On May 25, 2018, the European General Data Protection Regulation will apply in all EU member states. It includes severe penalties for companies that do not comply. Please read our memo for a brief explanation of the Regulation, which applies not only to large companies but to any company that collects data of individuals.
Dutch directors’ liability shield in 2017
When someone wants to manage a Dutch private limited liability company (hereinafter: “Opco”), he or she may choose to incorporate a Dutch private limited liability company (a so-called “BV”, named for example “Management BV”), appoint this Management BV as statutory director of Opco and appoint him or herself as statutory director of Management BV. Management BV is, as it were, interposed between him or her and Opco. The Netherlands is one of the few countries that allow a company to become a director of another company (Article 2:11 Dutch Civil Code (DCC)). Until recently, the advantages of such a structure outweighed the disadvantages, but this is slowly changing. Below we deal only with the legal aspects of such a structure.
In recent years data breaches have increased, both in number and in intensity. Breaches of personal data have the potential to severely damage individuals, for example in cases of credit card fraud or identity theft. To improve the security of personal data, the European legislator created a duty for people and corporations that process personal data (“data controllers”) to notify national data protection authorities and individuals (“data subjects”) in case of data breaches.
This duty to notify is included in the new General Data Protection Regulation, which is scheduled to enter into force in the near future. In anticipation of this EU Regulation, a duty to notify data subjects and the data protection authority in case of a data breach will be introduced in the Netherlands on 1 January 2016. The goal of this new rule is to confirm and restore trust in controllers of personal data. As a result, it can be expected that existing contracts will need to be reviewed and, where necessary, amended.
The introduction of a duty to notify is relevant for all controllers and processors of personal data, for example those dealing with contracts between payroll agents and employees. In this newsletter we will provide answers to the following six questions data controllers might have on the new data breach notification: (i) What constitutes a data breach? (ii) Who has the duty to notify? (iii) What to do in case of a data breach? (iv) How can a proper level of security be acquired? (v) What if controllers do not comply with the duty to notify? and (vi) What are the practical changes data controllers have to make?