be used for unsolicited communication or spam, the ePrivacy Directive and the Dutch Telecommunication Act (Telecommunicatiewet) applies.

In such cases, the outcome of the algorithm may be used for automated individual decision-making and profiling, which can have a significant adverse effect on the individual. Therefore, this type of processing is regarded as high risk and, prior to implementing and using algorithms, it is obliged to conduct a Data Protection Impact Assessment (DPIA), as mentioned in Article 35 (3) (a) of the GDPR and also in the European Data Protection Board Guidelines on Data Protection Impact Assessment.

By conducting a DPIA, potential risks to individuals can be assessed and ways can be identified to address and mitigate these risks. It is also important to note that automated processing, including profiling, which produces legal effects concerning individuals, may only be carried out if one of the three exceptions as set out in Article 22(2) of the GDPR applies, in addition to having a lawful basis for the processing of personal data as set out in Article 6 of the GDPR.

Based on Article 25 of the GDPR, it is also mandatory to adhere to the principles of "data protection by design" and "data protection by default". Data protection by design means that privacy and data protection issues must be addressed at the design phase and then throughout the life cycle, ideally at the earliest stages of the design of the processing operations, in order to safeguard privacy and data protection principles. Data protection by default means that, as a matter of course, safeguards must be put in place to ensure that the personal data that shall be processed is necessary to achieve the specific purposes.

By adhering to the principles of data protection by design and data protection by default, developers and users of artificial intelligence and machine learning applications are able to address privacy issues in a timely manner.

EU Data Initiatives

In addition to the GDPR, the Dutch Implementation Act, the ePrivacy Directive and the Dutch Telecommunication Act (Telecommunicatiewet), the European Commission has presented their Strategy on Data and Artificial Intelligence consisting of, among others, a white paper on artificial intelligence and a proposal for the Digital Services Act.

The Internet of Things (IoT) describes a system that consists of interrelated and internet-connected devices, in order to be able to connect and exchange (personal) data between these devices. When contemplating a project that revolves around the development or use of Internet of Things technologies, such as smart car software, smart security systems and connected health wearables, there are multiple legal restrictions and potential legal issues that must be taken into account when setting up these projects.

Privacy

Internet of Things devices collect high amounts of real-time data and share this between the different devices. If the data that is collected and shared relates to an identified or identifiable natural person – which is most likely the case due to the fact that multiple devices and datasets are being linked by different devices – the data must be considered to be personal data. When processing personal data in or from the European Economic Area, the GDPR and the Dutch GDPR Implementation Act applies. In such case, the principles of the GDPR must be taken into account prior to, and during, the project.

The European Data Protection Board Guidelines on Data Protection Impact Assessment (wp248rev.01) explicitly mentions that “innovative use or applying new technological or organisational solutions, like combining use of finger print and face recognition for improved physical access control”can trigger the need to carry out a DPIA. The reason is that it is a new way of collecting, using and sharing personal data.

The purposes for which the personal data is being processed are most often not transparent to the individual, which means that personal and social consequences are not always directly known and thus difficult to envisage. The deployment of Internet of Things devices may thus impose a high risk to the rights and freedoms of individuals. Therefore, the European Data Protection Board has decided that in such cases it is required to conduct a DPIA, in order to assess and mitigate any potential privacy risks.

It is also important to note that if Internet of Things technologies will be used for automated individual decision-making and profiling, which will produce legal effects concerning individuals, such processing may only be carried out if one of the three exceptions as set out in Article 22(2) of the GDPR applies, in addition to having a lawful basis for processing as set out in Article 6 of the GDPR.

Data Protection

Due to possible vulnerabilities of connected devices, cybersecurity is also a high priority. The organisational and technical measures that must be taken into account based on Article 32 of the GDPR, must take into account, among others, the costs of the implementation, the nature of the processing and the risks, and also the "state-of-the-art", which means that if there are certain relevant security standards and codes of practices that apply and are being used by other market participants, it can be mandatory to implement these standards. Furthermore, the principles of data protection by design and data protection by default, as mentioned previously, also applies to the implementation and use of Internet of Things devices.

