Our team

In memoriam Adriaan de Buck

In memoriam Adriaan de Buck 2560 1804 Ekelmans Advocaten
Adriaan nieuwsbericht2

Our beloved partner and colleague Adriaan de Buck passed away on 21 December 2022. Last August he retired from his Corporate Law practice at Ekelmans Advocaten due to his illness.

Our beloved partner and colleague Adriaan de Buck passed away on 21 December 2022. Last August he retired from his Corporate Law practice at Ekelmans Advocaten due to his illness.

Adriaan was a natural unifier and optimist.
Clients and international partners speak highly of Adriaan commending him for his expertise, commitment and personal approach.
For his expert and entrepreneurial work as a lawyer and partner of our firm, we are grateful to Adriaan.

Working with Adriaan was a pleasure: he had a warm sense of humor and was a great sportsman in so many regards. From 2019, he combined his law practice with the chairmanship of his club, HBS, where he also played football.

Over a year ago, he became ill. Last summer, the whole firm bid him farewell as one of the partners of Ekelmans Advocaten. At that farewell, Adriaan recalled the many memorable times he spent with us in the long time he was part of the firm.

We cherish our fond memories of Adriaan and admire his strength and resilience in battling his  illness. Of special note is Adriaan’s unflagging interest for others, right up to the last moment.

We miss Adriaan and extend our deepest condolences to Margot, Jolein, Bram and Jip.

Naar overzicht
Zurück zur Übersicht
Back to main page

Netherlands UBO register temporarily closed to public, registration requirement still applies

Netherlands UBO register temporarily closed to public, registration requirement still applies 2560 1920 Ekelmans Advocaten
UBO Letter Initial Logo Design Vector Illustration
Leestijd: 2 minuten
Lesedauer: 2 Minuten
Reading time: 2 minutes
Expertise:

Corporate / Privacy Desk /

It is not acceptable that random members of the public can request (financial) information about a UBO. This has been ruled by the European Court of Justice. The Netherlands UBO register has therefore been temporarily closed to the public. What does this ruling mean and what are its implications for the UBO register?

Anti-Money Laundering and Terrorist Financing Directive

The UBO register and the obligation to register is based on the European fourth and fifth anti-money laundering directives. This directive aims to combat financial-economic crime. This could include corruption, money laundering, tax evasion, fraud and terrorist financing.

Companies have to register their ultimate beneficial owners in this UBO register. Some of the information (name, month and year of birth, nationality, state of residence, nature and extent of economic interest in the company) was, until recently, accessible to everyone. Anyone could request an extract from the UBO register for a small fee.

European Court ruling on the public nature of the UBO register

In its ruling of 22 November 2022, the European Court of Justice (ECJ) invalidated part of the European rules on the UBO register. According to the Court, public access to information on a UBO constitutes a serious interference with the fundamental rights to respect for private life and protection of personal data. It is not acceptable that random members of the public can obtain (financial) information about a UBO without having an interest related to the purpose of the directive. That is, prevention of money laundering and terrorist financing. UBOs are also particularly at risk because once provided, the data from the UBO register can be freely stored and distributed. The provision in the anti-money laundering directive that information on a UBO must be accessible to every member of the public in all cases is invalid, the Court ruled.

Consequences for the Netherlands UBO register

In the Netherlands, at the request of the Minister of Finance, the Chamber of Commerce has temporarily closed the UBO register to the public. This means that temporarily no information from the UBO register can be requested. The Court’s ruling has no impact on the obligation to register ultimate beneficial owners in the UBO register. UBO’s must register, if they have not already done so.

Contact

Anne-Mieke Dumoulin-Siemens-Ekelmans Advocaten
Anne-Mieke Dumoulin-Siemens-Ekelmans Advocaten

Anne-Mieke Dumoulin-Siemens

+31 70 374 64 34

Naar overzicht
Zurück zur Übersicht
Back to main page

Ekelmans Advocaten appoints Daan Spoormans as partner

Ekelmans Advocaten appoints Daan Spoormans as partner 2085 2441 Ekelmans Advocaten
Daan Spoormans partner
Leestijd: < 1 minuut
Lesedauer: < 1 Minute
Reading time: < 1 minute
Expertise:

Corporate / German Desk /

Daan Spoormans has been appointed partner at Ekelmans Advocaten as per 1 January 2022. Daan specialises in corporate law and contract law. He assists companies and insurers in complex disputes about commercial contracts. Daan also assists directors who have been accused of incorrect management.

