
Netherlands

Summary

Law: Act Implementing the GDPR (in Dutch here) (an unofficial English version of the Act is available here) ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679)

Regulator: Dutch data protection authority ('AP')

Summary: The Netherlands implemented the GDPR in 2018 and utilised its legislative freedom to derogate from the GDPR in certain areas. In particular, under the Act, Chapter 3 of the GDPR (regarding data subjects' rights) does not apply where personal data is processed for either journalistic purposes or for the purposes of academic, artistic, or literary expression. The AP has released several guidelines and explanations on topics such as data security, financial data, and direct marketing. In its guidance on the use of cookies, the AP stated that the use of cookie walls violates the GDPR. Regarding its enforcement of the Act, the AP has investigated and issued decisions on several topics including, for example, violations of the right of access and right to erasure. Sanctions are outlined in its policy rules and are categorised into specific categories with corresponding bandwidths.

Insights

The Whistleblower Protection Act implements the Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937) ('the Whistleblowing Directive'), by amending and renaming the House for Whistleblowers Act of 2016.

Joke Bodewits, from Hogan Lovells, and Fenneke Buskermolen outline key changes under the Whistleblower Protection Act vis-à-vis the House for Whistleblowers Act regarding the scope of application and protection of whistleblowers, internal reporting procedures of employers, and the enforcement and sanctions regime, with concluding thoughts on next steps.

On 3 May 2022, the Dutch data protection authority ('AP') approved the code of conduct for Smart Grid Management ('the code of conduct'). The approval of the code of conduct is conditional on the AP’s approval of a supervisory body for the code of conduct, to be established within the next two years.

In this Insight article, Chantal Van Dam, from Hogan Lovells, and Fenneke Buskermolen explore the different layers of the code of conduct, further highlighting the obligations, compliance, and supervision structure it sets out, as well as next steps in light of the code of conduct's approval.

The bill on the Data Processing by Partnerships Act ('WSG') aims to provide a legal basis for the processing of personal data by designated partnerships and further constitutes a framework with a number of general rules with regard to the tasks, structure and functioning of these partnerships. Anouschka Van de Graaf, Senior Associate at Dentons, discusses the purposes of the bill, alongside concerns regarding its contents.

In July 2021, the Dutch Data Protection Authority, Autoriteit Persoonsgegevens ('AP'), published its guidance for smart cities and the development of smart city applications. This guidance is intended for municipalities in the Netherlands that plan to, or currently, collect and process personal data in a public space with the use of smart sensors and measuring equipment. The AP has deemed this guidance necessary as municipalities in the past have not always paid sufficient attention to the applicable privacy legislation, such as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Chantal van Dam and Femke van der Eijk, of Hogan Lovells, discuss the guidance in this article.

With restrictions being lifted across Europe and businesses planning their return to the office, many employers, in an endeavour to prevent the spread of COVID-19, are faced with the dilemma of whether they can require their employees to be vaccinated or to show proof of their vaccination status. Besides the health and safety concerns associated with the introduction of such measures, there are also some key privacy-related considerations. In particular, an individual's vaccination status falls within the scope of health data under Article 4(15) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and is therefore a special category of personal data under Article 9 of the GDPR, meaning processing is generally prohibited, unless an exception applies.

This article outlines the local requirements in the UK, Germany, the Netherlands, France, and Italy.

Your company might need its whistleblowing policy updated and implemented before 17 December 2021. Why? Before 17 December 2021, the new EU Whistleblower Directive ('the Directive') needs to be implemented in national law throughout all EU Member States. Marc Elshof and Anouschka van de Graaf, Partner and Senior Associate respectively at Dentons, discuss this process in the Dutch context.

On 1 July 2021, an amendment to the Telecommunications Act 1998 (as amended) ('the Telecommunications Act') came into force, requiring opt-in consent to telemarketing. Chantal Van Dam and Femke van der Eijk, from Hogan Lovells, provide a brief overview of what impact the amendment has had on the Telecommunications Act.

This article addresses the data protection rules for children that apply in the Netherlands. It elaborates on specific requirements enshrined in EU and local data protection law and guidance and considers enforcement actions of the Dutch data protection authority ('AP'). Furthermore, it introduces the Dutch Code for Children's Rights ('the Code') and explains the principles of the Code and how companies may benefit from it. Chantal van Dam, Senior Associate at Hogan Lovells LLP, discusses this topic and its nuances.
