The Netherlands implemented the EU Data Protection Directive 95/46/EC on 1 September 2001 with the Dutch Personal Data Protection Act ("Wbp"). Enforcement is through the Dutch Data Protection Authority ("College Bescherming Persoonsgegevens").
DEFINITION OF PERSONAL DATA
Any data relating to an identified or identifiable natural person.
DEFINITION OF SENSITIVE PERSONAL DATA
Personal data regarding a person's religion or philosophy of life, race, political persuasion, health and sexual life, trade union membership, criminal behaviour and personal data regarding unlawful or objectionable conduct connected with a ban imposed as a result of such conduct.
NATIONAL DATA PROTECTION AUTHORITY
The College Bescherming Persoonsgegevens
Unless an exemption applies, data controllers who process personal data by automatic means must notify the College Bescherming Persoonsgegevens so that their processing of personal data may be registered and made public. Changes to the processing of personal data will require the notification to be amended.
The notification shall, inter alia, include the following information:
- name and address of the data controller;
- purpose(s) of the processing;
- data subjects or categories of data subjects;
- data or categories of data relating to these data subjects;
- recipients or categories of recipients;
- proposed transfers of personal data to countries outside the European Union; and
- a general description of the security measures the data controllers is planning to take.
If any of the following changes occurs, the data controller must notify the College Bescherming Persoonsgegevens of these changes within one year after the previous notification. This concerns changes in:
- the purpose or purposes of the data processing;
- the data subjects and recipients or categories of data subjects and recipients;
- the security measures; and/or
- the intended transfers to countries outside the European Union.
However, this is only required if the changes are not of a purely incidental nature.
Also, any change to the name or address of the data controller should be notified to the College Bescherming Persoonsgegevens within one week.
DATA PROTECTION OFFICERS
Companies, industry associations, governments and institutions can appoint a data protection officer. There is no legal requirement in the Netherlands to do so. The data protection officer ensures that processing of personal data will take place in accordance with the Wbp. The statutory duties and powers of the data protection officer gives this officer an independent position within the organization.
COLLECTION AND PROCESSING
Data controllers may collect and process personal data when any of the following conditions are met:
For collecting personal data:
Pursuant to the Wbp, a data controller may only collect personal data if he has a purpose for this.
The purpose must be
- explicit; and
A data controller may not collect data if he has not clearly specified the purpose.
For processing personal data:
- the data subject has unambiguously given his prior consent thereto;
- the processing is necessary for the performance of a contract to which the data subject is party;
- the processing is necessary in order to comply with a legal obligation to which the data controller is subject;
- the transfer is necessary in order to protect the vital interests of the data subject;
- the transfer is necessary or legally required in order to protect an important public interest; or
- the processing is necessary for upholding the legitimate interests of the data controller or of a third party to whom the data is supplied, except where the interests or fundamental rights and freedoms of the data subject, in particular the right to protection of individual privacy, prevail.
In addition, personal data may not be further processed in a way incompatible with the purposes the data was collected. Whether further processing is incompatible depends on different circumstances, such as:
- the relationship between the purpose of the intended processing and the purposes for which the data originally was obtained;
- the nature of the data concerned;
- the consequences of the intended processing for the data subject;
- the manner in which the data have been obtained; and
- the extent to which appropriate guarantees have been put in place with respect to the data subject.
Also, personal data may only be processed, where, given the purposes for which they are collected or subsequently processed, they are adequate, relevant and not excessive.
Finally, the Wbp sets out strict rules in relation to sensitive data. The main rule is that such data may not be processed, unless the data subject has given its explicit consent to it.
Transfer of a data subject's personal data to non EU/European Economic Area countries is allowed if the countries provide "adequate protection". For transfer of data to the United States, companies which adhere to the US/EU Safe Harbor principles are deemed to offer adequate protection.
Data controllers may transfer personal data out of the European Economic Area to countries which are not deemed to offer adequate protection if any of the following exceptions apply:
- the data subject has unambiguously given its consent thereto;
- the transfer is necessary for the performance of the contract between the data controller and the data subject;
- the transfer is necessary in respect of an important public interest, or for the establishment, exercise or defence in law of any right;
- the transfer is necessary in order to protect the vital interests of the data subject;
- the transfer occurred from a register that was set by law and can be consulted by anyone or by any person demonstrating a legitimate interest;
- the transfer is based on unchanged Model Clauses as referred to in article 26(4) of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data; or
- a permit thereto has been granted by Minster of Justice, after consultation of the College Bescherming Persoonsgegevens. In order to obtain such permit, certain conditions should be met. One of these conditions can be implementing Binding Corporate Rules (BCR).