Daan has been working at Ekelmans Advocaten since 2008. In recent years, he has built up a flourishing international practice. Due in part to his bilingual background (Dutch and German), Daan also has many clients from German-speaking countries.

Partner Corporate/German Desk Robert Kütemann: “Daan’s partnership really strengthens our corporate practice. Daan has a strong legal and strategic insight. For many years, he has made an important contribution to the corporate team, which is highly valued by clients.
Since Daan’s clients include both companies and insurers, his appointment fits in perfectly with our positioning as an Insurance & Corporate firm. We are very pleased to appoint Daan as a partner.”

Contact

Like to know more?
Like to know more?

Like to know more?

+31 70 374 63 00

Naar overzicht
Zurück zur Übersicht
Back to main page

Chambers: an introduction to the Dutch Insurance Market

Chambers: an introduction to the Dutch Insurance Market 2560 1707 Ekelmans Advocaten
Concept of car insurance. Blue car under red umbrella with text Insurance
Leestijd: 2 minuten
Lesedauer: 2 Minuten
Reading time: 2 minutes
Expertise:

Insurance / Liability /

For Chambers and Partners, Jan Ekelmans and Frank Schaaf, partners at Ekelmans & Meijer, wrote and overview of the Dutch insurance market. The article gives an introduction to the current economic, legal and political trends affecting the Insurance Market in the Netherlands. Chambers and Partners is an independent research company operating across 200 jurisdictions delivering detailed rankings and insight into the world’s leading lawyers.

The Dutch insurance market is the 4th largest EU insurance market. At the basis of the insurance market lie the contractual obligations in insurance contracts. Dutch insurance law limits the freedom to determine the validity and contents of insurance agreements in ways generally similar to those in other European countries. The contractual obligations are influenced by international practice and insurance is offered by insurers who often maintain an international presence.

Specifically healthcare insurance is different. Legislation contains detailed provisions on the allowed content of healthcare insurance agreements. Dutch residents are legally obliged to maintain healthcare insurance.

Many of the largest Dutch law firms specialize in limited areas of insurance only. Most Dutch law firms with a broader in-depth activity on the insurance market are smaller or mid-sized firms. Generally, firms active in the insurance market concentrate on the Dutch insurance market.

You can read the full article here.

 

Contact

Frank Schaaf-Ekelmans Advocaten
Frank Schaaf-Ekelmans Advocaten

Frank Schaaf

 +31 6 55 11 29 39

Jan Ekelmans
Jan Ekelmans

Jan Ekelmans

+31 6 23 36 99 58

Naar overzicht
Zurück zur Übersicht
Back to main page

VoetbalTV and the GDPR: even commercial interests can be legitimate

VoetbalTV and the GDPR: even commercial interests can be legitimate 2560 1707 Ekelmans Advocaten
Voetbal
Leestijd: 4 minuten
Lesedauer: 4 Minuten
Reading time: 4 minutes
Expertise:

Privacy Desk /

The Dutch supervisory authority (Dutch DPA) has long taken the position that a purely commercial interest cannot be a legitimate interest as referred to in Article 6(1)(f) of the GDPR. On that basis the Dutch DPA imposed a € 575,000 fine on VoetbalTV in 2020. A Dutch lower administrative court disapproved of the strict interpretation of legitimate interests by the Dutch DPA and annulled the fine.

The Dutch DPA has investigated the privacy of players and spectators filmed by VoetbalTV. VoetbalTV is an online platform that broadcasts amateur football. Users were able to watch highlights, share those highlights or use the clips as preparation for their matches. In September 2020 VoetbalTV was declared bankrupt. The Dutch DPA concluded that VoetbalTV should not have broadcast the film footage of the footballers, because there is no lawful basis for the recording and distribution of this footage. The Dutch DPA imposed a fine of € 575,000 on VoetbalTV for unlawful processing of personal data. VoetbalTV did not agree with the fine and initiated court proceedings against the Dutch DPA. A Dutch lower administrative court gave judgment on 23 November 2020.

