On October 31, Esmee Fonville and Tom de Wit presented their second IT and Data journal. This time the topic was current IT case law. Esmee and Tom elaborated on several recent rulings on agile methodology, creditor default, IT vendor’s duty of care and IT procurement. In our next journal, we will take a closer
Sharing knowledge with you: blogs, articles and more
AVDR: Journal IT and DATA, August 29
On August 29, Esmee Fonville and Tom de Wit conducted the first journal ‘IT and data law journal’. Topic of this journal was “Duty of Care of the IT Supplier. After explaining the subject and the importance of the IT supplier’s duty of care, recent case law surrounding the duty of care was discussed. Using
Dutch Supreme court on GDPR civil enforcement of data subjects’ rights, repeating requests and the six-week deadline
In a recent judgment, the Dutch Supreme Court ruled (available in Dutch only) on a number of procedural aspects for the exercise of data subjects’ rights under the General Data Protection Regulation Act (“GDPR“) and the national implementation thereof. This regards the civil enforcement of data subjects’ rights, “repeated” requests and what effect is of
Turing Law provides growing technology practice with arrival of new partner
Turing Law welcomes Jeroen van Woezik as a new partner. Jeroen van Woezik is the founder of Lawrence Privacy (Due Diligence) & Tech. A firm that specializes in supporting tech M&A transactions. Huub de Jong “Jeroen has years of experience in project-based advising and supporting his clients with privacy and IT projects. With Jeroen’s arrival,
IT conflict escalated? IT mediation may be the solution
IT projects can be complex and although supplier and customer like to regard each other as partners, interests diverge. This can cause IT projects to come under pressure or actually derail as a result of differences of opinion about the scope, price and/or delivery date of the project. Mediation: when is it useful? If parties
Recap Turing Summer Drinks 2023
On Wednesday 16 August 2023, the now traditional Turing Summer Drinks took place. Whereas last year we celebrated the start of our office, this time we could proudly toast on the expansion of our team and the move to new premises. As in previous years, we met again yesterday at Pavlov restaurant in The Hague,
DORA: the implication for the IT-supplier, PART II
In PART I of our blog series, we outlined the framework of the Digital Operational Resilience Act (‘DORA’). In this second part of our blog series about DORA, we focus on the implications or impact DORA has for normal IT-suppliers. Normal opposes those IT-suppliers providing ‘critical’, ‘important’ or ‘systemic’ IT-services for which a stricter regime
Burden of proof in a claim of information breach
The burden of proof following the Facebook ruling On March 15, 2023, the District Court of Amsterdam issued a ruling in a class action against Facebook (ECLI:NL:RBAMS:2023:1407). This is an interesting ruling, because the court discusses in detail the application of the GDPR, such as the possible joint processing responsibility within the Facebook group and
DORA: the implication for ICT and cloud suppliers, PART I
In a previous blog we have informed you about the EIOPA guidelines, which contain guidelines for insurance companies for the outsourcing to providers of existing and new cloud services. However, these are only mere guidelines addressing very particular services for a limited type of entities in the financial sector, namely insurance companies. Already in 2019
How do judges rule on GDPR right to access requests? Copy or no copy?
The Court of Justice of the EU has clarified whether the right of access from Article 15(3) GDPR also gives a right to a copy of the documents in which the personal data are recorded. This is only the case if that copy is necessary for an understandable and verifiable right of access by the data subject.
Update on the use of cookies
The rules for being allowed to store and retrieve cookies are laid down in European and national laws and regulations. The rules specifically for cookies are based on the European ePrivacy Directive, which has been implemented in the Netherlands in the Dutch Telecommunications Act (art. 11.7a). The rules concerning the processing of personal data –
How should online search engine operators deal with requests for removal of links to (allegedly) inaccurate or fake third-party content?