Local Legislation

IT service agreements are not specifically regulated under Dutch law. Generally an IT service agreement falls under the scope of Articles 7:400 to 7:413 of the Dutch Civil Code (overeenkomst van opdracht). When a software solution is developed specifically for the customer (agile or waterfall), tailored to the intended use of the customer, it is more likely that the IT service agreements fall under the special scope of Articles 7:750 to 7:764 of the Dutch Civil Code (aanneming van werk). Both sections in the Dutch Civil Code, however, refer to general services and do not particularly govern IT services. Moreover, Dutch contract law is strongly influenced by the freedom of contract principle. This means that parties in the context of IT services are free to shape and determine the content of their arrangements, without prejudice to overriding mandatory Dutch law.

Duty of care

Dutch case law shows a development in which the content of duty of care is becoming more comprehensive. When the IT services consist of software development, configuration and implementation work, or application design, a certain duty of care applies to the IT supplier. Based on this duty of care, customers may hold the IT supplier accountable in the event of a failed IT project or default in the provision of IT services. This duty of care of IT suppliers may arise from the contract itself or tort.

An IT supplier will at least have to act in accordance with the efforts that can be required of a reasonably acting peer. The duties of care that can be distinguished are as follows:

• the IT supplier must put the interest of the customer first;
• the IT supplier must warn the customer if their instructions are not justified or if the intended execution of the assignment is not likely to lead to the intended result;
• in the event of additions or changes to the work agreed (so-called “scope creep”), the IT supplier may only demand an increase in the price if they have informed the customer prior about the need for a price increase resulting from the additional work. (See also 7.1 Key Restrictions on "mission creep".)

Tenders

Additionally, in the context of IT Service Agreements, responding to a call of tender issued by a public entity or a listed company requires specific formal requirements for the submission and entails disclosure of specific documents from the IT supplier.

Data protection

Furthermore, due to the GDPR, privacy and data protection is also a frequently discussed topic during IT service negotiations, as IT suppliers that provide hosting services and maintenance and support services may have access to the production environment of the customer.

In these circumstances, the IT suppliers must be regarded as a data processor. In this scenario, the IT Service Agreement must contain contractual guarantees provided by the IT supplier. If the customer determines the purposes and means of processing and the IT supplier will process the personal data on behalf of and based on the instructions provided by the customer, the customer should be considered to be a data controller. In such case, a data processing agreement as mentioned in Article 28(3) of the GDPR must be concluded between the IT supplier and the customer.

Core Rules Regarding Data Protection

Players in the field should keep in pace with the broad range of policy measures geared toward Europe’s digital ambition that touches data protection and privacy, as well as cybersecurity in 2021, including current proposals on the:

• Data Governance Act;
• Digital Services Act; and
• Digital Markets Act.

In most EU member states, including the Netherlands, there is no legal definition of "data" and no such thing as "data ownership". Dutch law merely recognises ownership of physical objects, which are defined as all "material objects which are susceptible to human control" (Article 3:2 of the Dutch Civil Code). In legal practice, this often results in challenging situations which are mostly resolved in legal contracts.

With regard to data protection, there are three pieces of EU legislation that are directly applicable in the Netherlands or have been implemented into Dutch law. Whilst the EU is still seeking consensus on a new ePrivacy Regulation governing, among others, electronic communications and the use of metadata, most recently the Free Flow Regulation ((EU) 2018/1807) entered into force. This regulation applies to electronic data, meaning all data other than personal data as defined in the GDPR and the Dutch GDPR Implementation Act, in order not to affect the existing framework for personal data protection. The Free Flow Regulation, GDPR and the ePrivacy Directive (2002/58/EC) eventually complement each other and currently create the comprehensive and coherent EU framework for the free movement of all data in the digital single market of the EU.

