CJEU Finds Website Operators Using Social Media Plugins Are Joint Controllers

Posted in Court of Justice of the European Union (CJEU), ePrivacy, EU, European Directive, European Union Law, GDPR, GT Alert, litigation, privacy

On July 29, 2019, the Court of Justice of the European Union (CJEU) found that a website operator using a social media plugin is a joint controller with the social media company providing the plugin and can be held jointly liable in relation to such processing activities. Although the case was decided under the Privacy Directive 95/46, since the ruling concerns definitions that also exist under the General Data Protection Regulation (GDPR), website operators should take note and may want to review their previous legal bases determinations and notices as well as their existing contractual arrangements with the social media company to ensure they are in compliance with GDPR.

The case arose when a German consumer protection association sued a German online fashion retailer, Fashion ID, for allegedly breaching the then-existing national data protection laws when it enabled the transfer of visitors’ personal data to a third party via a social plugin. The German Higher Regional Court referred the matter to the CJEU.

In the proceedings it became apparent that the social media plugin (a “like” button) on Fashion ID’s website caused the visitor’s browser to request content from the company providing the plugin; then the browser transmitted the visitor’s personal data to the social plugin company. This happened as soon as the visitor consulted the website and regardless of whether or not the visitor:

  • was aware of such an operation;
  • was a member of the social media platform; or
  • had clicked on the plugin.

Click here for the full GT Alert on the CJEU’s finding, the website operator’s responsibilities, and key takeaways for website operators.

Brexit Update: Impact of New UK Prime Minister

Posted in Brexit, GT Alert

The UK’s new prime minister, Boris Johnson, will take office on 24 July 2019, just over three months before the UK is due to leave the EU, on 31 October 2019.

When the UK voted to leave the EU in June 2016, few predicted that Brexit would not yet be achieved over three years later. But repeated failure to gain UK parliamentary approval of the draft withdrawal agreement terms negotiated by then-Prime Minister Theresa May in late 2018 resulted in the original 29 March 2019 Brexit date being postponed to the current 31 October 2019 deadline. This failure also led to Theresa May announcing her intention to stand down as leader of the governing Conservative Party and as prime minister.

To read the full GT Alert, click here.

For more on Brexit, click here.

First fine imposed by the Dutch Data Protection Authority since GDPR

Posted in data protection, GDPR, privacy


The Dutch Data Protection Authority imposed an administrative fine of
EUR 460,000 on Haga Hospital in The Hague on 18 June 2019 (published 16 July 2019) (link in Dutch). It is the first fine imposed in the Netherlands for a violation of the General Data Protection Regulation (GDPR).

The hospital is facing this fine because it did not sufficiently secure its medical log files. Several dozen hospital employees (approximately 85) had unnecessary access to a specific medical file. This medical file belonged to a famous Dutch reality star whose hospital admittance received a lot of media attention in the Netherlands in 2018. A whistleblower published about the unlawful access to the medical file through the website Publeaks, eventually leading to an investigation by the Dutch Data Protection Authority.

Data breach

The breach lies in the fact that the hospital did not meet the requirement to have a two-factor authentication process in place to protect the medical files. Furthermore, the medical log files were not evaluated regularly. This omission resulted in a breach of article 32(1) of the GDPR, according to the Dutch Data Protection Authority. This article requires data controllers and processors to implement the appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

The Dutch Data Protection Authority applied the 2019 Dutch fining policy rules to determine the EUR 460,000 fine amount.

The Dutch Data Protection Authority has also imposed an order on the hospital, subject to penalty, that aims to cure this continuing GDPR breach. If the infringement is not fixed within 15 weeks, the hospital will incur an additional penalty of EUR 100,000 per two weeks with a maximum amount of EUR 300,000.

First Dutch fine under GDPR

Although some consider an earlier fine issued to a transportation network company on 6 November 2018 of
EUR 600,000 for a data breach as the “first Dutch GDPR fine”, (link in Dutch) the fine issued to the hospital is the first fine imposed solely under the GDPR by the Dutch Data Protection Authority and also not under the GDPR’s statutory predecessor (which was the case with the transportation network’s fine).

