Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Netherlands - Data Protection Overview
Back

Netherlands - Data Protection Overview

July 2022

1. Governing Texts

In the Netherlands, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Dutch GDPR Implementation Act (available in Dutch here) (an unofficial English version of the Act as of 2019 is available here) ('the Act') mainly govern the processing of personal data in the Netherlands. The relevant supervisory authority is the Dutch data protection authority ('AP'), which is becoming more and more active from both a guidance and enforcement perspective.

1.1. Key acts, regulations, directives, bills

The GDPR took effect on 25 May 2018 in the EU, replacing the EU Data Protection Directive (Directive 95/46/EC) and the former Dutch Personal Data Protection Act (only available in Dutch here).

Although the GDPR introduced a single legal framework in the EU, it includes several provisions allowing EU Member States to enact national legislation regarding certain elements of the GDPR in the Netherlands. These elements are set out in the Act.

1.2. Guidelines

The supervisory authority for data protection in the Netherlands is AP. The AP often refers to the guidelines released by the European Data Protection Board ('EDPB'), but also publishes guidelines, Q&A's and explanations on different topics under the GDPR and the Act, including, but not limited to:

  • general information regarding the GDPR, such as legal bases for processing, data subject rights, the role of processors and controllers, the data protection officer ('DPO'), and accountability (only available in Dutch here);
  • GDPR guidance for small and medium-sized enterprises ('SMEs') (only available in Dutch here);
  • the security of personal data, personal data breaches, and notification requirements in case of a personal data breach (only available in Dutch here);
  • financial data, the processing of personal data by financial service providers and payment service providers, the Payment Services Directive (EU) 2015/2366 (only available in Dutch here);
  • the use of pictures, video, and CCTV (only available in Dutch here);
  • the processing of health data and medical data, the use of medical records, and the processing of personal data by healthcare providers (only available in Dutch here);
  • the processing of identity documentation, citizen service numbers, and biometric personal data (only available in Dutch here);
  • international data transfers, the one-stop-shop mechanism, Binding Corporate Rules ('BCRs'), and passenger data (only available in Dutch here);
  • publishing personal data on the internet, direct marketing, Internet of Things ('IoT'), cookies, apps, and television (only available in Dutch here);
  • the processing of personal data by schools (only available in Dutch here);
  • the processing of personal data by the Government of the Netherlands, municipalities, associations, and churches (only available in Dutch here);
  • the processing of personal data by the police, in the judicial system, and during private investigations (only available in Dutch here);
  • the processing of personal data in an employment context, benefits, and the Works Council (only available in Dutch here);
  • COVID-19 related issues (only available in Dutch here);
  • Guidance for setting up strong internal supervision by the DPO (only available in Dutch here).
  • Guidelines on DPO's (only available in Dutch here) ('Guidelines on DPO's');
  • Recommendations for DPOs in hospitals (only available in Dutch here);
  • Guidance on positioning of the DPO - Principles: roles, processes and responsibilities (only available in Dutch here) ('the Guidance on positioning');
  • Guidance on DPIAs (only available in Dutch here) ('Guidance on DPIAs'); and
  • Guidance on prior consultation (only available in Dutch here) ('the Prior Consultation Guidelines').

Coronavirus related issues

The AP has issued guidance relating to the Coronavirus epidemic and privacy-related concerns (only available in Dutch here), as well as more specific guidance addressing topics including:

  • vaccination (only available in Dutch here);
  • contact tracing and temperature measuring (only available in Dutch here);
  • rapid Coronavirus tests (only available in Dutch here);
  • Coronavirus apps (only available in Dutch here);
  • education during Coronavirus (only available in Dutch here);
  • safe remote working (only available in Dutch here);
  • workplace issues (only available in Dutch here); and
  • access to medical files (only available in Dutch here).

1.3. Case law

Examples of Dutch case law concerning the GDPR, and the Act include the following:

  • privacy aspects relating to removal requests of, and the legal basis for, registrations with the Dutch Credit Registration Office ('BKR'). Multiple judgements available, such as Court of Appeal Arnhem-Leeuwarden ECLI:NL:GHARL:2019:103453 of December 2019 (only available in Dutch here) and Court of Appeal Arnhem-Leeuwarden ECLI:NL:GHARL:2020:4769 of 23 June 2020 (only available in Dutch here), Court of Justice Oost-Brabant ECLI:NL:RBOBR:2020:2534 of 7 May 2020 (available in Dutch here). Council of State ECLI:NL:HR:2021:1814 of 3 December 2021 (only available in Dutch here);
  • balancing interests relating to a removal request of an incident registration after filing a falsified tax overview. Court of Appeal Arnhem-Leeuwarden ECLI:NL:GHARL:2020:3464 of 28 April 2020 (only available in Dutch here);
  • scope of right of access, for instance in relation to internal notes relating to certain actions within an enterprise, telephone conversations and e-mails, and information on employees of Dutch bank and their actions. Court of Appeal Amsterdam ECLI:NL:GHAMS:2020:648 of 3 March 2020 (available in Dutch here);
  • privacy aspects of camera surveillance by a private company. Council of State ECLI:NL:RVS:2020:594 of 26 February 2020 (available in Dutch here);
  • the legitimacy of requiring employees to use biometric data to log onto a cash register system. Court of Justice Amsterdam ECLI:NL:RBAMS:2019:6005 of 12 August 2019 (only available in Dutch here);
  • the right of access to (the copies of) exams taken by a data subject, including to the written notes of the examiner with regard to the exam answers provided by the data subject. Court of Justice The Hague ECLI:NL:RBDHA:2019:5110 of 2 May 2019 (only available in Dutch here);
  • the right to erasure with respect to information available on Google, such as Court of Justice Gelderland ECLI:NL:RBGEL:2018:5600 of 22 October 2019 (only available in Dutch here) and the appeal with the Council of State ECLI:NL:HR:2022:329 of 25 February 2022 (only available in Dutch here);
  • mass claim for compensation in damages for GDPR breaches against Salesforce and Oracle. Claimant is declared inadmissible. Court of Justice Amsterdam ECLI:NL:RBAMS:2021:7647 of 29 December 2021 (only available in Dutch here);
  • balancing of interests relating to a commercial interest and journalistic purpose. An appeal to an administrative fine from the AP. Court of Justice Midden-Nederland ECLI:NL:RBMNE:2020:5111 of 23 November 2020 (only available in Dutch here);
  • scope of the right to rectification, for instance, the right to rectification is not intended to correct or delete impressions, opinions, research results, and/or conclusions with which the data subject does not agree. Court of Appeal Hertogenbosch ECLI:NL:GHSHE:2022:80 of 13 January 2022 (only available in Dutch here);
  • right to access, for instance whether there is a right to inspect (by means of full copies) the integral documentation in which personal data is (possibly) included, such as underlying documents and personal notes of others. Court of Appeal Hertogenbosch ECLI:NL:GHSHE:2021:2252 of 15 July 2021 (only available in Dutch here).

Mass damage compensation claims for GDPR breaches

In the Netherlands there is an uptick in class action procedures due to the entry into force of the Dutch Act on Collective Settlement of Mass Damage Claims of 20 March 2019 ('Wet Collectieve Afwikkeling Massaschade') in 2020. Multiple class actions have been initiated that are based on claims of GDPR non-compliance, such as:

  • TikTok – Foundation Take Back Your Privacy and the Dutch Consumer Association ('Consumentenbond'). This €1.5 billion claim alleges that TikTok exploits the personal data of child users, in violation of the GDPR and Dutch and European consumer law. Amongst others, the claim argues that TikTok:
    • does not comply with the principles of data minimisation and transparency;
    • processes personal data without a lawful basis; and
    • does not obtain valid consent from children and, where necessary, there parents or guardians;
  • TikTok - Foundation for Market Information Research ('Stichting Onderzoek Marktinformatie') ('SOMI') (more information available here). This €1.4 billion claim alleges that TikTok violates Dutch and EU privacy and consumer laws and unlawfully exposes minors to harmful content. Amongst others, the claims argues that TikTok is violating the GDPR by:
    • profiling children for marketing purposes;
    • failing to obtain valid consent for the use of personal data;
    • not specifying which personal data are collected for which purposes;
    • failing to provide children with special protection;
    • collecting and storing more personal data than necessary; and
    • failing to meet the requirements for storing and securing personal data; and 
  • Salesforce and Oracle – the Privacy Collective. This €10 billion claim alleges that Salesforce and Oracle unlawfully processed the personal data of website visitors, among other things, because of their crucial role in the Real Time Bidding ('RTB') process. The Privacy Collective was declared inadmissible by the Dutch Court of Amsterdam (ECLI:NL:RBAMS:2021:7647 of 29 December 2021, only available in Dutch here). The Privacy Collective has filed an appeal to this decision.

2. Scope of Application

2.1. Personal scope

The personal scope of the Act is equivalent to the personal scope of the GDPR. It applies to all processing of personal data, wholly or in-part through automated means, by private and public organisations of personal data of directly or indirectly identifiable natural persons. The Act does not apply in case data is effectively anonymised in accordance with the GDPR and the guidance of the EDPB, or if the data relates to deceased individuals.

2.2. Territorial scope

The territorial and extraterritorial scope of the Act is equivalent to the territorial and extraterritorial scope of the GDPR. This means that the Act applies to the processing of personal data:

  • in the context of the activities of an establishment of a controller or a processor in the Netherlands, regardless of whether the processing takes place in the EU or not; and
  • of data subjects who are in the Netherlands by a controller or processor not established in the EU, where the processing activities are related to:
    • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Netherlands; or
    • the monitoring of their behaviour as far as their behaviour takes place within the Netherlands.