VoetbalTV believes it has a legitimate commercial interest in distributing the images The court ruled that a purely commercial interest can be a legitimate interest for processing personal data (Art. 6 (1) f AVG) and thus for making recordings and distributing the images. This follows from European case law.

Dutch DPA: a commercial interest can never amount to a legitimate interest

In determining what constitutes a legitimate interest, the Dutch DPA applies a strict view: an interest is only legitimate if it is named as a “legal interest” in law or unwritten law. This interest must be of a more or less urgent and specific nature arising from a rule or principle of law. If this is not the case then there is no legitimate interest that has to be taken into account in the balancing test. Purely commercial interests and profit maximization lack a legal character. Therefore, according to the Dutch DPA, those interests can never amount to a legitimate interest. This restrictive interpretation is also found in the guidance note the Dutch DPA has published on how legitimate interests under the GDPR should be interpreted. Dutch legal practitioners have been critical of the guidance note from the Dutch DPA.

According to Voetbal TV, the level playing field is much broader: any interest can be legitimate as long as it is not contradictory to statutory law.

The European Perspective

The ‘Fashion ID’ judgment from the Court of Justice of the European Union (CJEU) (ECLI:EU:C:2019:629) shows that the legitimate interest is entirely flexible and open-ended in nature. Fashion ID collected and shared personal data in order to benefit from the commercial advantage consisting in increased publicity for its goods. This too can amount to a legitimate interest. Indeed, recital 47 to the GDPR stipulates that direct marketing can be a legitimate interest. By excluding purely commercial interests, commercial enterprises never get around to the balancing test for which the ‘legitimate interest’ basis was created. Both the right to respect for one’s private life and the freedom of enterprise are European fundamental rights. Fundamental rights must be taken into a balancing test for which the ‘legitimate interest’ basis was created. The one fundamental right never prevails over the other by definition. Any interest can be legitimate. The European Data Protection Board (EDPB) also defined legitimate interests in a more inclusive manner.

This interpretation allows for more interests being legitimate than the Dutch DPA’s interpretation, as many factual, economic, and idealistic interests are not designated in the law. The court rules that it is – in principle – up to controllers (i.e., VoetbalTV) to determine their legitimate interests. The controller must act accordingly.

Judge overturns Dutch DPA GDPR fine

In the Voetbal TV case, the court adopts the broad interpretation of “legitimate interest” used by the CJEU in the Fashion ID case: is the processor not pursuing an interest that is contrary to the law ?

The court disapproved the strict interpretation of legitimate interests by the Dutch DPA. According to the court, excluding certain interests in advance is contrary to European law.

Moreover VoetbalTV indicates that it has interests that go beyond commercial purposes. Distributing the images is also informative and makes the sport available to a wider audience.

Based on the purposes stated by VoetbalTV and the explanation that the processing is necessary and proportionate, the Dutch DPA must still assess whether VoetbalTV has a legitimate interest in recording and broadcasting the film footage of footballers.

What are the consequences of this judgment?

The Dutch DPA will have to revise its guidance note on how legitimate interests under the GDPR should be interpreted. The VoetbalTV judgment enables organisations to process personal data on the basis of commercial interests since these are legitimate interests in the meaning of article 6(1)(f) GDPR. In that case, it is not necessary to ask all data subjects involved if they are willing to consent to the data processing. This is good news for (commercial) organisations. However, it is important to note they must have a well-founded explanation for the (intended) data processing.

The period for submitting an appeal with the Court of Appeal has now expired. It is not known to us whether an appeal has been submitted, but we do not consider that there is a very high risk of the Court of Appeal adopting a different course. Interesting from an EU perspective is that on September 2, 2020, the European Data Protection Board (EDPB) published draft guidelines on the targeting of social media users on its website. The EDPB maintains the position that commercial interests can also amount to a legitimate interest. It will be interesting to see how the Dutch DPA’s legitimate interest interpretation in the Netherlands and on EU level is impacted at this stage.

