DLA Piper Intelligence

Data Protection
Laws of the World

Law

Netherlands

The Netherlands implemented the EU Data Protection Directive 95/46/EC on 1 September 2001 with the Dutch Personal Data Protection Act (Wbp). Enforcement is through the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Last modified 26 Jan 2017
Definitions

Definition of personal data

Any data relating to an identified or identifiable natural person.

Definition of sensitive personal data

Personal data regarding a person’s religion or philosophy of life, race, political persuasion, health and sexual life, trade union membership, criminal behaviour and personal data regarding unlawful or objectionable conduct connected with a ban imposed as a result of such conduct.

Authority

Autoriteit Persoonsgegevens
Juliana van Stolberglaan 4-10

2595 CL DEN HAAG
Postbox 93374
2509 AJ DEN HAAG

T 00.31.70 – 8888 500
F 00.31.70 – 8888 501

www.autoriteitpersoonsgegevens.nl

Registration

Unless an exemption applies, data controllers who process personal data by automatic means must notify the Autoriteit Persoonsgegevens so that their processing of personal data may be registered and made public. Changes to the processing of personal data will require the notification to be amended.

The notification shall, inter alia, include the following information:

  • name and address of the data controller
     
  • purpose(s) of the processing
     
  • data subjects or categories of data subjects
     
  • data or categories of data relating to these data subjects
     
  • recipients or categories of recipients
     
  • proposed transfers of personal data to countries outside the European Union, and
     
  • a general description of the security measures the data controller is planning to take.

If any of the following changes occurs, the data controller must notify the Autoriteit Persoonsgegevens of these changes within one year after the previous notification. This concerns changes in:

  • the purpose or purposes of the data processing

  • the data subjects and recipients or categories of data subjects and recipients

  • the security measures, and/or

  • the intended transfers to countries outside the European Union.

However, this is only required if the changes are not of a purely incidental nature.

Also, any change to the name or address of the data controller should be notified to the Autoriteit Persoonsgegevens within one week.

Data Protection Officers

Companies, industry associations, governments and institutions can appoint a data protection officer. There is no legal requirement in the Netherlands to do so. The data protection officer ensures that processing of personal data takes place in accordance with the Wbp. The statutory duties and powers of the data protection officer give this officer an independent position within the organisation.

Collection & Processing

Data controllers may collect and process personal data only when the following conditions are met.

For collecting personal data:

Pursuant to the Wbp, a data controller may only collect personal data for a purpose that is:

  • specified
  • explicit, and
  • legitimate.

A data controller may not collect data if it has not clearly specified the purpose.

For processing personal data:

  • the data subject has unambiguously given his prior consent thereto
     
  • the processing is necessary for the performance of a contract to which the data subject is party
     
  • the processing is necessary in order to comply with a legal obligation to which the data controller is subject
     
  • the processing is necessary in order to protect the vital interests of the data subject
     
  • the processing is necessary or legally required in order to protect an important public interest, or
     
  • the processing is necessary for upholding the legitimate interests of the data controller or of a third party to whom the data is supplied, except where the interests or fundamental rights and freedoms of the data subject, in particular the right to protection of individual privacy, prevail.

In addition, personal data may not be further processed in a way incompatible with the purposes for which the data were originally collected. Whether further processing is incompatible depends on different circumstances, such as:

  • the relationship between the purpose of the intended processing and the purposes for which the data originally was obtained
     
  • the nature of the data concerned
     
  • the consequences of the intended processing for the data subject
     
  • the manner in which the data have been obtained, and
     
  • the extent to which appropriate guarantees have been put in place with respect to the data subject.

Also, personal data may only be processed, where, given the purposes for which they are collected or subsequently processed, they are adequate, relevant and not excessive.

Finally, the Wbp sets out strict rules in relation to sensitive data. The main rule is that such data may not be processed, unless the data subject has given his explicit consent to it. However, there are exemptions to this rule which may apply in certain circumstances.

Transfer

Transfer of a data subject’s personal data to non-EU/European Economic Area (EEA) countries is allowed if the receiving country provides ‘adequate protection’.

Data controllers may transfer personal data out of the EEA to countries which are not deemed to offer adequate protection if any of the following exceptions apply:

  • the data subject has unambiguously given his consent thereto

  • the transfer is necessary for the performance of the contract between the data controller and the data subject

  • the transfer is necessary in respect of an important public interest, or for the establishment, exercise or defence in law of any right

  • the transfer is necessary in order to protect the vital interests of the data subject

  • the transfer is made from a register that was established by law and can be consulted by anyone or by any person demonstrating a legitimate interest

  • the transfer is based on unchanged Model Clauses as referred to in article 26(4) of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, or

  • a permit thereto has been granted by the Minister of Justice, after consultation of the Autoriteit Persoonsgegevens. In order to obtain such permit, certain conditions should be met. One of these conditions can be implementing Binding Corporate Rules (BCR).