2.3. Material scope

The material scope of the Act is similar to the material scope of the GDPR. The Act applies to:

  • the processing of personal data wholly or partly by automated means;
  • the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system;
  • the processing of personal data in the course of an activity which falls outside the scope of EU law; and
  • the processing of personal data by the armed forces when performing activities that fall within the scope of Chapter 2 of Title V of Treaty on the Functioning of the European Union.

However, the Act does not apply to the processing of personal data:

  • in so far as such processing is subject to the Personal Records Database Act (only available in Dutch here), the Elections Act, or the Advisory Referendum Act of 2014 (only available in Dutch here);
  • as set out in Article 2(2) of the GDPR;
  • by the armed forces, in so far as the Minister of Defence decides on this for purposes of deploying the armed forces or making them available to carry out the tasks described in Article 97 of the Constitution of the Kingdom of the Netherlands 2008; and
  • in so far as it is subject to the Intelligence and Security Services Act 2002.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The supervisory authority for data protection in the Netherlands, the AP, was appointed in accordance with Article 51 of the GDPR and Article 6 of the Act.

3.2. Main powers, duties and responsibilities

The AP has the power to exercise its authorities and tasks as assigned to supervisory authorities under Articles 57 and 58 of the GDPR, and specifically to the AP under Articles 14 to 21(a) of the Act. The powers as set out in the Act refer to the powers as included in the Dutch General Administrative Law Act (only available in Dutch here) ('the Administrative Act'). Pursuant to the GDPR and Act, the AP can among other things:

  • impose administrative fines;
  • impose orders under penalty;
  • monitor compliance;
  • exercise advisory powers;
  • cooperate with other supervisory authorities; and
  • proceed legal action against infringements regarding transfers to third countries.

The AP is bound by the requirements as included in the Administrative Act.

4. Key Definitions

Data controller: There are no variations from the GDPR.

Data processor: There are no variations from the GDPR.

Personal data: There are no variations from the GDPR.

Sensitive data: There are no variations from the GDPR.

Health data: There are no variations from the GDPR.

Biometric data: There are no variations from the GDPR.

Pseudonymisation: There are no variations from the GDPR.

5. Legal Bases

The Act does not contain additional legal bases for the processing of personal data. Therefore, only the legal bases under Article 6 GDPR apply.

5.1. Consent

Legal basis under the GDPR apply.

5.2. Contract with the data subject

Legal basis under the GDPR apply.

5.3. Legal obligations

Legal basis under the GDPR apply.

5.4. Interests of the data subject

Legal basis under the GDPR apply.

5.5. Public interest

Legal basis under the GDPR apply.

5.6. Legitimate interests of the data controller

Legal basis under the GDPR apply.

5.7. Legal bases in other instances

National implementation of Article 89 of the GDPR

According to Article 44 of the Act, Articles 15, 16, and 18 of the GDPR do not apply in case personal data is processed by institutions or services for scientific research or statistics, and the required safeguards are put in place to ensure that the personal data can only be used for such purposes.

According to Article 45 of the Act, Articles 15, 16, 18(1)(a), and 20 of the GDPR do not apply in cases where personal data is processed that is included in archives within the meaning of the Dutch Public Records Act 1995 (only available in Dutch here) ('the Public Records Act'). The data subject has the right of access to the archived records, unless the request for access cannot reasonably be granted because the request is not specified sufficiently. A data subject has the right to add its own understanding of the relevant data to the archived records in cases where incorrect personal data is processed.

Processing national identification numbers

According to Article 46 of the Act, the processing of national identification numbers is only allowed if such processing is provided for by law, and only for the purposes prescribed by that law.

6. Principles

In the Netherlands, the principles of data protection law are set out in the GDPR. This means that all personal data must be:

  • processed lawfully, fairly, and in a transparent manner;
  • collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
  • adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
  • accurate and, where necessary, kept up to date (accuracy);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation); and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (integrity and confidentiality).

The controller is responsible for ensuring that the principles are met and must be able to demonstrate compliance at all times.

7. Controller and Processor Obligations

7.1. Data processing notification

There are no national notification or registration requirements applicable under the Act.

However, the Prior Consultation Guidelines stipulate that prior consultation is required if the outcome of a DPIA indicates a high risk and the data controller is unable to find measures that would limit that risk. Furthermore, the Prior Consultation Guidelines contain a list of steps enabling organisations to determine if prior consultation is necessary (the Prior Consultation Guidelines).

If prior consultation is necessary, then the request for prior consultation can be made by a data controller or a data protection officer by sending a form available on the AP's website together with the DPIA to the AP's address. Afterwards, the AP will make an assessment of the information received within 14 weeks, which may be extended if the request is complex. After completing its assessment, the AP will send back a letter to the organisation, containing the result of the prior consultation.

7.2. Data transfers

Dutch law does not provide for data localisation requirements. In addition, the Act does not provide for additional restrictions on the transfer of personal data as set out in the GDPR.

7.3. Data processing records

There are no national variations or requirements with regard to the obligation for data controllers and/or data processors to maintain data processing records.