Our Privacy Desk will of course keep you updated regarding ongoing developments.

Auteur

Vivian Huisman-Ekelmans Advocaten
Vivian Huisman-Ekelmans Advocaten

Vivian Huisman

+31 70 374 63 10

Naar overzicht
Zurück zur Übersicht
Back to main page

Travel Insurance in times of COVID-19 – view from The Netherlands

Travel Insurance in times of COVID-19 – view from The Netherlands 2560 1880 Ekelmans Advocaten
Travel Insurance
Leestijd: 3 minuten
Lesedauer: 3 Minuten
Reading time: 3 minutes
Expertise:

Insurance / Liability /

Due to Covid- 19 travel insurance companies have had to face many claims under the travel insurance policies in the past months. Many travel insurance policies exclude the outbreak of a pandemic from coverage. In a couple of cases the insured party did not give up after the Travel Insurer refused to provide cover and appealed to the Financial Services Complaints Tribunal of The Netherlands.

Travel insurance

As the name suggests, travel insurance provides cover for travelers during a trip. On the basis of travel insurance, travelers can receive assistance if they have to cut their stay short or if they are forced to stay longer as a result of an illness or an accident. Travel insurance usually covers the additional costs in certain cases.

The Policy Conditions of the travel insurance determine which events are covered and which events are excluded from insurance. Travelers can extend coverage by purchasing specific modules.

Financial Services Complaints Tribunal of The Netherlands interpret the policies in favor of the Insurers

The Financial Services Complaints Tribunal of The Netherlands is a dispute settlement authority accessible to consumers where they can complain about, for example, their insurance.

As mentioned before a couple of consumers appealed to the authority after the Insurer refused to provide cover.

An example of such a case is decision no. 2020-628 of 29 July 2020, of the Disputes Committee of the Financial Services Complaints Tribunal of The Netherlands. In this case the Insured was visiting his daughter in Morocco when both Morocco and The Netherlands went into complete lockdown. The flight was canceled and the only way home was repatriation by the Dutch Government. He had to stay in Morocco for weeks.

The Insured called on his travel insurance for the extra costs he would have to make because he couldn’t fly home. The Insurer however refused cover, and took the position that cover only exists when damage is caused by an earthquake, flood or volcanic eruption and that definitions of earthquake, flood and volcanic eruption are given in the General Terms and Conditions. These Conditions did not mention a pandemic or a virus outbreak, such as the coronavirus outbreak, and therefore the Insurer was not obliged to reimburse the Insured.

The Disputes Committee concurred with the position of the Insurer and considered (in so far as relevant) that the starting point should be what is stated in the Insurance Conditions. The Conditions are – according to the Committee – what parties have agreed on. According to The Disputes Committee the Insurer is free to determine the limits within which it is prepared to provide cover.

In this case The Disputes Committee found that the Policy Conditions were sufficiently clear about what would and would not be covered by the Insurer.

Does that mean Travel Insurance never covers COVID-19 related issues?

No, it does not. Firstly the question whether or not the insurance provides cover depends on the Policy Conditions. However in certain circumstances the Insured will be able to successfully make a claim on his travel insurance. This is the case, for example, if the insured or a co-insured himself becomes seriously ill due to the Corona virus and as a result has to make additional accommodation costs. Serious illness is in fact classified as an insured event in most Policy Conditions. In that case it does not matter what made the Insured sick in the first place.

Bron: Insurance Law Global

Author

Simone Eman
Simone Eman

Simone Eman

+31 70 37 46 368

Naar overzicht
Zurück zur Übersicht
Back to main page

Can you transfer personal data to third countries safely after Schrems II? 

Can you transfer personal data to third countries safely after Schrems II?  1120 600 Ekelmans Advocaten
Schrems II
Leestijd: 6 minuten
Lesedauer: 6 Minuten
Reading time: 6 minutes
Expertise:

Privacy Desk /

Since the EU-US Privacy Shield has been declared invalid, it is unclear how a company can transfer personal data to the US. Anne-Mieke Dumoulin Siemens provides guidance in the twilight zone created by the Court.