The hospital has already stated that it plans to appeal the height of the fine.

For more on the data protection and the Netherlands, click here.

Data Centers Stop in Amsterdam and Schiphol Airport Region

Posted in data center, English Language, governing law, property law, real estate

The municipalities of Amsterdam and Haarlemmermeer (home to Schiphol Amsterdam Airport) have announced a temporary halt of the realization of new data centers in their region. According to these municipalities, data centers take up too much space and consume too much energy.

Amsterdam and Schiphol are logical locations for data centers for various reasons (e.g., access to important internet connection points). There are currently 34 data centers in Amsterdam.

Until now, several zoning plans – implicitly – have allowed for the realization of data centers, which would fall in the zoning as “business purposes” or likewise. In such cases, the municipal executive has had limited means to prevent the realization of new data centers. To halt the growth and pending regional regulation, both municipalities have taken a preliminary planning decision (voorbereidingsbesluit) to amend the relevant zoning plan(s). As a result, new building permit applications for data centers will in principle be suspended until a new draft zoning plan has been adopted.

A preliminary planning decision can remain in force for a maximum of one year. If no new draft zoning plan is adopted within this term, the suspension of any filed applications is lifted, and the filed building permit applications must in principle be granted (if in line with the existing zoning plan and other requirements). A preliminary planning decision can be renewed after the initial one-year term. This renewal will, however, no longer affect any permit applications filed during the first preliminary planning decision’s term.

It may take some time for the municipalities to develop new draft zoning plans. For parties active in data center development in the Netherlands, it is therefore important to monitor the developing policies of these municipalities and to prepare a strategy to deal with the municipal actions in an optimal way. Interested parties are entitled to participate and comment on the draft zoning plan.

Dutch Heating Supply Act Revised: Consequences for Landlords

Posted in Dutch Property Law, Dutch Real Estate Law, governing law, property law, real estate


Starting 1 July 2019, the scope of the Dutch Heating Supply Act (Warmtewet) (the Act) will be revised. The revision will have significant consequences for landlords of residential units or business space (including office and retail) who supply heat to their tenants. As of July 1, landlords will be exempted from the Act.[1] This blog post explains the current obligations of landlords pursuant to the Act and the consequences of the Revised Act for landlords.

Current Heating Supply Act

Currently, landlords who lease out at least 25 residential units or landlords of business space who supply heat through a connection to a maximum of 100 kilowatts to their tenants qualify as “heat suppliers” under the Act. As a result, they are subject to the Act. The Act imposes various obligations on heat suppliers, for example:

  • executing a heat supply agreement with tenants (with certain mandatory elements);
  • charging no more than the statutory maximum prices and other reasonable costs to tenants;
  • providing a full and sufficiently specified invoice at least once a year;
  • notifying the Dutch competition authority (Netherlands Authority for Consumers & Markets) (Autoriteit Consument & Markt); and
  • under certain circumstances, being subject to a permit from the Dutch competition authority.

These obligations impose a significant administrative burden on suppliers. Most of these obligations will no longer apply for landlords under the Revised Act.

Consequences of the Revised Act

Pursuant to the Revised Act, “landlords” owning residential or business space for lease purposes will no longer qualify as heat suppliers and will be exempted from (most of) the obligations imposed by the Act. The requirements concerning the method of measurement of heat consumption pursuant to articles 8 and 8a of the Act will, however, continue to apply for such landlords. Pursuant to these articles, heat suppliers must, inter alia, charge costs for heating supply based on an individual heat meter or based on a cost distribution system (kostenverdeelsystematiek) which clearly sets out the costs for all tenants.

Under the Revised Act, the rules regarding service costs under tenancy law will be applicable to landlords of residential space that supply heat to their tenants (e.g., pursuant to the Dutch Civil Code or Service Costs Decree (Besluit servicekosten)). Contrary to rules concerning residential space, no specific statutory rules on service costs in connection with the lease of business space are in place. This allows parties to arrange the distribution of such costs in the lease agreement (in accordance with articles 8 and 8a of the Act).

