Data Dispute Resolution
Importance of data protection and information security
ITDR is involved in dealing with, resolving and settling disputes and conflicts to do with the protection of personal data and information security. ICT security is of increasing importance as actions of legislators in the European Union and Switzerland shows. To combat the violation of data abuse, the EU introduced the General Data Protection Regulation (GDPR), the European privacy rules which businesses and organizations must comply with from 25 May 2018. In Switzerland, the parliament revises the Swiss Data Protection Code (“Datenschutzgesetz”, “DSG”) at the moment. It should come into force in January 2021. The aim is, inter alia, to at minimum equalize the Swiss data protection and ICT security with the GDPR.
Thanks to the GDPR, the privacy of citizens in Europe is attracting a great deal of attention. The GDPR affects all of society, from large companies to small and medium-sized enterprises. ICT companies too, such as software suppliers, Cloud providers, hosting companies and other ICT service providers, in view of the interest their clients have in ensuring that personal data is properly protected, are giving their full attention to the GDPR. The GDPR also extends to private and public organizations.
- In order to strengthen the protection of personal data, the GDPR imposes a large number of new obligations and sanctions, also in the area of ICT security. The obligations concerning information security consist of new rules on ‘privacy by design’ (the conversion of the principles of the GDPR into software code) and ‘privacy by default’ (the technical set-up of privacy). Any breach of privacy and security rules risks incurring heavy fines and liability.
- In the ICT sector, the GDPR is also making its presence felt in often much more stringent requirements in ICT contracts, requests for tenders and tender documents. This can be seen, for example, in processor agreements and other contracts that are designed to ensure that personal data is dealt with carefully. These contracts deal with difficult and wide-ranging matters, as the issue of privacy and security has now grown to become a specialist discipline.
The Swiss Data Protection Law (SDPL/"DSG")
For the Swiss market, it is important that the SDPL will be acknowledged as equal to the GDPR. Therefore, one of the most important guidelines for the Swiss parliament during the current revision is to keep up with the standards of the GDPR. However, the approach in Switzerland is to protect privacy which is why the parliament wants to include a so-called profiling with high risk. Profiling with high risk means the systematic processing of combined personal data to draw conclusions about different areas of a person's life. In case of a profiling with high risk, it is planned to ask for explicit consent of the person whose data is processed. The special handling of profiling with high risk could put the equivalence decision of the EU at danger. Until the new data protection law comes in force, however, the Swiss Data Protection Law of 1992 stays in force.
The role of ITDR
Failure to comply with the statutory rules and contractual provisions concerning privacy and security can lead to complex conflicts and disputes. ITDR can call on experts with many years of extensive practical experience in privacy and security matters, both lawyers and ICT experts.
A significant advantage of having ITDR deal with disputes in this area is the total confidentiality and secrecy that is guaranteed under the ITDR regulations. This is different when the regular courts are involved, as they act in the public domain. By their very nature, the security policy and security measures of an organization must hardly ever be exposed to the general public. With this in mind, engaging ITDR is an obvious choice.
ITDR is fulfilling its social responsibility to play, even more clearly than before, a professional, independent and impartial role in dealing with disputes and conflicts. A dispute or conflict can be submitted to ITDR on the basis of existing ITDR rules. The associates of ITDR all have extensive and in-depth experience in this area.
Privacy and security disputes
Privacy and security disputes come in all shapes and sizes. Among the issues dealt with are:
- Disputes about the implementation of processor agreements
- Disputes arising if organizations exchange personal data between themselves, either on an ad-hoc basis or on a large scale
- Disputes between a Data Protection Officer or another privacy professional within an organisation and the (senior) management of that organization
- Disputes about security incidents and data breaches
- Disputes about security with software development
- Disputes about specific security measures, such as penetration tests and monitoring
- Disputes about privacy and security tools
- Disputes about specific security standards, such as ISO 27001, ISO 27002, NEN 7510, NEN 7512 and NEN 7513.
- Specific, customized arrangements can be made to deal with disputes between businesses and organizations on the one hand, and citizens whose data are processed on the other hand.