General Processing of Data

In general terms, it is important to grasp the interaction between the GDPR and the Free Flow Regulation, especially regarding datasets comprising of both personal and non-personal data. Examples include the following.

• The GDPR’s free flow provision applies to the personal data part of the dataset. Information about legal entities is not considered personal data. However, information about sole traders and partnerships is likely to be considered as personal data.
• The Free Flow Regulation applies to the non-personal data part of the dataset and aims at removing obstacles to the free movement of non-personal data across member states and IT systems in Europe.

The two regulations will function together to enable the free flow of any data, creating a common European space for data.

Mixed datasets

If a company processes mixed datasets, neither the Free Flow Regulation nor the GDPR obliges it to separate or store personal and non-personal data separately. If the company decides not to separate the datasets and processes them as mixed datasets, the data protection rules will apply to the entire mixed dataset. The Free Flow Regulation and the GDPR together create legal certainty for companies, and guarantee that personal and non-personal data (even when they are included in a mixed dataset) can move freely within the EU. Therefore, companies can decide to store, transfer or process the mixed dataset anywhere in the EU, wherever they consider is the most beneficial to them.

Examples of mixed datasets include:

• a company’s tax record, mentioning the name and telephone number of the managing director of the company;
• datasets in a bank, such as those with client information and transaction details;
• a research institution’s anonymised statistical data and the raw data initially collected, such as the replies of individual respondents to statistical survey questions;
• analysis of operational log data of equipment in the manufacturing industry

Processing of Personal Data

Territorial scope

As regard to its territorial scope in the Netherlands, the GDPR and Dutch GDPR Implementation Act simultaneously apply to the processing of personal data in the context of the activities of the establishment of a controller or a processor (see below) in the Netherlands (Article 3(1) of the GDPR).

It additionally applies to the processing by a controller or processor not established in the Netherlands of the personal data of data subjects who are in the Netherlands, where the processing activities are related to:

• the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Netherlands; or
• the monitoring of their behaviour to the extent that their behaviour takes place within the Netherlands (Article 3(2) of the GDPR).

Controllers and processors

A controller is the entity deciding on the purposes and the means of the processing of personal data. A processor processes personal data on behalf of a controller, having generally no control over the purposes and the means of the processing. Controllers must conclude a data processing agreement with processors (Article 28 of the GDPR).

Legal grounds

Processing of personal data is only permitted if there is a legal ground for that processing activity. Legal grounds are:

• consent;
• the performance of a contract;
• compliance with a legal obligation;
• vital interests of the data subject;
• task carried out in the public interest; and
• legitimate interest. 

Consent must be freely given, specific, informed and unambiguous. Children below the age of 16 years (Article 5 of the GDPR Implementation Act) cannot give valid consent, consent must be given by their parents or guardians.

For the processing of special categories of personal data (eg, personal data revealing racial origin, political opinions and trade union membership) to be permitted, there must be a legal ground and one of the exceptions of Article 9(2) of the GDPR must apply. Besides the exceptions set forth in Article 9(2) of the GDPR, there are exceptions of national law set out in the GDPR Implementation Act – for example, exemptions for the processing of health data in Article 30 of the Dutch GDPR Implementation Act.

Accountability

The processing of personal data must meet the principles of Article 5 of the GDPR:

• lawfulness, fairness and transparency;
• purpose limitation;
• data minimisation;
• accuracy;
• storage limitation;
• integrity and confidentiality.

Controllers and processors must maintain a record of processing activities (Article 30 of the GDPR), and, in case of a high-risk processing activity, a DPIA must be carried out based on Article 35 of the GDPR. In particular situations, a controller or processor must appoint a data protection officer (Article 37 of the GDPR).

Rights of data subjects

Data subjects have the right to be informed, therefore certain information (set out in Article 13/14 of the GDPR) must be provided to data subjects, usually by means of a privacy notice.

