Netherlands

Privacy Culture

Very advantageous tax conditions have led many multinational companies to open their offices in the Netherlands. On 1 January 2008 a record number of nearly 800,000 companies were registered in the Netherlands. Most of these entities need to comply with Dutch data protection and privacy laws that are strictly enforced by the local regulator. 

According to the 2015 EuroBarometer Survey on Data Protection issued by the European Commission, a third of Dutch citizens feel they have no control at all over the information they provide online. Dutch citizens seem to be less concerned (64% claim to be concerned) about their personal data being used for a different purpose than the one it was collected for than other Europeans (69% are concerned).

Legal History

The basic act laying down rules for data protection and privacy in the Netherlands is the Personal Data Protection Act (Wet bescherming persoonsgegevens or 'WBP'), which was enacted on 1 September 2001. In addition to the WBP, there are other regulations that partially govern the processing of personal data.

Sectorial laws regulating data protection & privacy in the Netherlands:

The Dutch Telecommunication Act (Telecommunicatiewet) - this act implements Directive 2002/58/EC on the protection of privacy in the electronic communications sector;
The Dutch Civil Code (Burgerlijk wetboek) - certain provisions relating to medical data;
Police Data Act (Wet politiegegevens);
The Basic Registration of Persons Act (Wet basisregistratie personen).

Enforcement and Court Action

The main body responsible for enforcement of the WBP is as of 1 January 2016 “Autoriteit Persoonsgegevens” or the Dutch DPA, formerly known as the “College Bescherming Persoonsgegevens” or “CBP”. The tasks and powers of the Dutch DPA can be roughly divided into four sections:

Supervision: the DPA undertakes investigations assessing compliance with the law, conducts preliminary examinations to assess the legitimacy of certain processing operations that involve specific risks, assesses codes of conduct for specific sectors relating to the processing of personal data, mediates in disputes, keeps a public register of notifications of processing operations, and assesses requests for granting exemptions from the prohibition to process sensitive data;
Providing advice: the DPA provides advice on legislative proposals and advises the Minister of Security and Justice on permits for the transfer of personal data to a third country that does not offer an adequate level of protection;
Providing information, education and accountability;
International assignments.

The CBP has the power to impose the following sanctions:

Enforcement of an administrative order - the CBP may force the data controller to amend its policy with immediate effect and in a manner compliant with the law;
Administrative fines - In case of violation of the notification duty e.g. non-notification, commencing of data processing prior to notification, incomplete notification, failure to inform the DPA of amendments, and failure to report data security breaches, the DPA may impose an administrative fine of up to 820.000,00 EUR or even 10% of the annual net turnover of a company;
Penalty fines - In case of certain breaches e.g. transferring personal data to a third country that does not provide an adequate level of protection, or infringement of the notification duty that qualifies as a criminal violation, the data controller may be punished with a penalty fine. 

The DPA has the power to impose administrative fines and measures. Nevertheless, contraventions that constitute a crime can only be prosecuted by the Office of the Public Prosecutor (Openbaar Ministerie), and sanctions can only be imposed by the Dutch criminal court. Infringements of the WBP that qualify as criminal violations are subject to a penalty fine of up to 8.100,00 EUR for individuals or up to 20.250,00 EUR for companies. Deliberate offences are punished with a penalty of 20.250,00 EUR or imprisonment of six months at most for individuals and a fine of 81.000,00 EUR for companies.

Corporate Risk

In May 2015, the Dutch Senate passed the Bill on Notification of data leaks (Wetsvoorstel Meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp, or 'the Bill'), which imposes an obligation on data controllers to notify the DPA and affected individuals about a breach of security measures protecting personal data. The rationale behind introducing such a measure is the necessity to address and mitigate the increasing number of security incidents involving personal data and the lack of such formal regulation at EU level. While the EU General Data Protection Regulation contains similar provisions on the data breach notification duty, the Dutch government decided to regulate this matter proactively by means of national law.

In 2014 the former CBP conducted 85 investigations and issued 13 enforcement orders. Most of the investigations concentrated on online profiling and consent. However, between 2012 and 2014 no administrative fines were imposed. In December 2014 the CBP lodged administrative proceedings against Google. The CBP threatened to issue an administrative order and to impose a hefty fine up to in case its order is not complied with. The CBP sought to compel Google to require unambiguous consent from data subjects for using their data in return for Google’s services. As a result, the company undertook certain measures that would help it to comply with the CBP's demand. Nevertheless, the CBP announced that Google's operations would remain under scrutiny with regard to compliance with the WBP. The CBP, now renamed the DPA, remains very active in investigating foreign companies by cooperating closely with other data protection authorities, for example in the recent WhatsApp and Facebook investigations.

Future Outlook

On 4 May 2016, the official texts of the General Data Protection Regulation were published in the EU Official Journal, and the Regulation will be applicable from 25 May 2018 onwards. The Netherlands, as a member of the EU, will be bound by it and has already begun preparations for it. One of the most notable changes will be the power of the DPA to impose significant monetary penalties up to a maximum fine of 4% of annual global turnover or 20m EUR, whichever is higher.

Sources


1. DataGuidance, Global Privacy Enforcement Report 2015 [Cecile Park Publishing Ltd.]

2. Mattias Lindberg in The International Comparative Legal Guide to Data Protection 2015, Sweden- Data Protection 2015, 13/05/2015
http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2015/sweden 

3. European Commission, EUROBAROMETER Survey on Data Protection, 28/02/2015 – 09/03/2015
http://ec.europa.eu/public_opinion/archives/ebs/ebs_431_fact_nl_en.pdf 

4. CBS Statistics Netherlands, Record number of companies in the Netherlands, 02/10/2008
http://www.cbs.nl/en-GB/menu/themas/bedrijven/publicaties/artikelen/archief/2008/2008-2574-wm.htm 

5. Quinten Kroes, Tineke van de Bunt, Netherlands Data Protection 2015 [International Comparative Legal Guides]
http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2015/netherlands

6. Autoriteit Persoonsgegevens, Tasks and powers of the Dutch DPA, https://autoriteitpersoonsgegevens.nl/en/node/1930 



Data Privacy Recruitment Ltd. 

All rights reserved. All opinions expressed to be treated strictly as guidance and not as legal advice. 

September 2016
London, the United Kingdom