7.4. Data protection impact assessment

There is no overview of activities subject to prior consultation or authorisation.

However, the AP has published an overview of types of processing activities which require a Data Protection Impact Assessment ('DPIA') (only available in Dutch here). This includes processing activities relating to:

  • large-scale or systematic monitoring:
    • in covert investigations, such as for private investigative agencies, anti-fraud investigations, online research (e.g. online copyright infringement), and covert camera surveillance;
    • of (special categories of) personal data for fraud prevention, including blacklists);
    • for the purpose of assessing creditworthiness, such as by establishing credit scores;
    • of financial data from which the financial positions or individuals' expenditure patterns can be derived;
    • of genetic data, such as DNA analyses;
    • in public spaces by means of for example cameras and drones;
    • of employees;
    • of location data;
    • of communications data;
    • relating to IoT applications; and
    • of biometric data for identification purposes; and
  • blacklists of personal data concerning criminal convictions and offences, wrongful conduct, obstinate behaviour, and payment performance;
  • large-scale processing of health data (not applicable to individual physicians or health care professionals);
  • partnerships between municipalities or other governmental bodies and other public or private parties in case special categories of personal data or sensitive personal data are shared;
  • large-scale or systematic flexible camera surveillance;
  • systematic and extensive assessment of personal traits by means of automated processing (profiling), such as the assessment of professional performance; or
  • large-scale automated processing of personal data in order to monitor or influence behaviour.

National activities not subject to prior consultation/authorisation

There is no overview of processing activities that are not subject to prior consultation or authorisation.

In its Guidance on DPIAs, the AP has indicated that a DPIA is not required for data processing activities that:

  • will probably not constitute a high privacy risk;
  • are highly similar to other processing activities for which a DPIA has already been conducted;
  • are governed by another European or Dutch law and during the drafting stage of this law a DPIA has been carried out, unless the AP finds that a DPIA is nevertheless required; or
  • are included on a list of processing activities for which no DPIA is required (such a list has currently not been prepared by the AP).

The AP has issued a DPIA checklist for processing under the Act (only available in Dutch here).In addition, the AP has issued a DPIA checklist for processing that commenced before the implementation of the GDPR (only available in Dutch here).

7.5. Data protection officer appointment

According to Article 39 of the Act, a DPO is bound to secrecy of information which has been made available to them by means of a data subject's complaint or request, unless the data subject provides consent to the disclosure of the information.

The AP has issued Guidelines on DPO's which is based on the Article 29 Working Party's ('WP29') Guidelines on Data Protection Officers (adopted on 13 December 2016, as revised and adopted on 5 April 2017).

A DPO is under a duty to keep information revealed to him/her, in relation to a complaint or request from a data subject, confidential unless the data subject concerned agrees to the disclosure of such information (Article 39 of the Act).

The Guidance on positioning provides the following eight principles of DPO's:

  • the DPO must be visible within the organisation;
  • the DPO must be involved, and at an earlier stage, to help organisations identify, evaluate, and mitigate any risks associated with processing operations;
  • the DPO must be sufficiently well resourced to be able to perform their tasks;
  • the DPO must be aware of the communication from the AP with the organisation;
  • the DPO acts as a contact point for data subjects for handling data subject requests;
  • the DPO is protected by the AP's during an investigation into the organisation;
  • the AP's can request records of reports and opinions from the DPO's; and
  • the DPO must be independent.

Furthermore, organisations are under an obligation to notify the contact details of their DPO to the AP. Notification can be made through the notification form (only available in Dutch here) ('Notification Form'). In accordance with the privacy statement on the AP's website (only available in Dutch here) ('the Privacy Statement'), the AP maintains an internal register of DPOs notified by organisations. 

In line with the Privacy Statement, DPOs' personal data are retained by the AP as long as he/she is notified as DPO with the AP. Personal data of a former DPO are deleted once the information that a person is no longer a DPO is passed to the AP, which can be done through the Notification Form. The form is subsequently deleted after three months, in line with the Privacy Statement. 

DPOs notified with the AP can send their administrative questions, or questions about the GDPR and the related laws to the AP, by sending an email to [email protected].

7.6. Data breach notification

The Act does not provide any variations or exemptions on the data breach notification obligation.

The AP has published guidance regarding data breach notifications on its website, which is based on the data breach guidelines of the EDPB. The AP has also published tips and tricks on notifications for professionals (only available in Dutch here).

Notification to the AP

The Act does not contain variations or exemptions to the breach notification obligations under Article 33 of the GDPR.

The AP has to be notified by electronically sending a completed notification form as available on the website of the AP (only available in Dutch here). An existing notification can also be amended or withdrawn on the website by using the reference number of the notification.

Notification to data subjects

The Act only provides an exemption to the breach notification obligations under Article 34 of the GDPR for financial enterprises. According to Article 42 of the Act, financial enterprises as defined in the Dutch Act on Financial Supervision of 28 September 2006 (only available in Dutch here) ('the Financial Supervision Act') are exempt from the obligation under Article 34 of the GDPR to inform data subjects of a personal data breach.

