NETHERLANDS LAW AND PRACTICE Contributed by: Friederike Henke, Ingrid Cools, Philip ter Burg, IJsbrand Uljée, Suzan van de Kam and Epke Spijkerman, BUREN
(including processing information about crimi - nal offences). The ePrivacy Directive and the Dutch Cookie Act Additional provisions regarding data protection and privacy in the context of telecommunica - tions are set out in Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of per - sonal data and the protection of privacy in the electronic communications sector, EU (ePrivacy Directive) and in the Dutch Cookie Act. The ePrivacy Directive has been implemented in the Dutch Telecommunications Act, which pro - hibits unsolicited communication by email (as well as faxes and automated communication systems) for commercial, non-commercial or charitable purposes, unless senders can dem - onstrate the recipient’s prior consent. Under the Cookie Act, informed consent is required for the use of cookies, unless the cook - ies are: • needed to facilitate communication; • strictly necessary for the service requested by users; or • aimed at obtaining information about the quality and/or effectiveness of the services provided and have little or no impact on the users’ personal lives. These rules apply to both first-party cookies and third-party cookies. 8.2 Geographical Scope Pursuant to Article 3 (1), the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EEA, regardless of whether or
not the processing takes place in the EEA. The term “establishment” extends to any real and effective activity – even a minimal one – exer - cised through stable arrangements in the EEA. Businesses not established in the EEA will also be subject to the GDPR if they offer goods and services to individuals in the EEA, or if they mon - itor the behaviour of data subjects who are in the EEA. Non-EEA businesses that do this on a regular basis or in combination with certain high-risk activities will have to designate a repre - sentative in the EEA. Under these rules, websites directed at an EEA audience or tracking visitors from the EEA must comply with the GDPR. No special requirements apply to data trans - fers from the Netherlands to other EEA coun - tries. Transfers of personal data to countries outside the EEA, however, require – with just a few exceptions – either a decision of the Euro - pean Commission that the destination country ensures an adequate level of protection (this is the case for the UK, Switzerland, Canada, Israel and Japan, for example), or appropriate safeguards to protect the data subjects’ rights (such as the Commission’s standard contrac - tual clauses (SCCs) or binding corporate rules approved by a supervisory authority). On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its decision in Data Protection Commissioner v Facebook Ire - land, Maximillian Schrems, commonly referred to as “Schrems II”. The decision invalidated the EU–US Privacy Shield Framework, which was designed to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic com - merce.
556 CHAMBERS.COM
Powered by FlippingBook