Controllers must be able to comply with data subject's request to exercise their rights, namely:

• right to request access to personal data;
• rectification of personal data; 
• erasure of personal data;
• restriction of processing;
• right to object to the processing;
• right to data portability; and
• right to withdraw consent at any time. 

Data breaches

Data breaches are breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12) of the GDPR).

Data breaches that are likely to result in a risk to the rights and freedoms of natural persons must be notified to the Dutch DPA (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of it (Article 33 of the GDPR). When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, it must be communicated to the data subjects without undue delay (Article 34 of the GDPR).

To prevent a personal data breach and to protect personal data, controllers must implement technical and organisational measures to ensure an adequate level of security (Article 32 of the GDPR).

Transfer of personal data outside the EEA

Transfer of personal data to countries outside the EEA is not permitted unless:

• there is an adequacy decision (Article 45 of the GDPR);
• appropriate safeguards have been taken, such as binding corporate rules or standard contractual clauses (Article 46/47 of the GDPR);
• one of the derogations for a specific situation applies (Article 49 of the GDPR).

In respect of Brexit, it remains to be seen when an adequacy decision permitting EEA to UK personal data transfers will be reached. In the meantime, interim periods apply, in which a transmission of personal data from the EEA to the UK shall not be considered as transfer to a third country under EU law.

Enforcement

The GDPR is intended to make data protection a boardroom issue. It introduces an antitrust-type sanction regime with fines of up to 4% of annual worldwide turnover or EUR20 million, whichever is the greater. These fines apply to breaches of many of the provisions of the GDPR, including failure to comply with the six general data quality principles or carrying out processing without satisfying a condition for processing personal data.

A limited number of breaches fall into a lower tier and so are subject to fines of up to 2% of annual worldwide turnover or EUR10 million, whichever is the greater. For example, failing to notify a data breach or failing to put an adequate contract in place with a processor fall into this lower tier.

In addition to the fines, the Dutch DPA (Autoriteit Persoonsgegevens) has a range of other powers and sanctions at its disposal. This includes investigative powers, such as the ability to demand information from controllers and processors, and to carry out audits. It also has corrective powers enabling them to issue warnings or reprimands, to enforce an individual’s rights and to issue a temporary or permanent ban on processing.

In the Netherlands, the DPA has the power to enter residences without the consent of the owner. Furthermore, obligations of secrecy cannot be invoked against the DPA to the extent that information or co-operation is required regarding that organisation’s own involvement in data processing.

Finally, data subjects have a right to compensation in respect of material and non-material damages. In the Netherlands, we see litigation emerging on the basis of the new Act on collective damages claims (Wet afwikkeling massaschade in collectieve actie or WAMCA) that entered into force on 1 January 2020.

Restrictions on monitoring and limiting use by employees of company computer resources are predominantly driven by data protection laws.

Workplace monitoring will usually involve processing personal data and is therefore governed in the Netherlands by the GDPR and the Dutch GDPR Implementation Act.

Identify the Purpose of Monitoring

When considering whether or how to monitor employees, the starting point should be identifying the purpose and underlying interest of the employer. What is the employer trying to pursue, ensure or protect? Is it for efficiency purposes, or are there specific security concerns? Is it a one-off, incidental case of monitoring (such as a breach of company confidentiality by an employee and subsequent investigations) or is it a more general concern (data loss prevention tools, web traffic monitoring, extensive private email use, e-discovery tooling)? Would monitoring the flow of communications be sufficient or is actual content inspection intended?

Employers should conduct a thorough risk analysis and make sure that the monitoring chosen is proportionate to the risks employers are looking to mitigate. This risk analysis should help employers to meet legislative requirements. Once an employer has identified the reason or purpose for any monitoring, the next step should be to consider how the chosen monitoring addresses the concern or reason identified, and whether there are any alternative ways of meeting its purpose other than monitoring. This has a practical as well as legal purpose – if there is a less intrusive way to protect a business than monitoring employees, the courts and the Dutch DPA (Autoriteit Persoonsgegevens) would expect the employer to take it and doing so should lower the risk to the business.