Sectoral obligations

As set out above, certain financial enterprises are exempt from the obligation under Article 34 of the GDPR to inform data subjects of a personal data breach.

7.7. Data retention

The Act does not contain any provisions or exemptions in relation to retention and deletion of personal data.

7.8. Children's data

The Act does not deviate from the minimum age of 16 years for providing consent as set out in Article 8 of the GDPR. In cases where a child is below the age of 16 years, its legal representative's consent is required.

Article 5 of the Act determines that the minimum age for consent also applies for services other than information society services offered to children. The Explanatory Memorandum provides the example of an agreement to deliver a product at home other than via an order on the internet.

7.9. Special categories of personal data

According to Article 9(2) of the GDPR and Article 22 of the Act, the processing of special categories of personal data is permitted in cases where:

  • the data subject has provided explicit consent for the processing of its personal data for one or more specified purposes;
  • the processing is necessary to protect the data subject's vital interests or another natural person where the data subject is physically or legally incapable of providing consent;
  • the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside that body without the consent of the data subjects;
  • the processing relates to personal data that is manifestly made public by the data subject; or
  • the processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity.

According to Articles 9(2)(g) of the GDPR and Article 23 of the Act, the processing of special categories of personal data is also permitted in case:

  • the processing is necessary to comply with an obligation under international law;
  • the data is processed by the AP or the National Ombudsman, provided that such processing is necessary for the performance of their statutory duties, and safeguards are implemented to ensure that the privacy of the data subject is not disproportionately adversely affected; or
  • the processing is necessary in addition to the processing of personal data of a criminal law nature (as set out below) for the purposes for which the latter data is processed.

According to Article 9(2)(j) of the GDPR and Article 24 of the Act, the prohibition on the processing of special categories of personal data is not applicable in case:

  • the processing is necessary for scientific research, historical research, or statistical purposes in accordance with Article 89(1) of the GDPR;
  • such research serves a public interest;
  • obtaining explicit consent is impossible or would require a disproportionate effort; and
  • safeguards are provided to ensure that the data subject's privacy is not disproportionately adversely affected.

According to Article 9(2)(g) of the GDPR and Article 25 of the Act, the prohibition on the processing of personal data revealing racial or ethnic origin is not applicable in case the purpose of processing is:

  • the data subject's identification, insofar as the processing for that purpose is inevitable; or
  • granting persons from a certain ethnic or cultural minority group a privileged position in order to remove or mitigate actual disadvantages relating to racial or ethnic origin insofar as:
    • the processing is necessary for this purpose;
    • the data involves the data subject's place of birth, their parents or grandparents, or other statutorily established criteria in order to determine objectively whether an individual belongs to a certain ethnic or cultural minority group; and
    • the data subject has not objected to the processing in writing.

According to Article 9(2)(g) of the GDPR and Article 26 of the Act, the prohibition on the processing of personal data revealing political opinions is not applicable in cases where the processing occurs in relation to requirements regarding such opinions which may reasonably be posed in connection with the fulfilment of functions in administrative bodies and advisory bodies.

According to Article 9(2)(g) of the GDPR and Article 27 of the Act, the prohibition on the processing of personal data revealing religious or philosophical beliefs is not applicable in cases where institutions other than foundations, associations, or any other not-for-profit bodies with a political, philosophical, religious, or trade union aim process the personal data, and the processing is necessary with regard to mental health treatment, unless the data subject has objected to the processing in writing. Such personal data may not be disclosed to third parties without the data subject's consent.

According to Article 9(2)(g) of the GDPR and Article 28 of the Act, the processing of genetic data is allowed in respect of the data subject from whom the data has been obtained. Furthermore, the prohibition on the processing of genetic personal data is not applicable in case:

  • a substantial medical interest prevails; 
  • the processing is necessary for scientific research serving a public interest or for statistical purposes;
  • the data subject provides explicit consent (unless obtaining consent is impossible or requires a disproportionate effort); and
  • safeguards are implemented to ensure that the data subject's privacy is not disproportionately affected.

According to Article 9(2)(g) of the GDPR and Article 29 of the Act, the prohibition on the processing of biometric data for identification purposes is not applicable in cases where such processing is necessary for authentication or security purposes.

According to Articles 9(2)(b), (g), and (h) of the GDPR and Article 30 of the Act, the prohibition on the processing of health data is not applicable in cases where the health data is processed by:

  • administrative bodies, pension funds, or employers, and the processing is necessary for:
    • executing statutory obligations, pension rules, or collective employee arrangements that provide for claims depending on data subjects' health; or
    • reintegration purposes or support of employees or beneficiaries relating to illness or disabilities;
  • schools in order to provide special support or facilities to students relating to their health condition;
  • parole institutions, rehabilitation institutions, the Dutch Child Protection Agency, and similar institutions in order to execute their statutory duties;
  • the Dutch Minister for Legal Protection and the Dutch Minister of Justice and Security insofar as the processing is necessary for the execution of freedom restricting measures;
  • health professionals, institutions, and facilities for healthcare or social services insofar as necessary for a proper treatment of the data subject, or to manage the relevant professional practice; or
  • insurance companies insofar as the processing is necessary for:
    • assessing insurance risks, provided that the data subject has not objected; or
    • executing an insurance agreement or the assisting in the execution of an insurance agreement.