Starting 1 July 2019, landlords are no longer obliged to execute heat supply agreements with their tenants. Previously executed supply agreements declaring the Act applicable, however, remain in force. Landlords could, in consultation with each tenant, amend those agreements in such a way that the Act is no longer applicable, or try to terminate the agreement on other grounds.

[1] Other provisions of the revision will enter into effect on 1 January 2020. In this post we only explain the exemption of landlords starting 1 July 2019.

For more on Dutch real estate law, click here.

Modern Technologies and Personal Data Processing in Real Estate

Posted in data protection, Dutch Property Law, Dutch Real Estate Law, GDPR, privacy, real estate


Modern technologies and personal data are increasingly important for real estate businesses. Robotics, Wi-Fi tracking, augmented and virtual reality, sensor technology, and the Internet of Things (e.g., a physical smart object in an internet-based structure) are some of the technologies being used. Through such modern technologies, a landlord has access to a large amount of data with respect to the owned property.

Collecting, sorting, and analyzing such data can provide the landlord with new insights on the building and its users, and can enable the landlord to predict their behavior. The accuracy of such predictions will generally improve if the landlord can develop a large dataset and combine a variety of information (e.g., by using data from a real estate portfolio). Predicting the behavior of a building’s users can, amongst other things, improve the service level, help retain tenants, and reduce maintenance costs.

The technological possibilities for data processing in real estate seem endless. However, the legislature has put in place certain limits.

Statutory limits to personal data processing in the EU

Under the EU General Data Protection Regulation (GDPR), processing of personal data requires a legal basis (e.g., consent or the execution of a contract). Personal data can in principle only be processed for specified and legitimate purposes. Data subjects must be informed about all personal data processing, and the data controller cannot freely share the personal information with third parties. In addition, using personal data to predict a person’s behavior and for decision-making may qualify as “profiling” and “automated individual decision-making” under the GDPR.

Profiling and automated individual decision-making have a somewhat negative connotation, as they are believed to create unfair stereotypes and social division. As a result, profiling and automated individual decision-making are subject to scrutiny. Profiling under the GDPR is “any form of automated processing carried out on personal data for the purpose of evaluation of certain personal aspects to a natural person, in particular to analyze or predict aspects with regard to work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”.

Automated decision-making under the GDPR is defined as “making a decision by technological means without human involvement”.

Data subjects must be informed about any profiling or automated individual decision-making that occurs, the logic employed to justify such profiling, and the expected consequences of the processing. In addition, data controllers must consider objections against personal data processing, which can be made at any time.

The Dutch Data Protection Authority has stated (link in Dutch) that the tracking of people in the street, in shopping centers or stations via their mobile devices is only allowed in a few rare cases and under strict conditions. It is only allowed, according to the Dutch Data Protection Authority, if explicit prior consent is obtained or if there is a legitimate purpose. Based on this decision by the Dutch Data Protection Authority, tracking activities are only allowed if limited to specific periods and areas and where truly necessary. At other times and places, this measuring equipment should be turned off (link in Dutch). The Dutch Data Protection Authority has already imposed an order (link in Dutch) on Bluetrace, subject to penalty for noncompliance (last onder dwangsom), under the former Dutch Data Protection Act. The company was providing technology which could be used to track Wi-Fi signals of mobile devices arounds stores. Bluetrace had to stop collecting personal data from neighboring residents, erase or anonymize data from shopping passers-by, and provide information in and around the stores about the data processing.

Although the use of data in real estate has much broader applications than WIFI-tracking, the mentioned examples do illustrate the fine line between the technical possibilities for processing personal data and the statutory limits.


Non-compliance with GDPR requirements may lead to severe fines. The regulatory limits to personal data processing do not mean, however, that modern technologies can no longer be used. While the benefits of modern technologies remain available for both landlords and tenants, such technologies must be used in a transparent, fair, and lawful manner. Landlords, amongst other affected parties, will have to address the use of such modern technologies in their lease agreements and privacy policies.