The Court of Justice of the European Union (ECJ) declared the EU-US Privacy Shield invalid on 16 July 2020 in the so-called Schrems II case. This means that with immediate effect, the EU-US Privacy Shield can no longer serve as a basis for the transfer of personal data to the US. When transferring personal data to countries outside the European Economic Area (EEA), the rules of the GDPR must be followed. Now that the EU-US Privacy Shield can no longer be used as a basis for transfer, the question arises as to how transfer to the US (and to other countries outside the EEA) can be designed to be secure. This article provides guidance in the twilight zone created by the Court.

Exit EU-US Privacy Shield

The GDPR facilitates the transfer of personal data on the basis of an adequacy decision. The European Commission has issued an adequacy decision for 12 countries.  An adequacy decision guarantees the third country concerned provides an adequate level of data protection. The EU-US Privacy Shield is based on an adequacy decision issued by the European Commission. The Court has annulled the EU-US Privacy Shield in Schrems II because of the lack of an adequate level of protection in the US. There are surveillance regulations in the US that allow US intelligence and security services to access personal data. Such access is not limited to strictly necessary data. In addition, US citizens have no enforceable data protection rights and no effective legal remedies.

Consequences exit EU-US Privacy Shield

The clash between the European privacy regulations and the US surveillance laws has serious consequences for the many companies and organisations that transfer personal data to the US under the EU-US Privacy Shield on a daily basis. They are now acting in violation of the GDPR. Schrems II does not offer a transition period: the transfer of personal data to the U.S. on the basis of the EU-US Privacy Shield has been declared invalid as of the date of the ruling. Schrems II does not only cover future data flows, but also personal data that have been transferred in the past and are still accessible to U.S. authorities. At present, it is not to be expected that the European supervisory authorities will start immediate enforcement proceedings, but the question what is an acceptable alternative mechanism for the transfer of personal data should be at the top of your company’s action list. How to proceed?

Alternative mechanism for the transfer of personal data?

The transfer of personal data to recipients in third countries must not undermine the level of protection guaranteed by the GDPR to individuals within the EU. The recipient country must provide a level of protection for personal data comparable to that guaranteed within the EU. In short, transfers should only take place in full compliance with the GDPR.

If no adequacy decision is in place for a particular country, the data exporting company or organisation must ensure that the transfer is secured with appropriate safeguards. The standard contractual clauses (SCCs) as adopted by the European Commission provide appropriate safeguards according to the GDPR.

Can SCCs still be used after Schrems II?

Article 46 GDPR, which forms the basis for the use of standard provisions, explicitly sets two requirements for transfers to countries to which no adequacy decision applies. Firstly, the exporting company must provide adequate safeguards (through SCCs, for example) and secondly, enforceable data subject rights and effective legal remedies for data subject must be available in the third country.

The SCCs passed the test of criticism in Schrems II. In principle, personal data can still be transferred to third countries on the basis of SCCs. However, the Court emphasises the importance of requirements in Article 46 GDPR concerning the use of standard clauses. Prior to any transfer of personal data, the transmitting company must verify that the receiving country provides the data subjects with enforceable rights and effective legal remedies.

In general, companies are imposed with the almost impossible task of assessing – on a country-by-country and transfer-by-transfer basis – whether recipient countries have legal rules in place regarding the protection of data subjects and their personal data. In addition, it is not clear what criteria should be used in the assessment. The Court does not address this and Article 46 GDPR does not provide any further explanation either. We now know that standard provisions cannot (or no longer) be used as a mechanism for the transfer of personal data to the US because US surveillance legislation prevents this. However, companies are in the dark as to how the surveillance and security legislation in other third countries is to be valued.

The reality is that few companies have sufficient knowledge and resources to properly assess the data protection legislation and surveillance practices of third countries. It is also clear that the European authorities seem to be struggling with such assessments. So far, the European Commission has issued adequacy decisions for only 12 countries, and the adequacy decision for the US has now been invalidated twice.