The controllers mentioned above have to be subject to confidentiality requirements.

Personal data of a criminal law nature

According to Article 1 of the Act, personal data of a criminal law nature means 'personal data relating to criminal convictions and criminal offences or related security measures as referred to in Article 10 of the GDPR, as well as personal data relating to a prohibition imposed by the court in response to wrongful conduct or objectionable behaviour'.

According to Article 31 of the Act, personal data of a criminal law nature can only be processed, without prejudice to Article 10 of the GDPR, in case this is allowed under Articles 32 and 33 of the Act.

According to Article 32 of the Act, processing personal data of a criminal law nature is allowed in case:

  • the data subject has provided explicit consent for the processing of that personal data for one or more specified purposes;
  • the processing is necessary for the protection of the data subject's vital interests or of another natural person where the data subject is physically or legally incapable of providing consent;
  • the processing relates to personal data which is manifestly made public by the data subject;
  • the processing is necessary for the establishment, exercise, or substantiation of legal claims or in the event courts are acting in their legal capacity;
  • the processing is necessary for reasons of substantial public interest in order to comply with international legal obligations, or for the AP or National Ombudsman to perform their statutory tasks; or
  • the processing is necessary for scientific research, historical research, or statistical purposes in accordance with Article 89(1) of the GDPR, provided that the conditions set out in Article 24(b), (c), and (d) of the Act are met (as set out above).

According to Article 33 of the Act, processing personal data of a criminal law nature is allowed:

  • by bodies responsible for law enforcement;
  • by and for the benefit of (groups of) controllers cooperating under public law, insofar as necessary to perform their tasks, provided that safeguards have been implemented in order to ensure that the data subject's privacy will not be disproportionately adversely affected;
  • if the processing is necessary to supplement the processing of health data for the purpose of a proper treatment or care of the data subject;
  • by a controller that processes the personal data for its own purposes:
    • to assess a data subject's request to take a decision regarding them, or to provide a service to them; or
    • to protect the controller's interests relating to criminal offences that have been committed or, based on facts and circumstances, are expected to be committed against the controller or its employees;
  • with respect to employees which are employed by the controller if such processing is carried out in accordance with the rules adopted in accordance with the procedure as set out in the Dutch Works Councils Act; or
  • on behalf of a third party:
    • by controllers acting pursuant to a licence under the Private Security Organisations and Investigation Agencies Act of 1997 (only available in Dutch here);
    • in case the third party is a legal entity that is part of the same group of companies as referred to in Article 2:24b of the Dutch Civil Code (only available in Dutch here); or
    • in case the AP has granted a licence for such processing, which will only be granted (and may be subject to additional conditions) if the processing is necessary for a substantial interest of the third party concerned and safeguards have been implemented to ensure that data subject's privacy will not be disproportionately adversely affected.

7.10. Controller and processor contracts

The Act does not contain additional requirements further to the GDPR.

8. Data Subject Rights

Article 41 of the Act implements the exemptions as set out in Article 23 of the GDPR, allowing controllers not to apply certain data subject rights as described in Articles 12 to 21 and 34 of the GDPR. According to Article 41 of the Act, a controller does not need to apply the aforementioned rights in case it is necessary and proportionate for safeguarding matters relating to:

  • national security;
  • national defence;
  • public security;
  • the prevention, investigation, detection, and/or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security;
  • other important objectives of general public interest of the EU or the Netherlands, in particular an important economic or financial interest of the EU or the Netherlands, including monetary, budgetary and taxation matters, public health and social security;
  • the protection of judicial independence and judicial proceedings;
  • the prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions;
  • a monitoring, inspecting, or regulating function connected, even occasionally, to the exercise of official authority in cases referred to under Sections 23(a) to (g) of the GDPR;
  • the protection of the data subject or the rights and freedoms of others; or
  • the enforcement of civil law claims.

Furthermore, according to Article 43 of the Act, the provisions relating to data subject rights (as implemented in Chapter 3 of the Act) do not apply in case personal data is solely processed for journalistic purposes or for the benefit of academic, artistic, or literary expression forms.

8.1. Right to be informed

According to Articles 44, 45, and 47 of the Act, the right of information and access in Article 15 of the GDPR is not applicable in cases of:

  • processing personal data by institutions or services for scientific research or statistics, where the required safeguards are put in place to ensure that the personal data can only be used for such purposes;
  • archiving in the public interest as regards governmental archives in the context of the Public Records Act, provided that a data subject has a right of access in archive records, unless a request is not specified sufficiently; or
  • statutorily established public registers, in case applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data.