GDPR Compliance

In order to carry out GDPR-compliant monitoring of employees, employers must identify a legal basis for carrying out and processing the monitoring information, and any exemptions for special category personal data such as data related to health, religion or ethnicity/race.

It is noteworthy that consent is not considered a proper legal basis for processing personal data in the employment context (especially for intrusive processing activities such as monitoring). In the Netherlands, in most cases employers will have to rely on the "legitimate interest" legal basis for processing. This means that a legitimate interests assessment (LIA) must be conducted to ensure a proper balance between the legitimate interest of the employer and the fundamental rights and freedoms of the employees. Such measures, depending on the form of monitoring, should include limitations on monitoring so as to guarantee that the employee’s privacy is not violated. Such limitations could be:

• geographical (eg, monitoring only in specific places – monitoring sensitive areas such as religious places and, for example, sanitary zones and break rooms should be prohibited);
• data-oriented (eg, personal electronic files and communication should not be monitored); and
• time-related (eg, sampling instead of continuous monitoring).

Employee monitoring is considered to be "high risk" processing, according to the Dutch DPA. Consequently, a DPIA must also be conducted. The Dutch DPA distinguishes between general monitoring and covert monitoring. For covert monitoring to be lawful, employers must have a reasonable suspicion of a criminal offence or wrongful use of company information and where notifying concerned individuals would prejudice its detection or prevention.

Companies with a works council will also need to obtain prior consent from the works council before conducting employee monitoring based on the Dutch Works Counsel Act. Furthermore, it is of significant importance that such assessments are appropriately documented as (aside from demonstrating accountability with other data protection principles and requirements) the documentation will form the basis of the employer's defence in the event of a claim, complaint or Dutch DPA investigation.

Information and Transparency

Employers are obliged to inform employees in a transparent way of the purposes and means of the monitoring activities. This kind of information is often captured by means of a(n) (employee) privacy notice. This notice draws the relevant acceptable use and monitoring policies to the attention of the employees. Appropriate training for staff carrying out and using monitoring data is also key. 

Failure to do so may leave employers exposed to additional risk and claims. Depending on the circumstances, employees may also have grounds for an unfair dismissal or constructive dismissal claim, and might in some circumstances be able to establish a whistle-blowing aspect to such a claim. This could seriously impair the position of the employer, which could lead to significant financial and reputational damages. After all, employee communications are key to avoiding lasting damage to employee relations.

Access Limitation and Retention

Employers must ensure that they limit access to monitoring data. Only those who really need access should be able to access it (ie, on a need-to-know basis). This means assessing control access, permission grants/sign-off processes, etc, to facilitate access where necessary.

Furthermore, monitoring data should only be kept to the extent it is relevant to the purpose for which it is processed and whilst it remains accurate. Indefinite retention is never permissible. The period of retention will, to a certain extent, depend on the nature of the information collected and its usefulness. For example: CCTV images may, in principle, be retained for a maximum term of four weeks in the Netherlands. In addition, the employer is obliged to implement appropriate technical and organisational measures to ensure the safety and integrity of the data at all times. Once no longer needed, the data must be destroyed safely and securely.

Private Remains Private

Private and working lives are now more intertwined than ever. During the COVID-19 crisis, many more employees will be using their personal devices rather than work devices when working remotely. Employers need to be extremely careful of the following:

• employees should be informed about their (lack of) privacy while using company systems/ devices (eg, use of personal email account on company devices or personal devices for work-related matters);
• employers should disregard any data marked "private" or "personal" unless they have very good reasons;  
• employers should treat private devices as out of bounds, unless such devices operate workplace systems and/or work-related communications (the employer must have clear policies that address monitoring such circumstances);

Additionally, accessing communications without grounds to do so could amount to criminal or other civil offences for the business and potentially its directors.