How can SCCs be used in practice?

The European Data Protection Board (EDPB) has announced to publish recommendations on how to deal with the consequences of Schrems II. In anticipation of these recommendations, the following guidelines may help you to implement the transfer of personal data to third countries on the basis of SCCs.

  • Check that the data importer is able to comply with all the provisions of the SCCs.
  • Carry out a due diligence on the type of data transferred, the categories of data subjects, the processing purposes, the retention period, the type of recipient and the sector to which the recipient belongs.
  • Examine to what extent the legal system of the third country allows public institutions to require disclosure of data and whether data subjects (including foreign data subjects) are aware of the disclosure and are able to take legal action before the courts. Determine the category of data affected by the laws of the third country.
  • Investigate the extent to which the importer is bound by these laws and the likelihood of the importer disclosing or having to disclose the exporter’s personal data to the authorities in the third country.
  • Check whether the data importer has a procedure to inform the data exporter if a government request extends to the data of the data exporter and offers the possibility of opposing disclosure.
  • Check whether the risks posed by national surveillance legislation can be offset by agreeing additional safeguards with the data importer. This could include agreements on the application of proper encryption, the suspension of the transfer of data and the removal of data by the data importer.
  • Make sure you document your choices and agreements. The GDPR requires you to be able to demonstrate that you comply with the GDPR.

Can Binding Corporate Rules be used?

Binding Corporate Rules (BSRs) are, in addition to SCCs, a mechanism for the transfer of personal data to third countries. BCRs are rules specifically designed for transfers of personal data within an international group of companies. Once established and approved, BCRs can only be used for the transport of personal data within the group of companies. A different mechanism must be used for transfers outside the group.

BCRs were not subject of debate in Schrems II. However, if the lawfulness of the transfer of personal data on the basis of SCCs is in question, because the regulations in the receiving third country do not comply with European safeguards, then one may wonder whether transfer to the same country on the basis of BCRs is lawful.

BCRs are drawn up by the group company concerned and must be approved by the competent supervisory authority. SCCs are a product of the European Commission. In practice, the main difference is that the burden of assessing the adequacy of protection measures lies with the supervisory authority when a company uses BCRs, whereas the user of SCCs (re Schrems II) has to make his own adequacy assessment and is responsible if he makes a mistake. This raises the question of how supervisory authorities within the EU deal with pending applications for the approval of BCRs. Approval of BCRs implies that the relevant supervisory authority considers that appropriate safeguards are in place in the receiving third country. This may be a sensitive issue, given the reasoning in Schrems II.

Can the exceptions in Article 49 GDPR be used?

According to the Court in Schrems II, the invalidation of the EU-US Privacy Shield does not create a vacuum because companies can rely on one of the derogations for specific situations (Article 49 GDPR). However, the possibilities to justify transfers using the exceptions of Article 49 GDPR are limited. EDPB has stated (Guidelines 2/2018) that these exceptions should be interpreted restrictively and that the exception should not be made the rule. In addition, the use of article 49 GDPR imposes a heavy administrative burden on the company. The data exporter must justify why each of the mechanisms for the transfer in question cannot be used and why the exception in question is suitable as a basis for transfer in the specific case. The option provided for in Article 49 GDPR therefore does not seem very attractive.

EDPB recommendations on implications of Schrems II

Schrems II shows that the application of and compliance with strict European privacy rules for the transfer of personal data in international traffic is problematic. The EDPB has set up a task force which will hopefully soon come up with recommendations on how to deal with the consequences of the Schrems II decision.

Would you like to know more about this subject? Then please contact our Privacy Desk.

Author

Anne-Mieke Dumoulin-Siemens-Ekelmans Advocaten
Anne-Mieke Dumoulin-Siemens-Ekelmans Advocaten

Anne-Mieke Dumoulin-Siemens

+31 70 374 64 34

Naar overzicht
Zurück zur Übersicht
Back to main page

De Zorgverzekering (‘Health Insurance’) — the first clear overview of the law in Dutch healthcare

De Zorgverzekering (‘Health Insurance’) — the first clear overview of the law in Dutch healthcare 2560 1707 Ekelmans Advocaten
overzicht zorgverzekeringsrecht
Leestijd: 2 minuten
Lesedauer: 2 Minuten
Reading time: 2 minutes
Expertise:

Insurance / Liability /

Dutch health insurance and long-term healthcare are riddled with rules and customary practices, in which it is easy to lose your way.