8.2. Right to access

According to Articles 44, 45, and 47 of the Act, the right to access in Article 15 GDPR is not applicable in case of:

  • processing personal data by institutions or services for scientific research or statistics, where the required safeguards are put in place to ensure that the personal data can only be used for such purposes;
  • archiving in the public interest as regards governmental archives in the context of the Public Records Act, provided that a data subject has the right to add their interpretation to relevant archived files in case personal data is incorrect; and
  • statutorily established public registers, in case applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data.

8.3. Right to rectification

According to Articles 44, 45, and 47 of the Act, the right to rectification in Article 16 of the GDPR is not applicable in case of:

  • processing personal data by institutions or services for scientific research or statistics, where the required safeguards are put in place to ensure that the personal data can only be used for such purposes;
  • archiving in the public interest as regards governmental archives in the context of the Public Records Act, provided that a data subject has the right to add their interpretation to relevant archived files in case personal data is incorrect; and
  • statutorily established public registers, in case applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data.

Furthermore, according to Article 47 of the Act, the notification obligation in Article 19 of the GDPR does not apply in case of any rectification of personal data which is being processed for statutorily established public registers, in case the applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data.

8.4. Right to erasure

The Act has not implemented variations on the right to erasure in Article 17 of the GDPR. However, according to the Explanatory Memorandum to Article 47 of the Act, the right to erasure is not applicable in cases where personal data is processed for statutorily established public registers, as this processing is necessary to comply with a legal or statutory obligation.

Furthermore, according to Article 47 of the Act, the notification obligation of Article 19 of the GDPR does not apply in case of any erasure of personal data (Article 17(1) of the GDPR) which is being processed for statutorily established public registers, in case applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data.

8.5. Right to object/opt-out

According to Article 47(2) of the Act, the right to object in Article 21 of the GDPR is not applicable in case of statutorily established public registers.

8.6. Right to data portability

According to Article 45 of the Act, the right to data portability of Article 20 of the GDPR is not applicable in case of archiving in the public interest as regards governmental archives in the context of the Public Records Act.

8.7. Right not to be subject to automated decision-making

According to Article 40 of the Act, Article 22(1) of the GDPR is not applicable in the case where the automated individual decision-making, other than when made on the basis of profiling, is necessary to comply with a statutory obligation of the controller, or is necessary for the fulfilment of a task of public interest. In that case, the controller has to take adequate measures in order to protect the rights and freedoms, and interests of the data subject. In case the controller is not an administrative body, appropriate measures have been taken to ensure that the right to human intervention, the right for the data subject to express its point of view, and the right to challenge the decision, are secured.

8.8. Other rights

The Act does not contain any other rights in addition to the rights provided by the GDPR.

Variations of GDPR on right to restriction of processing

According to Articles 44 and 47 of the Act, the right to restriction of processing in Article 18 of the GDPR is not applicable in cases of:

  • processing personal data by institutions or services for scientific research or statistics, where the required safeguards are put in place to ensure that the personal data can only be used for such purposes; and
  • statutorily established public registers, in case applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data; for example, according to the Dutch Land Registry Act of 1989 (only available in Dutch here), the registry can provide for feedback in case data appears to be incorrect, which will be reflected in the registry during the period the data is being investigated.

According to Article 45 of the Act, Article 18(1)(a) is not applicable in case of archiving in the public interest as regards governmental archives in the context of the Public Records Act.

Furthermore, according to Article 47 of the Act, the notification obligation in Article 19 of the GDPR does not apply in case of any restriction of processing of personal data which is being processed for statutorily established public registers, in case applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data.

9. Penalties

Act sanction provisions

The Act contains the following sanction provisions in addition to the fines the AP can impose based on Article 83 of the GDPR:

  • according to Article 16 of the Act, the AP can impose an administrative enforcement order to enforce the obligations as set out in the GDPR or the Act, and/or an order under penalty on the basis of Article 5:20 of the Administrative Law Act;
  • according to Article 17 of the Act, the AP can impose an administrative fine in case of a violation of Article 10 of the GDPR or Article 31 of the Act (i.e. unlawful processing of personal data of a criminal law nature) of up to €20 million, or, if it involves an undertaking, up to 4% of the total worldwide turnover in the preceding financial year, whatever is higher;
  • according to Article 18 of the Act, the AP can impose an administrative fine on public authorities in case of a breach of Articles 83(4), (5), or (6) of the GDPR; and
  • according to Article 21a of the Act, the AP can impose an administrative fine of up to €20 million, or up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher, in case of a violation of rules on access by payment service providers to the personal data of payment service users as set out in Article 3.17(7) of the Financial Supervision Act.

