6 / 5TH ANNIVERSARY OF THE GDPR
7 /
NETHERLANDS.
NORWAY.
ROMANIA.
MICHA GROENEVELD BDO Legal | Netherlands
ASTRID EIKENES SKORPEN BDO Legal | Norway
CATALINA DAMASCHIN Tudor, Andrei & Associates
micha.groeneveld@bdo.nl
astrid.skorpen@bdo.no
catalina.damaschin@tudor-andrei.ro
LESSONS LEARNED:
LESSONS LEARNED:
LESSONS LEARNED:
Over the past five years, people have become much more aware of their privacy rights. We have also noticed that the Dutch Data Protection Authority (the “AP”) sometimes upholds opinions that are not shared by other data protection authorities. A good example is its position on legitimate interest. According to the Dutch DPA, a commercial interest cannot be a legitimate interest, although the EDPB has clearly stated otherwise and the GDPR itself mentions that direct marketing may be based upon legitimate interest. This position has sparked much debate, as it limits the ability to process personal data for commercial purposes and a Dutch court has asked the EU court to give its opinion on the matter.
We have seen that many Norwegian entities (including the public sector) find it challenging to ensure compliance with the GDPR. The national legislation that should clarify the lawfulness of processing of personal data in specific situations is underdeveloped and some actors are in a position of having to choose between not complying with the GDPR or not complying with other legislation. We have at the same time seen that several of the decisions from the Norwegian Data Protection Authority have been overruled by the privacy appeals board. A public report related to personal data protection in Norway was released in 2022. The report highlighted risks and challenges in several areas, and some of the most debated subjects following the report are personal data protection within the school sector, related to technology and related to consumers.
These past five years have highlighted the importance of raising awareness about data protection rights and obligations among individuals and organisations in Romania. The legislator adopted legal provisions adapted to the national context to facilitate the implementation of the new GDPR regulations. While the National Supervisory Authority for the Processing of Personal Data (“ANSPDPC”) has adapted to changes generated by the GDPR by strengthening its administrative capacity for the effective application of the new regulations. Its endeavors have increased trust and improved protection for individuals’ personal data. ANSPDPC has observed compliance with the GDPR and sanctioned acts such as unauthorised disclosure or access to certain personal data and non-observance of obligations imposed by the GDPR. The decisions, guidelines and interpretations of the new regulations have helped change the way in which individuals see the protection of their personal data, making them more proactive.
PREDICTIONS FOR THE FUTURE:
PREDICTIONS FOR THE FUTURE:
Some expect that “privacy” will cease to exist in the future, but given the effects of the GDPR and the EU’s digital strategy we expect that privacy will continue to be protected in the future. A balance will have to be found between upholding privacy and using personal data for commercial purposes, but we expect that the EU court will confirm that the AP needs to adjust its position and allow the use of personal data for commercial interests.
We have recently seen that the Norwegian Data Protection Authority has reached out to both the public and the private sector for dialogue. Our impression is that they seek to identify and understand challenges related to the interpretation and use of the GDPR. We hope that this can contribute to improved and more specific guidelines from the authority. We have also seen that personal data protection is more often debated in public, and we hope that this will raise awareness for all relevant stakeholders, including the legislator.
PREDICTIONS FOR THE FUTURE:
It is thought that the new data protection challenges will arise from technological advancement, namely artificial intelligence. In this context ANSPDPC will likely introduce further guidelines and amendments to ensure the effective protection of personal data in line with emerging trends and risks and will steadily become more proactive in monitoring compliance and imposing penalties for violations. However, what at first glance may represent a challenge, will in the end be a solution and play a significant role in data protection practices, enabling more efficient and secure handling of personal data.
A balance will have to be found between upholding privacy and using personal data for commercial purposes.
Made with FlippingBook interactive PDF creator