BCR are internal codes of conduct regarding data privacy and security, to ensure that transfers of personal data outside the European Union will take place in accordance with the EU rules on data protection.

The use of BCRs is not obligatory. It will however bring benefits to both processors and controllers.

Once BCRs are approved they can be used by the controller and processor, thereby ensuring compliance with the EU data protection rules without having to negotiate the safeguards and conditions each and every time a contract is entered into.

Security

Data controllers and processors must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.

Breach Notification

Since 1 January 2016, a data breach, i.e. any security incident that leads or may lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, must be reported to the Autoriteit Persoonsgegevens if the breach has or may have serious adverse consequences for the protection of personal data.

In addition, data subjects need to be informed about a data breach if such data breach is likely to have unfavourable consequences to their privacy.

Enforcement

In the case of possible violations of the Wbp, the Autoriteit Persoonsgegevens can impose the following sanctions:

  • impose an administrative order under which the data controller is forced to change its policy with immediate effect, or
  • impose administrative fines of up to a maximum of EUR 820,000 or 10% of the annual turnover of the previous year in case of violation of the Wbp.

Electronic Marketing

Electronic marketing is partially regulated in Article 11.7 of the Dutch Telecommunications Act (Tw). For the purposes of this Article, electronic marketing means the use of SMS, e-mail, fax and similar media to send unsolicited communications for commercial, charitable or ideological purposes without the recipient’s prior express consent.

Electronic marketing directed to corporations does not require prior consent if:

  • the advertiser/electronic marketer uses electronic address data that the corporation has made available for this particular purpose, and
  • where the corporation is located outside the EU, the advertiser/electronic marketer complies with the relevant rules of that country in this respect.

On the basis of Article 11.7 of the Tw, electronic marketing to individuals is in principle prohibited. If certain conditions are met, such as prior express consent, electronic marketing directed to individuals can be allowed. Furthermore, electronic marketing to individuals is also allowed if it is restricted to existing customers and to similar products/services of the advertiser/electronic marketer. In the latter case, the advertiser/electronic marketer is obliged to offer its customers an opt-out both when obtaining the data from them and in every marketing message sent.

Online Privacy

Traffic Data

Traffic Data is regulated in Article 11.5 of the Tw. Traffic Data held by a public electronic communications services provider (CSP) must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a communication. However, Traffic Data can be retained if:

  • it is being used to provide a value added service, and
  • consent has been given for the retention of the Traffic Data.

Traffic Data can only be processed by a CSP for:

  • the management of billing or traffic
  • dealing with customer enquiries
  • the prevention of fraud
  • the provision of a value added service (subject to consent)
  • market research (subject to consent)

Location Data

Location Data (other than Traffic Data) is regulated in Article 11.5a of the Tw. Location Data may only be processed:

  • if these data are processed in anonymous form, or
  • with the informed consent of the individual.

Cookie Compliance

The Netherlands implemented the E-Privacy Directive through the Dutch Telecommunications Act in Article 11.7a (hereinafter: Article 11.7a). The Authority for Consumers and Markets ("ACM") is entrusted with the enforcement of Article 11.7a.

The main rule is that the website operator needs to obtain prior consent from a user before using cookies (opt in) and needs to clearly and unambiguously inform the user about these cookies (purpose, type of cookie, etc). Implicit consent is accepted under Dutch law. Please note that the website operator is entitled to refuse users access to its website(s) if no consent is given.

The requirement to obtain prior consent from a user does not apply in case of functional cookies that have little or no impact on the user's privacy (e.g. first party cookies).

The use of analytic cookies, affiliate or performance cookies used for the purpose of paying affiliates or cookies used for testing the effectiveness of certain banners will be allowed without consent, on the condition that:

  • the data collected by such cookies are not used for, among other things, creating profiles by the website owner and/or the third party with whom the data are shared; and
  • website owners sharing the data with a third party take additional measures in order to limit any possible privacy impact.

Information collected through cookies is presumed to be "personal data" unless the party placing the cookies proves otherwise. This presumption applies only to tracking cookies, i.e. cookies by which the surfing behaviour of users across several different websites is observed and the information obtained is used for commercial purposes.

In case of violation of electronic marketing or online privacy legislation, the ACM can impose fines of up to EUR 900,000 per violation.

Contacts

Richard van Schaik
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +31 20 541 9828

Robin de Wit
Associate
T +31 20 5419674