Click here for more on GDPR.

New sustainability clause for ROZ lease agreement office space

Posted in Dutch Property Law, Dutch Real Estate Law, energy label, English Language, governing law, property law, real estate

As reported in our November 2018 GT Amsterdam Law blog post, use of an office building without a minimum energy label C (an energy index of 1.3 or better) will be prohibited as of 1 January 2023.

In view of this prohibition in the Dutch Buildings Decree, the ROZ (Dutch Real Estate Council) has established a new sustainability/green lease provision for the ROZ model Office Space 2015. The new model clause allows the landlord and the tenant to draft agreements on how to comply with the Label C obligation for offices by the 2023 deadline. The clause urges both the landlord and the tenant to consider which energy-saving measures they want to implement and who will bear which costs.

The new model clause has two options: one for when the office building already meets the Label C requirement, the other for when the office building does not. In the first option, both the landlord and the tenant are responsible for choosing the most energy-saving measures in carrying out any maintenance, repair, or renewal to the leased property. In the second option, the landlord and the tenant must determine the necessary measures to meet Label C requirements and divide those responsibilities. Once the leased premises meet the Label C requirements, as in the first option, both the landlord and the tenant are responsible for choosing the most energy-saving measures for any maintenance, repair, or renewal to the leased property.

Furthermore, the new model clause contains language applicable to both situations. If the leased property requires additional energy-saving measures to comply with potential future legislation that is even better than Label C, the division of maintenance/repair/renewal responsibilities between the landlord and the tenant, as stated in Article 11 of the General Provisions, prescribes each party’s responsibility to contribute to the costs of such additional measures. Should the landlord and the tenant not come to an understanding of who takes on which part of the costs, the landlord is entitled to terminate the lease agreement with due observance of six months’ notice (!). The new model clause also addresses the situation in which the tenant has invested in energy-saving measures and how parties should deal with these measures at the end of the lease agreement.

Parties to office building lease agreements, particularly the tenants and the landlords in situations where the building does not comply with Label C, or future legislation prescribes further energy-saving measures more green/efficient than Label C, should pay careful attention to the current and future drafting and negotiation of lease agreements.

OFAC Crystalizes Its Expectations for Economic Sanctions Compliance Programs

Posted in international litigation

On May 2, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published A Framework for OFAC Compliance Commitments, which details more than 10 pages of long-standing OFAC practices on corporate economic sanctions compliance programs. With this publication, companies operating internationally are now on notice that compliance program elements that used to be simply “best practices” guidance will now be expected by OFAC. With the recent strengthening of certain sanctions regimes in countries such as Iran and Venezuela, the release of the guidance is both timely and telling. Companies – both U.S. and non-U.S. – conducting international business should take note and ensure their existing compliance programs include OFAC-enumerated elements.

Click here to read the full GT Alert.

Greenberg Traurig Shareholder Radboud Ribbert Quoted in Law 360 Intellectual Property Article

Posted in dutch patents, intellectual property, Intellectual Property Litigation, patents, pharmaceuticals

Radboud Ribbert from Greenberg Traurig LLP’s Amsterdam office was recently quoted in a Law360 Intellectual Property article. The article focuses on a recent amendment to the Dutch Patents Act (Rijksoctrooiwet) to include a limitation of the exclusive right of the holder of a patent on a medicine, the Pharmacist’s Exemption.

The full article can be read here (subscription required).

EU Parliament Approves Heavily Disputed Copyright Directive

Posted in Copyright, digital single market, European Directive, European Union Law, Intellectual Property Litigation

On March 26, the parliament of the European Union approved the “Directive on copyright in the Digital Single Market”, one of the most heavily disputed legislative acts in EU history. The Directive now has to be approved by the member states in the European Council, which is usually a formality (and will possibly happen on April 9).

First published as a draft in 2016 as one of the first activities in the EU’s Digital Single Market strategy, the Directive has become infamous in recent months due to the almost unparalleled controversy about, mainly, its Articles 11 and 13 (which in the final text became Articles 15 and 17).

Click here to read the full GT Alert.