Location Data

Tracking of location data is seen by the Dutch DPA as a particularly invasive form of employee monitoring. Employers may feel the need to track company assets or equipment, such as laptops, tablets and phones. However, even if the employer can pass the legal hurdles, if it wants to use such data for the management and discipline of wayward employees it must spell this out clearly for employees, otherwise it will breach key provisions of the GDPR and employment legislation. Otherwise, it could set itself up for additional claims and risks.

Mission Creep

There will inevitably remain scenarios where an employer is tempted to use monitoring tools for wider purposes, particular in the COVID-19 context – for example, on the private use of company devices or on homeworking conditions and efficiency. However, risks remain significant and employers should beware of the so-called "mission creep" – ie, incremental expansion beyond the initial purpose of monitoring. Monitoring data should only be used for the purpose for which it is collected, and changing its purpose will raise further questions and compliance hurdles as to whether the monitoring was legitimate and employees were properly informed. Justifying employee monitoring is a hard task; using the same data for other purposes creates a new layer of risk.

Currently, there are multiple technologies that are deemed to fall within the scope of local telecommunications rules. Prior to bringing such technologies on the market, it is important to comply with the requirements as set out in local law.

Legislative Framework

The Dutch telecommunications sector is primarily governed by the Dutch Telecommunications Act (Telecommunicatiewet), which also incorporates multiple European Directives, such as the aforementioned ePrivacy Directive, the Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services (Framework Directive), and the Directive 2002/22/EC on communications networks and services (Universal Service Directive).

The Telecommunications Act requires registration with the Authority Consumers and Markets (Autoriteit Consument en Markt) for a provider of:

• public electronic communications networks;
• public electronic communication services; and/or
• any services, physical infrastructures, and other facilities or elements belonging to an electronic communications network, or an electronic communications service, that makes it possible or supports the provision of services via that network/service or has the potential to do so.

Furthermore, when offering the aforementioned services, providers are obliged to solve and report any interruptions or technical failures and they may not impede or delay services or applications on the internet, including charging different rates for different internet applications.

In the Netherlands, there are two authorities that supervise the enforcement of the Telecommunications Act: the Authority Consumers and Markets (Autoriteit Consument en Markt), which is responsible for competition oversight, telecom-specific regulation and consumer protection, and the Dutch Radiocommunications Agency (Agentschap Telecom), which is responsible for obtaining and allocating frequency space and monitoring its use.

RFID

Radio Frequency Identification (RFID) are chips that use radio frequencies to collect (personal) data from uniquely identified tags and transfer the (personal) data over electronic communications networks.

Based on Article 3.4(1)(a) of the Telecommunications Act, Article 18 of the Frequency Decree (Frequentiebesluit) and the Regulation on the use of frequency space without a licence (Regeling gebruik van frequentieruimte zonder vergunning), RFID chips are exempted from the obligation to receive a permit prior to the use of frequency space.

However, collecting and transferring (personal) data with RFID chips may trigger privacy and security issues. The Directive 2009/136/EC, which amended the ePrivacy Directive and the Universal Service Directive, explicitly states that: “use of such technologies can bring considerable economic and social benefit and thus make a powerful contribution to the internal market, if their use is acceptable to citizens. To achieve this aim, it is necessary to ensure that all fundamental rights of individuals, including the right to privacy and data protection, are safeguarded. When such devices are connected to publicly available electronic communications networks or make use of electronic communications services as a basic infrastructure, the relevant provisions of Directive 2002/58/EC (Directive on privacy and electronic communications), including those on security, traffic and location data and on confidentiality, should apply.” (Directive 2009/136/EC, consideration 56).

If RFID chips collect and transfer personal data, the GDPR and the Dutch GDPR Implementation Act shall apply. Therefore, when producing or using RFID chips, the principles of the GDPR and the Dutch GDPR Implementation Act must be taken into account. Furthermore, a Data Protection Impact Assessment as mentioned in Article 35 of the GDPR must be carried out. The European Data Protection Board adopted a specific Privacy and Data Protection Impact Assessment Framework for RFID applications on 12 January 2011, which can be used to conduct such assessment.