Online search engine operators (‘search engines’) are often faced with individuals (applicants) requesting that an online negative publication or review about them no longer be indexed (linked) in the engine operator’s search results. In doing so, it is often argued that that negative publication or review would contain inaccurate or false information. For example, a
Annual Review of Privacy 2022
2022 was a year in which the (European) legislator, judges and regulators made plenty of noise in the field of privacy law. Numerous legislative initiatives at both the European and national levels saw the light of day, and more than once did the Dutch Data Protection Authority advise the Dutch legislator to pay more attention
Annual review of IT 2022
The year 2022 shows a multitude of legislative and policy initiatives related to IT and data at the European and national levels. The European Commission took seriously its President’s 2021 call to shape digital transformation, especially in the areas of data, artificial intelligence and cybersecurity. At the national level, we also saw a lot happening
GDPR & international transfer: deadline December 27, 2022
Last year, on June 4, 2021, the European Commission published a new model contract (in English: “Standard Contractual Clauses” or abbreviated “SCCs”) for the transfer of personal data to countries outside the European Economic Area (“EEA“). The old model contracts were no longer to be used for new transfers of personal data as of September
ARBIT 2022 – IT supplier obligations further tightened
On 10 September 2022, the new Arbit (General Government Conditions of IT Procurement) terms and conditions came into force. These Arbit 2022 replace the earlier version from 2018. These terms and conditions are used by the central government, such as ministries, independent administrative bodies and regulators as well as other public authorities for the procurement
Seminar “Duty of Care and IT Supplier”
After giving a seminar on the IT supplier’s duty of care in Eindhoven this summer, we have decided to give the seminar again at our location in The Hague, of course supplemented with relevant new case law and insights. In conflicts between IT suppliers and their customers, we are increasingly finding in our own litigation
Eu data act part III: the data act and databases
The proposal for the EU Data Act (“Data Act“) has been on the table since 23 February 2022 and is part of the European Commission’s European data strategy. With its strategy, the European Commission aims to boost digitization and give both stakeholders and businesses new opportunities regarding data. The Data Act makes it easier for
Cybersecurity on a higher level? The NIS-2 directive
In the European security agenda, originating from 2015, cybersecurity was one of the major focus areas. Since then various legislations in the field of cybersecurity have been introduced as part of the EU-strategy to make Europe more digitally resilient. Various cybersecurity incidents and an evaluation of the cybersecurity legislation in place since 2015, have urged
Seminar “Duty of Care and IT Supplier”
In conflicts between IT suppliers and their customers, we increasingly notice that the special duty of care of the supplier is invoked. What is the impact of the duty of care on the interpretation of the agreement between parties? Does it bring unpredictable obligations for ICT suppliers? Is it a legitimate fallback option for inexperienced
EU Data Act part II: unfair terms on access to and use of data between companies
The European Commission is building a European data economy. Within its Digital Single Market strategy, the European Commission is trying to stimulate data exchange within the EU through policy and regulation. In this context, on February 23, 2022, the European Commission presented its proposal for the EU Data Act (“Data Act”). The Data Act follows
Proposed guidelines for the imposition of fines
The European Data Protection Board (‘EDPB’), composed of representatives of the EU national data protection authorities has drafted new guidelines with respect to the calculation of fines in case of non-compliance of the General Data Protection Regulation (‘GDPR’). These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines dating from 2016, which focus on the circumstances in which to impose a fine. This post outlines the main elements of the proposed guidelines and sets out the differences with the current national guidelines.
As of 28 May 2022, the legislator sets strict requirements for online reviews
Consumers are increasingly searching for, comparing and purchasing products and services online. They more and more rely on reviews and recommendations from other consumers. However, these consumer reviews are not always reliable. For example, sometimes positive reviews remain online longer than negative reviews, or consumers even receive a form of reward in exchange for a
legal cloudsourcing strategy
Our 10 key lessons learned contracting model – customers may contract with a cloud service provider directly or indirectly via a cloud reseller / integrator, although in practice it is not always very clear which parties are contracting with each other for which type of services (cloud-, maintenance / support – or professional services) and