But now the first edition of the book De Zorgverzekering (i.e.: healthcare insurance) has appeared.

Dutch health insurance and long-term healthcare are riddled with rules and customary practices, in which it is easy to lose your way. But now the first edition of the book De Zorgverzekering (i.e.: healthcare insurance) has appeared. In this book, Jan Ekelmans provides a picture of the health insurance scene and unpicks it layer by layer. Health insurers, healthcare providers, regulatory bodies, consumers and their advisors can use this book to help them make better, faster choices on what action to take.

Market worth 80 billion euros

Insured healthcare is a market with a turnover of 80 billion euros. Producing an overview of what happens in that market is quite a challenge, one that has been taken up by this book. It focuses on four topics: the various kinds of insurance (health insurance, insurance under the Long-Term Care Act and supplementary insurance); the legal relationship between the healthcare provider and the health insurer; privacy protection and possible breaches of privacy; and the audits and fraud investigations by health insurers, plus the consequences attached to the findings from these investigations.

Practical approach

The book has a practical approach; it devotes attention to different perspectives on decisions and includes examples from actual practice, future developments and sources for further information and application. It contains a wealth of facts and legal information that has never before been brought together in one place, ordered and made accessible in this way.

About the author

Jan Ekelmans is a lawyer and partner at Ekelmans & Meijer Advocaten. He is an authority in the field of insurance law in the Netherlands. Insurers ask him for advice on complex and politically sensitive matters. For a number of years Jan was a deputy justice at the Arnhem–Leeuwarden court of appeal and a member of the advisory committee that advises the Dutch Parliament and Government on civil procedural law. His extensive experience with insurance law enables him to provide a clear overview of health care insurance in the Netherlands.

Contact

Jan Ekelmans
Jan Ekelmans

Jan Ekelmans

+31 6 23 36 99 58

Naar overzicht
Zurück zur Übersicht
Back to main page

Abdi Youssuf: the most driven mentor

Abdi Youssuf: the most driven mentor 1900 1357 Ekelmans Advocaten
Abdi Youssuf-Ekelmans Advocaten
Leestijd: < 1 minuut
Lesedauer: < 1 Minute
Reading time: < 1 minute
Expertise:

Insurance / Liability /

We are proud of Abdi! “The most driven mentor” is how he was described by the jury tasked with selecting the mentor of the year.

And our best wishes to Annemieke Hazelhoff, who won the ‘best mentor of the year award’.

Abdi, a lawyer specialized in insurance law at Ekelmans & Meijer, acts as a mentor to young lawyers (trainees) during the first three years of their career.

Our firm attaches a high priority to coaching and training for our young lawyers. An excellent mentor makes an important contribution to this. We see the nomination of Abdi as recognition of his qualities. And not only is Abdi a great mentor and fantastic person to work with, he is also an outstanding lawyer with a successful practice!

Contact

Naar overzicht
Zurück zur Übersicht
Back to main page

Beware of the Cyber Security Act!

Beware of the Cyber Security Act! 1920 1280 Ekelmans Advocaten
cybersecuritywet
Leestijd: 4 minuten
Lesedauer: 4 Minuten
Reading time: 4 minutes
Expertise:

Privacy Desk /

The Network and Information Systems Security Act (Wbni) is applicable in the Netherlands. The act is also known as the Cyber Security Act. The directive applies to operators of essential services and providers of digital services. This directive may also apply to your organisation.

Since 9 November 2018, the Network and Information Systems Security Act (in dutch: “Wet beveiliging network – en informatiesystemen”) has been applicable in the Netherlands, also known as the Cyber Security Act. This Act is the Dutch translation of the European Cyber Security Directive (EU Network and Information Security Directive 2016/1148). Each Member State is mandatory to have its own translation of the directive. The directive applies to operators of essential services and providers of digital services. This directive may also apply to your organization. In this article the operators of essential services and digital service providers are explained first and then the duty of care arising from the European Cyber Security Directive will be discussed.

