Data Protection in the Netherlands
Data Protection in the Netherlands | |
---|---|
Data Protection Authority: | Autoriteit Persoonsgegevens (AP) (The Netherlands) |
National Implementation Law (Original): | Uitvoeringswet Algemene verordening gegevensbescherming |
English Translation of National Implementation Law: | n/a |
Official Language(s): | Dutch |
National Legislation Database(s): | Link |
English Legislation Database(s): | n/a |
National Decision Database(s): | Link |
Legislation
History
Before a unified law on data protection was introduced, several sector specific regulations, such the Electronic Communications Act and the Telecommunications Act, included data protection rules.
Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data was transposed in Dutch law in 1988 in the form of the Wet persoonsregistraties. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data was transposed in the form of the Wet bescherming persoonsgegevens.
Wet bescherming persoonsgegevens established a stronger data protection by emphasizing individuals' rights over their personal data and giving the Dutch Data Protection Authority (DPA) a broader power.
As the GDPR took effect in the European Union (EU) on May 25, 2018, it replaced both the Data Protection Directive (95/46/EC) and the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens).
National constitutional protections
The right to privacy is protected by articles 10 (general right to privacy), 11 (inviolability of one's body), and 13 (secrecy of correspondence) of the constitution.
Provisions of treaties which "by nature and content" may bound, will do so automatically once published (article 93 of the constitution). Because of this, treaties such as the ECHR and ratified protocols have the status of law.
National GDPR implementation law
In Netherlands the GDPR is implemented by the Uitvoeringswet Algemene verordening gegevensbescherming[1] (“Dutch GDPR Implementation Act”).
Age of consent
In relation to information society services the age of consent is 16 years following Article 8(1) GDPR. There is no specific age of consent for other support and advisory services offered directly and for free to a minor, following Article 5(5) UAVG. In all other situations, the age of consent is 16 years, following Article 5(1) UAVG.
Freedom of Speech
Pursuant to Article 43 of the Dutch GDPR Implementation Act, if personal data is processed exclusively for journalistic purposes or academic, artistic, or literary forms of expression, then the regulations pertaining to data subject rights do not apply.
Employment context
The details on processing of personal data in an employment context are regulated in the privacy booklet published by the Dutch Data Protection Authority. The booklet contains matters such as how to exercise the right of consent with regard to processing and protection of employee personal data and digital employee tracking systems. The Dutch Data Protection Authority also published further explanations on its website.
Research
As per the Article 44 of the Dutch GDPR Implementation Act, and Articles 15, 16, and 18 of the GDPR do not apply in case personal data is processed by institutions or services for scientific research or statistics, and the required safeguards are implemented to ensure that the personal data can only be used for such purposes.
Other relevant national provisions and laws
- Wet politiegegevens (the Police Data Act), regulates the protection of personal data at the police.
- Wet justitiele en strafvorderlijke gegevens (the Judicial and Criminal Data Act) regulates the processing of judicial data.
- Kieswet (Elections Act)
- Wet raadgevend referendum (Advisory Referendum Act)
- Wet Basisregistratie Personen (Personal Records Database) regulates the correct use of personal data of the residents of the Netherlands.
National ePrivacy Law
The Telecommunications Act is the primary legislation governing the telecommunications sector in the Netherlands, including a chapter on privacy and telecommunications transposing the Directive on Privacy and Electronic Communications (2002/58/EC).
Data Protection Authority
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is the national data protection authority for the Netherlands.
→ Details see AP (The Netherlands)
Judicial protection
Civil Courts
Under Art. 79 GDPR, civil (and other) proceedings can be brought directly against a data controller. The rules of civil procedure are laid down in the Dutch Code of Civil Procedure.
Administrative Courts
Appeals from the Dutch DPA can be brought before one of the District Courts of First Instance (Rechtbank - Rb.) and further to the Administrative Jurisdiction Division of the Council of State (Afdeling Bestuursrechtspraak van de Raad van State - ABRvS).
Constitutional Court
There is no constitutional court in the Netherlands. Courts are explicitly prohibited by article 120 of the constitution to judge the constitutionality of national laws or treaties.
Supreme Court
Hoge Raad
As the highest court in the fields of civil, criminal and tax law in the Netherlands, the Supreme Court ('Hoge Raad') is responsible for hearing appeals in cassation and for a number of specific tasks with which it is charged by law.
Het Parket bij de Hoge Raad
The main task of the Procurator General of the Supreme Court is to provide the members of the Supreme Court with independent advice – known as an ‘advisory opinion’ (conclusion)- on how to rule in the cassation proceedings before them.