Doing Business In... 2025

NETHERLANDS LAW AND PRACTICE Contributed by: Friederike Henke, Ingrid Cools, Philip ter Burg, IJsbrand Uljée, Suzan van de Kam and Epke Spijkerman, BUREN

On 10 July 2023, the European Commission adopted its adequacy decision for the EU–US Data Privacy Framework. The decision con - cludes that the United States ensures an ade - quate level of protection – comparable to that of the European Union – for personal data trans - ferred from the EU to US companies under the new framework. On the basis of the new ade - quacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards. The adequacy decision followed the adoption of Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” by US President Biden on 7 October 2022 and a Regulation issued by the US Attorney General. The EU–US Data Privacy Framework introduces new binding safeguards to address all the con - cerns raised by the European Court of Justice, including limiting access to EU data by US intel - ligence services to what is necessary and pro - portionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals have access. If the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from EU will have to subscribe to. In order to be able to receive personal data trans - ferred from the EU on the basis of the EU–US Data Privacy Framework, US companies must certify, and then re-certify on an annual basis, with the US Department of Commerce its adher - ence to a detailed set of privacy obligations, for instance the requirement to delete personal data when it is no longer necessary for the purpose

for which it was collected, and to ensure conti - nuity of protection when personal data is shared with third parties. The functioning of the EU–US Data Privacy Framework is subject to periodic reviews, to be carried out by the European Commission, together with representatives of European data protection authorities and competent US authorities. The first review took place in July 2024. Based on the information gathered dur - ing this first review, the European Commission concludes that the US authorities have put in place the necessary structures and procedures to ensure that the Data Privacy Framework func - tions effectively. At the moment of the first review more than 2,800 US companies were certified under the Data Privacy Framework. On 4 June 2021, the European Commission issued modernised the SCCs for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). These modern - ised SCCs replace the three sets of SCCs that were adopted under the previous Data Protec - tion Directive 95/46. On 27 December 2022, the grace period for using contracts incorporating these earlier sets of SCCs expired. The Europe - an Commission is in the process of developing additional sets of SCCs for data transfers to third countries by EU institutions and bodies, and for data transfers to controllers or processors out - side the EU whose processing operations are directly subject to the GDPR. 8.3 Role and Authority of the Data Protection Agency The Dutch Data Protection Authority ( Autoriteit Persoonsgegevens ) was established by the GDPR Implementation Act as an independent

557 CHAMBERS.COM

Powered by