LAW IN NETHERLANDS
The Netherlands implemented the EU Data Protection Directive 95/46/EC on 1 September 2001 with the Dutch Personal Data Protection Act (‘Wbp’). Enforcement is through the Dutch Data Protection Authority (‘College Bescherming Persoonsgegevens’).
DEFINITIONS
Definition of personal data
Any data relating to an identified or identifiable natural person.
Definition of sensitive personal data
Personal data regarding a person’s religion or philosophy of life, race, political persuasion, health and sexual life, trade
union membership, criminal behaviour and personal data regarding unlawful or objectionable conduct connected with a
ban imposed as a result of such conduct.
NATIONAL DATA PROTECTION AUTHORITY
The College Bescherming Persoonsgegevens
Juliana van Stolberglaan 4-10
2595 CL DEN HAAG
Postbox 93374
2509 AJ DEN HAAG
T 00.31.70 – 8888 500
F 00.31.70 – 8888 501
www.cbpweb.nl
REGISTRATION
Unless an exemption applies, data controllers who process personal data by automatic means must notify the College
Bescherming Persoonsgegevens so that their processing of personal data may be registered and made public.
Changes to the processing of personal data will require the notification to be amended.
The notification shall, inter alia, include the following information:
· name and address of the data controller
· purpose(s) of the processing
· data subjects or categories of data subjects
· data or categories of data relating to these data subjects
· recipients or categories of recipients
· proposed transfers of personal data to countries outside the European Union, and a general description of the security measures the data controller is planning to take.
If any of the following changes occurs, the data controller must notify the College Bescherming Persoonsgegevens of
these changes within one year after the previous notification. This concerns changes in:
· the purpose or purposes of the data processing
· the data subjects and recipients or categories of data subjects and recipients
· the security measures, and/or
· the intended transfers to countries outside the European Union.
However, this is only required if the changes are not of a purely incidental nature.
Also, any change to the name or address of the data controller should be notified to the College Bescherming
Persoonsgegevens within one week.
DATA PROTECTION OFFICERS
Companies, industry associations, governments and institutions can appoint a data protection officer. There is no legal
requirement in the Netherlands to do so. The data protection officer ensures that processing of personal data will take
place in accordance with the Wbp. The statutory duties and powers of the data protection officer give this officer an
independent position within the organisation.
COLLECTION & PROCESSING
Data controllers may collect and process personal data when any of the following conditions are met:
For collecting personal data:
Pursuant to the Wbp, a data controller may only collect personal data if it has a purpose for doing so. The purpose must be:
· specified
· explicit
· legitimate.
A data controller may not collect data if it has not clearly specified the purpose.
For processing personal data:
· the data subject has unambiguously given his prior consent thereto
· the processing is necessary for the performance of a contract to which the data subject is party
· the processing is necessary in order to comply with a legal obligation to which the data controller is subject
· the processing is necessary in order to protect the vital interests of the data subject
· the processing is necessary or legally required in order to protect an important public interest
· the processing is necessary for upholding the legitimate interests of the data controller or of a third party to whom the data is supplied, except where the interests or fundamental rights and freedoms of the data subject, in particular the right to protection of individual privacy, prevail.
In addition, personal data may not be further processed in a way incompatible with the purposes for which the data were
originally collected. Whether further processing is incompatible depends on different circumstances, such as:
· the relationship between the purpose of the intended processing and the purposes for which the data originally was obtained
· the nature of the data concerned
· the consequences of the intended processing for the data subject
· the manner in which the data have been obtained
· the extent to which appropriate guarantees have been put in place with respect to the data subject.
Also, personal data may only be processed, where, given the purposes for which they are collected or subsequently
processed, they are adequate, relevant and not excessive.
Finally, the Wbp sets out strict rules in relation to sensitive data. The main rule is that such data may not be processed,
unless the data subject has given its explicit consent to it. However, there are exemptions to this rule which may apply
in certain circumstances.
TRANSFER
Transfer of a data subject’s personal data to non-EU/European Economic Area countries is allowed if the countries
provide ‘adequate protection’. For transfer of data to the United States, companies which adhere to the US/EU Safe
Harbor principles are deemed to offer adequate protection.
Data controllers may transfer personal data out of the European Economic Area to countries which are not deemed to
offer adequate protection if any of the following exceptions apply:
· the data subject has unambiguously given its consent thereto
· the transfer is necessary for the performance of the contract between the data controller and the data subject
· the transfer is necessary in respect of an important public interest, or for the establishment, exercise or defence
in law of any right
· the transfer is necessary in order to protect the vital interests of the data subject
· the transfer occurred from a register that was set up by law and can be consulted by anyone or by any person
demonstrating a legitimate interest
· the transfer is based on unchanged Model Clauses as referred to in article 26(4) of Directive 95/46/EC on the
protection of individuals with regard to the processing of personal data and on the free movement of such data,
or a permit thereto has been granted by the Minister of Justice, after consultation of the College Bescherming
Persoonsgegevens. In order to obtain such a permit, certain conditions must be met. One of these conditions
can be implementing Binding Corporate Rules ('BCR').
BCR are internal codes of conduct regarding data privacy and security, to ensure that transfers of personal data outside
the European Union will take place in accordance with the EU rules on data protection.
The use of BCRs is not obligatory. It will however bring benefits to both processors and controllers. Once BCRs are approved they can be used by the controller and processor, thereby ensuring compliance with the EU data protection rules without having to negotiate the safeguards and conditions each and every time a contract is entered into.