VoIP

Voice over Internet Protocol (VoIP) is the transmission of voice and multimedia communications over an internet connection. Based on the Telecommunications Act, a provider of VoIP services is regarded to be a provider of electronic communications services. Therefore, in the Netherlands, the Dutch Telecommunications Act applies and providers must register with the Authority Consumers and Markets (Autoriteit Consument en Markt) prior to providing such services to customers.

This has also been confirmed in the case C-142/18 Skype Communications Sarl v IBPT (5 June 2019). In this case, the European Court of Justice (ECJ) ruled that Microsoft’s Skype service, SkypeOut – which is an additional feature of the Skype software and allows Skype-users to make calls from a terminal to a fixed or mobile telephone line using VoIP – is an electronic communications service, as defined in the Framework Directive (Directive 2002/21/EC, as amended) and is therefore subject to European telecoms regulations.

In the Netherlands, any natural or legal person may in principle provide a commercial media service or solicitation, provided that they:

• fall under the competence of the Netherlands;
• are of age;
• are not a national, regional or local public media institution.

On 1 November 2020, the new Dutch Media Act came into force due to the implementation of the revised Directive on Audiovisual Media Services (AVMSD, (EU) 2018/1808). The new Media Act contains, among others, provisions for public media services, commercial media services, video platform services, protection of young people, major events, use of broadcasting networks and supervision and enforcement by the Dutch Media Authority (Commissariaat voor de Media).

The new Media Act has major consequences for providers of commercial media services on demand, including online video channels. The following criteria are used to determine whether a provider qualifies as a media service on demand:

• the main goal of the service is to show videos;
• the service has a mass media character;
• it is an economic service;
• the provider of the service determines the content of the videos; and
• the videos are available through a catalogue.

These criteria can be found in the Policy Rule Classification of Commercial Media Services on Demand. The Dutch Media Authority examines whether the notified service is actually a commercial on-demand media service on the basis of the Dutch Media Act. If that is the case, the media service is included in the Register Commercial Media Institutions. Media organisations providing on-demand commercial media services are required to pay an annual fee of EUR200 (plus indexation) for each media service.

Under the new Media Act, platforms such as YouTube are obliged to take adequate measures in order to clarify if the content shown contains advertisements, sponsorships or other kinds of commercial activities. The supervisory authority that is located in the same country as the video-sharing platform provider will be the competent authority and can issue fines or other measures.

The new Media Act prohibits influencers to encourage viewers to buy or hire products or services shown in the video through specific recommendations. They may not pay excessive attention to products in their videos, which must indicate whether any advertisement is included. Videos that target children younger than the age of 12 cannot show any sponsored content or advertisements. Such videos must be stored for at least two weeks in order for the Dutch Media Authority to be able to file request and check whether there have been any violations.

Furthermore, as far as online video channels are concerned, adequate measures must be taken to protect the interests of minors. This means that parents must be able to control what their minors watch via an accessible system. Measures must also be taken to protect minors from videos inciting violence or distributing videos containing criminal offences.

In the Netherlands, there are no formal legal requirements governing the use of encryption. Encryption supports respect for privacy and secure communication of individuals and companies by providing them a means to communicate protected data confidentially and with integrity. Encryption that cannot be hacked is considered vital to a company’s competitiveness in the global marketplace. According to the Dutch government, confidence in such secure communication and storage data is essential for the future growth potential of the Dutch economy, which is mainly in the digital economy.

In the GDPR, encryption is considered as a potential appropriate safeguard to mitigate risks. For example, it should be considered as a measure when processing personal data for a purpose other than that for which the personal data has been collected (Article 6 (4) (e) of the GDPR) or to comply with Article 32 of the GDPR regarding the security of processing.

Encryption is considered a (mere) security measure by the Dutch DPA (Autoriteit Persoonsgegevens) due to its reversible nature. By using the right key, the original information can be obtained (decryption). Encryption is used, among other things to secure data when transmitting data over the internet, when storing data on portable devices and on removable media such as USB sticks, and in other situations where data is vulnerable to unauthorised access.

