Support Centre

Netherlands

Summary

Law: Act Implementing the GDPR (in Dutch here) (an unofficial English version of the Act is available here) (the Act) and the General Data Protection Regulation (Regulation (EU) 2016/679)

Regulator: Dutch data protection authority (AP)

Summary: The Netherlands implemented the GDPR in 2018 through the Act Implementing the GDPR (available in Dutch here) (an unofficial English version of the Act is available here) (the Act). The Netherlands had utilised its legislative freedom to derogate from the GDPR in certain areas. In particular, under the Act, Chapter 3 of the GDPR (regarding data subjects' rights) does not apply where personal data is processed for either journalistic purposes or for the purposes of academic, artistic, or literary expression.

The Dutch data protection authority (AP) has released several guidelines and explanations on topics such as data security, financial data, and direct marketing. In its guidance on the use of cookies, the AP stated that the use of cookie walls violates the GDPR. Regarding its enforcement of the Act, the AP has investigated and issued decisions on several topics including, for example, violations of the right of access and right to erasure. Sanctions are outlined in its policy rules and are categorised into specific categories with corresponding bandwidths.

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview of the rules and guidelines for DPO contact registration across Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.

The bill on the Data Processing by Partnerships Act ('WSG') aims to provide a legal basis for the processing of personal data by designated partnerships and further constitutes a framework with a number of general rules with regard to the tasks, structure and functioning of these partnerships. Anouschka Van de Graaf, Senior Associate at Dentons, discusses the purposes of the bill, alongside concerns regarding its contents.

In July 2021, the Dutch Data Protection Authority, Autoriteit Persoonsgegevens ("AP"), published their guidance for smart cities and the development of smart city applications. This guidance is intended for municipalities in the Netherlands that plan to, or currently, collect and process personal data in a public space with the use of smart sensors and measuring equipment. The AP has deemed this guidance necessary as municipalities in the past have not always paid sufficient attention to the applicable privacy legislation, such as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Chantal van Dam and Femke van der Eijk, of Hogan Lovells, discuss the guidance in this article.

With restrictions being lifted across Europe and businesses planning their return to the office, many employers, in an endeavour to prevent the spread of COVID-19, are faced with the dilemma of whether they can require their employees to be vaccinated or to show proof of their vaccination status. Besides the health and safety concerns associated with the introduction of such measures, there are also some key privacy-related considerations. In particular, an individual's vaccination status falls within the scope of health data under Article 4(15) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and is therefore a special category of personal data under Article 9 of the GDPR, meaning processing is generally prohibited, unless an exception applies.

This article outlines the local requirements in the UK, Germany, the Netherlands, France, and Italy.

On 1 July 2021, an amendment1 to the Telecommunications Act 1998 (as amended) ('the Telecommunications Act') came into force, requiring opt-in consent to telemarketing. Chantal Van Dam and Femke van der Eijk, from Hogan Lovells, provide a brief overview of what impact the amendment has had on the Telecommunications Act.

This article addresses the data protection rules for children that apply in the Netherlands. It elaborates on specific requirements enshrined in EU and local data protection law and guidance and considers enforcement actions of the Dutch data protection authority ('AP'). Furthermore, it introduces the Dutch Code for Children's Rights ('the Code') and explains the principles of the Code and how companies may benefit from it. Chantal van Dam, Senior Associate at Hogan Lovells LLP, discusses this topic and its nuances.