SECURITY
Data controllers and processors must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.
BREACH NOTIFICATION
The Wbp does not yet provide for a data security breach notification duty.
Mandatory breach notification
There is no mandatory requirement in the Wbp. However, a legislative bill introduces the obligation to report such a data
breach as soon as possible to the College Bescherming Persoonsgegevens. If a data breach is not reported, the
College Bescherming Persoonsgegevens can impose a fine up to EUR 200,000.
ENFORCEMENT
In the case of possible violations of the Wbp, the College Bescherming Persoonsgegevens can impose the following
sanctions:
· enforce an administrative order; the data controller would be forced to change its policy with immediate effect
· administrative fines up to a maximum of EUR 4,500 may be imposed by the Authority in case of violation of the
notification duty
· penal sanctions: a fine of the second category may be imposed in the case of contravention of:
· the duty to designate a person or body in the Netherlands to act on behalf of parties that are not established in the European Union but make use of means situated in the Netherlands
· the notification duties mentioned before, or
· transfer of personal data to a country outside the European Union that is not considered to guarantee an adequate level of protection, or transfer without a permit to those countries.
It is very likely that in 2015, the power of the College Bescherming Persoonsgegevens to impose fines will be extended
to violations of general obligations under the Wbp with respect to the use and processing of personal data, like
violations of retention periods or security measures that have to be taken.
ELECTRONIC MARKETING
Electronic marketing is partially regulated in Article 11.7 of the Dutch Telecommunications Act ('Tw'). In the context of
this Article, electronic marketing can be defined as the use of SMS, e-mail, fax and similar media for unsolicited
communication for commercial, charitable or idealistic purposes without the individual’s prior express consent.
Electronic marketing directed to corporations does not require prior consent if:
· the advertiser/electronic marketer uses electronic address data which are meant to be for this particular purpose, and
· if the individual is located outside the EU, the advertiser/electronic marketer complies with the relevant rules of that particular country in this respect.
On the basis of Article 11.7 of the Tw electronic marketing to individuals is in principle prohibited. If certain conditions
are being met, such as prior express consent, electronic marketing directly to individuals can be allowed. Furthermore,
electronic marketing to individuals is also allowed if it is restricted to the marketing of existing customers and restricted
to similar products/services of the advertiser/electronic marketer. In the last case, the advertiser/electronic marketer is
obliged to provide opt-out possibilities to his customers when obtaining the data from the customers and in every
marketing message sent.
ONLINE PRIVACY
Traffic Data
Traffic Data is regulated in Article 11.5 of the Tw. Traffic Data held by a public electronic communications services
provider ('CSP') must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a
communication. However, Traffic Data can be retained if:
· it is being used to provide a value added service, and
· consent has been given for the retention of the Traffic Data.
Traffic Data can only be processed by a CSP for:
· the management of billing or traffic
· dealing with customer enquiries
· the prevention of fraud
· the provision of a value added service (subject to consent)
· market research (subject to consent)
Location Data
Location Data (Traffic Data not included) is regulated in Article 11.5a of the Tw. Location Data may only be processed:
· if these data are being processed in anonymous form with informed consent of the individual
Cookie Compliance
The amended E-Privacy Directive requires the user to consent to the use of cookies. On 5 June 2012, the Netherlands
implemented the E-Privacy Directive through the Dutch Telecommunications Act in Article 11.7a. (hereinafter: Article
11.7a). The Authority for Consumers and Markets ('ACM') is entrusted with the enforcement of Article 11.7a.
The main rule is that the website operator needs to obtain prior consent from a user before using cookies (opt in) and
needs to clearly and unambiguously inform the user about these cookies (purpose, type of cookie, etc). It is necessary to obtain the informed consent of users to the use of cookies by way of a 'yes/confirmed' as well as a 'no/change cookie
settings' button or a similar arrangement. Implicit consent is not sufficient under Dutch law. Please note that the website
operator is entitled to refuse users access to its website(s) if no consent is given.
The requirement to obtain prior consent from a user does not apply where such storage or access is strictly necessary
for the provision of an information society service requested by the subscriber or user. An example is that of where a
user of a website has chosen the goods they wish to buy and the user clicks the ‘add to basket’ or ‘proceed to checkout’
button, the website remembers what they have chosen from the previous page. This cookie is deemed ‘strictly
necessary’ to provide the service requested by the user, therefore no consent to the storage of such a cookie is
required.
Following upcoming legislation, the use of cookies that have little or no impact on the user's privacy (eg first party
analytic cookies, affiliate or performance cookies used for the purpose of paying affiliates or cookies used for testing the
effectiveness of certain banners) will be allowed without consent, on the condition that:
· the data collected by such cookies are not used for, among other things, creating profiles by the website owner and/or the third party with whom the data are shared
· website owners sharing the data with a third party take additional measures in order to limit any possible privacy impact.
Furthermore, new regulations are being considered that would make it possible to obtain users' 'implied consent'. The duty to
inform users about the use of cookies still applies. The effective date of such new legislation is unknown. The information collected through cookies is to be considered ‘personal data’, unless the party which places the cookies can prove otherwise. This applies only to tracking cookies, whereby the surfing behaviour of customers on several different websites is being observed (and the information obtained is being used for commercial purposes).
In case of violation of electronic marketing or online privacy legislation, the ACM can impose fines up to EUR 450,000 per violation.