When cryptographic operations like encryption are used, it is therefore critical to assess periodically whether reliability requirements are still met. Various (international) standards provide further guidelines in terms of using encryption methods, such as ISO:20001 and NEN7510 (applicable to the healthcare sector).

The Dutch government issued emergency legislation as well as initiating programmes and other initiatives to address the COVID-19 pandemic. Although they lack specific TMT sector focus, they are nevertheless relevant.

First of all, a set of financial measures to help entrepreneurs came into effect three times in 2020, with the last time being on 1 October. These measures, among other things, offer entrepreneurs relief for paying wages and offer compensation for self-employed professionals, thereby aiming to minimise lockdown effects in selected sectors. Other measures relate to tax, credit and guarantees relief and payment extensions. For a full overview, please refer to Corona: Dutch government measures overview.

On 2 December 2020, the temporary Corona Act entered into force. This legislation replaces former emergency legislation incorporating all temporary measures that had been issued by the government as of March 2020. As this is temporary legislation, it will only remain in force for three months, with a possible extension by an additional three months. This temporary legislation covers five separate arrangements, three specifically for the islands Bonaire, Sint Eustatius and Saba and two regarding the European part of the Kingdom of the Netherlands. These latter two refer to legislation based upon which the use of facial masks can be declared mandatory in public spaces and a law that implements “social distancing by law” – for example, maintaining 1.5-metre distancing between individuals, forbidding groups of more than four people in public spaces and the temporary closure of shops, restaurants, etc.

At the beginning of January 2021, the Dutch government started with a COVID-19 vaccination programme. Focussed on people working in healthcare and those in care for the elderly, in the course of the first part of 2021 the vaccine will become publicly available to all residents of the Netherlands. This vaccination is, at this time, not declared mandatory by the Dutch government and discussions have arisen as to whether employers can demand vaccination of its employees and customers. Up until now, it is the decision of the Dutch government, as well as the Dutch DPA, that in general such demand cannot be made from employees by employers unless there are specific circumstances that would make such vaccination absolutely necessary. Dutch law offers better possibilities to make such demands of customers (such as patients or visitors to private premises).

One of the challenges for employers in the Netherlands is the position of the Dutch DPA regarding the processing of medical information and also, therefore, information on vaccination. The Dutch DPA is adamant in its opinion that the processing of vaccination information of any data subject, including employees, is not allowed under the GDPR unless a legitimate ground and exception can be identified in Articles 6 and 9 of the GDPR, respectively. This position, combined with the strict view of the Dutch DPA on “legitimate interest”, means in practice that it will be challenging, even in situations where there is an urgent need for vaccination, to stay within both the GDPR and the Dutch DPA's view on the GDPR.

However, the position of the Dutch DPA is under scrutiny in the press as well, because of a recent ruling against their position by a Dutch Court in the VoetbalTV case (District Court Midden-Nederland, ECLI:NL:RBMNE:2020:5111, 23 November 2020). This case concerned an internet platform, VoetbalTV, on which amateur football matches was broadcasted. The DDPA imposed a fine of EUR575,000 because there would be no legal basis for recording and broadcasting football matches (and thus processing personal data). The DDPA argued that production and processing of recordings is an invasion of the privacy of a large number of the persons concerned and, because it also concerned underage football players, justified a significant fine. In this case, the DDPA had only examined in its investigation whether there was a legitimate interest. It was only after the decision on the fine had been taken that the DDPA reasoned that the legitimate interest requirements were not met. The court eventually came to the conclusion that because the investigatory report on the basis of which the fine decision was taken was incomplete and therefore negligent, it should be annulled.

Therefore, in conclusion, it remains highly advisable to keep a close watch on the actual position of the Dutch DPA in the Netherlands regarding the processing of COVID-19-related personal data.