AP's Fining Policy Rules

The AP has published its Fining Policy Rules (only available in Dutch here) ('the Policy'), setting out how the amount of a fine is determined. The Policy categorises breaches of various obligations under the GDPR and the Act in penalty categories (I, II, III, and IV). Each of these categories has a penalty bandwidth ranging between a certain minimum and maximum penalty amount. Within the bandwidths, the AP has established a certain penalty amount which can be increased or decreased depending on various factors. Examples of such factors are the nature of the breach, the severity of the breach, the duration of the breach, the number of data subjects involved, the intentional or negligent nature of the breach, and the measures taken to limit damages suffered by the data subjects. To illustrate, a violation of Article 32 of the GDPR (i.e. the security of processing) is categorised in penalty category II. The penalty bandwidth of this category is between €120,000 and €500,000, and the standard penalty amount is €310,000.

9.1 Enforcement decisions

The AP has imposed several administrative fines and other corrective measures (see overview here), including, but not limited to:

Administrative fines

  • administrative fine for the Dutch Tax Authority for blacklist Fraud Signaling Facility - €3.7 million (12 April 2022);
  • administrative fine for the Ministry of Foreign Affairs for poor security of visa applications - €565,000 (April 6, 2022);
  • administrative fine for DPG Media for unnecessarily requesting identity documents - €525,000 (24 February 2022) – objection has been issued against fine decision, the AP will assess the objection;
  • administrative fine for the Dutch Tax Authority for discriminatory and illegal working methods - €2.75 million (7 December 2021);
  • administrative fine for Transavia for poor security of personal data - €400,000 (12 November 2021);
  • administrative fine for TikTok fine for violating children's privacy - €750,000 (22 July 2021) – objection has been issued against fine decision, the AP will assess the objection;
  • administrative fine for UWV for poor security when sending group messages  - €450,000 (7 July 2021);
  • administrative fine for orthodontic practice due to unsecured patient website - €12,000 (10 June 2021) – objection has been issued against fine decision, the AP has declared the objection unfounded;
  • administrative fine for CP&A for violation of the privacy of sick employees - €15,000 (19 May 2021);
  • administrative fine for LocateFamily.com fine for missing representative in EU - €525,000 (12 May 2021);
  • administrative fine for political party PVV Overijssel for failing to report data breach - €7,500 (11 May 2021);
  • administrative fine for the municipality of Enschede for WiFi tracking - €600,000 (29 April 2021) - has objected to the fine decision, the AP will assess the objection;
  • administrative fine for Booking.com for late reporting of data breach - €475,000 (31 March 2021);
  • administrative fine for OLVG for poor security of patient files - €440,000 (11 February 2021);
  • administrative fine for VoetbalTV for not having a legal basis to make and distribute video recordings of amateur football matches - €575,000 (16 July 2020) – VoetbalTV objected to the fine decision with the Dutch courts and the Dutch courts have annulled the fine decision, the AP have filed an appeal;
  • administrative fine for BKR for asking fee for access right - €830,000 (6 July 2020) – BKR has objected to the fine decision with the Dutch courts;
  • administrative fine for unknown company fine for fingerprinting staff - €725,000 (30 April 2020) – the company has objected to the fine decision, the AP will assess the objection;
  • administrative fine for KNLTB for selling member data - €525,000 (3 March 2020) – KNKTB has objected to the fine decision, the AP will assess the objection;
  • administrative fine for Haga Hospital for poor security of patient files - €460,000 (16 July 2019); and
  • administrative fine for Uber for late reporting of data breach - €600,000 (27 November 2018).

Orders subject to an incremental penalty

  • order subject to an incremental penalty to the Dutch Ministry of Foreign Affairs for poor security for visa applications (in addition to fine) max. €500,000 – still ongoing; for insufficient transparency to visa applicants regarding the sharing of personal data with third parties (in addition to fine) max. €300,000 - violation stopped in time (April 6, 2022);
  • order subject to an incremental penalty to LocateFamily.com for missing representative in EU (in addition to fine) max. €120,000 - still ongoing (12 May 2021);
  • order subject to an incremental penalty to a health insurer CZ for too much medical data in authorisation applications (amount not disclosed) – violation stopped in time (February 14, 2020);
  • order subject to an incremental penalty to health insurer Menzis for unauthorised access to medical data max. €750,000 - €50,000 collected (4 November 2019);
  • order subject to incremental penalty to health insurer VGZ for unauthorized access to medical data max. €750,000 - violation stopped in time (4 November 2019);
  • order subject to penalty to Haga Hospital for poor security of patient files max. €300,000 - violation stopped in time (16 July 2019)';
  • second order subject to penalty National Police for poor security of police data max. €320,000 - violation stopped in time (21 December 2018);
  • order subject to penalty UWV for poor security employer portal max. €900,000 - violation stopped in time (30 October 2018);
  • order subject to penalty National Police for poor security of police data max. €200,000 - €40,000 collected (20 September 2018); and
  • order under incremental penalty to TGB for not complying with customer's access request max. €60,000 - €48,000 collected (9 August 2018).