Stephanie Dekker of CMS writes:
The Dutch Data Protection Authority (“DPA”) has published policy rules for the processing of personal data concerning the health of employees (the “Policy Rules”). The Policy Rules will serve as a guiding principle for the DPA when implementing enforcement measures.
Since 1 January 2016 fines for breaches of data protection law in the Netherlands have increased significantly in anticipation of the EU General Data Protection Regulation that comes into effect on 25 May 2018. The Dutch Data Protection Act now provides for a maximum fine of EUR 820,000 or, if the DPA is of the opinion that this maximum does not provide an appropriate sanction for a legal entity, a maximum of 10% of the annual turnover achieved in the previous financial year. Further, the DPA has categorized unlawful processing of special categories of personal data, such as data concerning health, as a serious breach that can be punishable by the maximum fine.
Read more on CMS.