BCR are internal codes of conduct regarding data privacy and security, to ensure that transfers of personal data outside the European Union will take place in accordance with the EU rules on data protection.
The use of BCRs is not obligatory. It will however bring benefits to both processors and controllers.
Once BCRs are approved they can be used by the controller and processor, thereby ensuring compliance with the EU data protection rules without having to negotiate the safeguards and conditions each and every time a contract is entered into.
Data controllers and processors must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.
The Wbp does not yet provide for a data security breach notification duty.
MANDATORY BREACH NOTIFICATION
There is no mandatory requirement in the Wbp. However, a legislative bill introduces the obligation to report such a data breach as soon as possible to the College Bescherming Persoonsgegevens. If a data breach is not reported, the College Bescherming Persoonsgegevens can impose a fine up to EUR 200,000.
In case of possible violations of the Wbp, the College Bescherming Persoonsgegevens can impose the following sanctions:
- Enforce an administrative order. The data controller would be forced to change its policy with immediate effect;
- Administrative fines up to a maximum of EUR 19,500 may be imposed by the Authority in case of violation of the notification duty; or
- Penal sanctions could be punished with a fine of the second category in case of contravention of:
- the duty to designate a person or body in the Netherlands to act on party who are not established in the European Union, but make use of means situated in the Netherlands;
- the notification duties mentioned before;
- transfer of personal data to a country outside the European Union that is not considered to guarantee an adequate level of protection, or transfer without permit to those countries.
Electronic marketing is partially regulated in Article 11.7 of the Dutch Telecommunications Act. In the context of this Article electronic marketing could be defined as SMS, e-mail, fax and similar media for the purposes of unsolicited communication related to commercial, charitable or ideal purposes without the individuals' prior express consent.
Electronic marketing directed to corporations does not require prior consent if:
- the advertiser/electronic marketer uses electronic address data which are meant to be for this particular purpose;
- if the individual is located outside the EU, the advertiser/electronic marketer complies with the relevant rules of that particular country in this respect.
On the basis of Article 11.7 electronic marketing to individuals is in principle prohibited. If certain conditions are being met, such as prior express consent, electronic marketing directly to individuals can be allowed. Furthermore, electronic marketing to individuals is also allowed if it is restricted to the marketing of existing customers and restricted to similar products/services of the advertiser/electronic marketer. In the last case, the advertiser/electronic marketer is obliged to provide opt-out possibilities to his customers when obtaining the data from the customers and in every marketing message sent.
ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)
Traffic Data – Traffic Data is regulated in Article 11.5 of the Dutch Telecommunications Act. Traffic Data held by a public electronic communications services provider ("CSP") must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a communication. However, Traffic Data can be retained if:
- It is being used to provide a value added service; and
- Consent has been given for the retention of the Traffic Data.
Traffic Data can only be processed by a CSP for:
- The management of billing or traffic;
- Dealing with customer enquiries;
- The prevention of fraud;
- The provision of a value added service (subject to consent); or
- Market research (subject to consent).
Location Data (Traffic Data not included) – Location Data is regulated in Article 11.5a of the Dutch Telecommunications Act.
Location Data may only be processed:
- If these data are being processed in anonymous form; or
- With informed consent of the individual.
The requirement to obtain prior consent from a user does not apply where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user. An example is that of where a user of a site has chosen the goods they wish to buy and the user clicks the "add to basket" or "proceed to checkout" button, the site remembers what they have chosen from the previous page. This cookie is deemed "strictly necessary" to provide the service requested by the user, therefore no consent to the storage of such a cookie is required.
As per 1 January 2013, the information collected through cookies are to be considered 'personal data', unless the party which places the cookies can prove otherwise. This goes only for tracking cookies, whereby the surfing behaviour of customers on several different websites is being observed (and the information obtained is being used for commercial purposes).
In case of violation of electronic marketing or online privacy legislation, the OPTA can impose fines up to EUR 450,000 per violation.
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com