When are you a operator of essential services or a provider of digital services?

Essential service operators include organizations in the energy, financial and transport sectors. The digital service providers includes for example cloud services, search engines and online market places, also known as “DSPs”. However, not every party that offers a digital service is automatically covered by the European Cyber Security Directive. For example, social media and web shops also offer digital services, but do not necessarily have to comply with the European Cyber Security Directive. Required is that the organization must have a head office or representation in the Netherlands. In addition, more than 50 employees must be employed within the organization or there must be a balance sheet total or an annual turnover of more than 10 million euros. Small and micro-enterprises therefore do not fall under the scope of the European Cyber Security Directive.

The failure or disruption of operators of essential services or digital service providers can lead to major social disruption. The European Cyber Security Directive therefore includes a duty of care for security measures.

The duty of care

The duty of care means that operators of essential services and the digital service providers must take appropriate organizational and technical measures to manage security risks and to reduce the consequences of incidents. In the GDPR (art. 24) we also have such an arrangement for the processing of personal data. However, the European Cyber Security Directive specifically focuses on digital security and includes the operators of essential services and the digital service providers in the broad sense.

The European Cyber Security Directive works out five aspects that operators of essential services and the digital service providers must take into account. This elaboration is based on art. 2 Implementing Regulation (EU) 2019/151 and consists – in brief – of taking the following measures:

First of all, the network and information systems must be adequately secured. In addition, organizations must be able to demonstrate that they take measures in the event of incidents. This could include processes for reporting incidents and for identifying shortcomings and weaknesses in the system. Provision must also be made for measures to properly maintain or restore business continuity and services after an incident. These measures include the establishment and use of contingency plans. It is also relevant that regular checks are made to ensure that the measures in question work properly and are therefore periodically tested. Finally, international standards must be taken into account in all of this.

All these measures aim to ensure that operators of essential services and the digital service providers comply with the principle of duty of care as set out in the European Cyber Security Directive: “taking appropriate measures to prevent incidents and, if incidents do occur, the consequences thereof so as much as possible “.

The duty of care in practice

The European Cyber Security Directive mainly indicates what needs to be done, but not how the implementation of this duty of care should subsequently be given shape.

Operators of essential services and the digital service providers must complete the implementation of the duty of care and the measures themselves, whereby each Member State needs to have a supervisory body (the Telecom Agency in the Netherlands) to supervise and take enforcement action if needed. However, because the duty of care and the measures are lacking, it is to be expected that organizations have many uncertainty about this. This could result in a failure to fulfill their duty of care.

Recommendation therefore deserves legal advice in applying the duty of care arising from the European Cyber Security Directive as correctly as possible in practice. It is important thereby that a balance is found in complying with the duty of care and respecting the commercial interests of companies and the privacy of natural persons. Creating a security protocol with a concrete step-by-step plan/checklist could be an example of this. However, due to the diversity of organizations that fall within the scope of the European Cyber Security Directive, this is a matter of customization.

What does this mean for the insurer?

The imposition of a specific duty of care on one hand, but the absence of specific standards on the other hand, makes the operators of essential services and the digital service providers vulnerable not only to the regulator but also to (possible) claims.

This increases the risk of an insurer that insures operators of essential services and the digital service providers. For insurance companies it is therefore advisable to take this into account in the underwriting processes regarding these operators and providers. For example this can be done by checking whether protocols and step-by-step plans to meet the duty of care are present within the organization. It is also advisable to oblige insured operators of essential services and digital service providers to inform the insurer of any changes to this duty of care within the organization.

Contact

Like to know more?
Like to know more?

Like to know more?

+31 70 374 63 00

Naar overzicht
Zurück zur Übersicht
Back to main page
Click here to enter your search term
We use cookies to make sure that our website functions smoothly. If you continue to use the website, we assume that you consent to the cookies.
Privacy Policy