Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Netherlands - Data Protection Overview
May 2024
1. Governing Texts
In the Netherlands, the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and the Dutch GDPR Implementation Act (available in Dutch here) (an unofficial English version of the Act as of 2019 is available here) (the Act) mainly govern the processing of personal data in the Netherlands. The relevant supervisory authority is the Dutch data protection authority (AP), which is becoming more and more active from both a guidance and enforcement perspective.
1.1. Key acts, regulations, directives, bills
The GDPR took effect on May 25, 2018 in the EU, replacing the EU Data Protection Directive (Directive 95/46/EC) and the former Dutch Personal Data Protection Act (only available in Dutch here).
Although the GDPR introduced a single legal framework in the EU, it includes several provisions allowing EU Member States to enact national legislation regarding certain elements of the GDPR in the Netherlands. These elements are set out in the Act.
1.2. Guidelines
The supervisory authority for data protection in the Netherlands is AP. The AP often refers to the guidelines released by the European Data Protection Board (EDPB) but also publishes guidelines, Q&A's, and explanations on different topics under the GDPR and the Act, including, but not limited to:
general information regarding the GDPR, such as legal bases for processing, data subject rights, the role of processors and controllers, the data protection officer (DPO), and accountability (only available in Dutch here);
Guidance on AI and algorithms (only available in Dutch here);
GDPR guidance for small and medium-sized enterprises (SMEs) (only available in Dutch here);
the security of personal data, personal data breaches, and notification requirements in case of a personal data breach (only available in Dutch here);
financial data, the processing of personal data by financial service providers and payment service providers, the Payment Services Directive (EU) 2015/2366 (only available in Dutch here);
the use of pictures, video, and CCTV (only available in Dutch here);
the processing of health data and medical data, the use of medical records, and the processing of personal data by healthcare providers (only available in Dutch here);
the processing of identity documentation, citizen service numbers, and biometric personal data (only available in Dutch here);
international data transfers, the one-stop-shop mechanism, Binding Corporate Rules (BCRs), and passenger data (only available in Dutch here);
publishing personal data on the internet, direct marketing, Internet of Things (IoT), cookies, apps, and television (only available in Dutch here). The AP has announced it is going to monitor more frequently whether websites are properly asking consent for (tracking) cookies in 2024;
the processing of personal data by schools (only available in Dutch here);
the processing of personal data by the Government of the Netherlands, municipalities, associations, and churches (only available in Dutch here);
the processing of personal data by the police, in the judicial system, and during private investigations (only available in Dutch here);
the processing of personal data in an employment context, benefits, and the Works Council (only available in Dutch here);
Guidelines on DPOs (only available in Dutch here) (Guidelines on DPOs);
Recommendations for DPOs in hospitals (only available in Dutch here);
Guidance on the positioning of the DPO - Principles: roles, processes, and responsibilities (only available in Dutch here) (the Guidance on positioning);
Guidance on DPIAs (only available in Dutch here) (Guidance on DPIAs); and
Guidance on prior consultation (only available in Dutch here) (the Prior Consultation Guidelines).
1.3. Case law
Examples of Dutch case law concerning the GDPR, and the Act include the following (please note that a considerable amount of case law concerning the GDPR is published in the Netherlands on a regular basis, the list below only contains a very brief overview of such case law);
privacy aspects relating to removal requests of, and the legal basis for, registrations with the Dutch Credit Registration Office (BKR). Multiple judgments available, such as Court of Appeal Arnhem-Leeuwarden (Court of Appeal Arnhem-Leeuwarden) ECLI:NL:GHARL:2019:103453 of December 3, 2019 (only available in Dutch here) and Court of Appeal Arnhem-Leeuwarden ECLI:NL:GHARL:2020:4769 of June 23, 2020 (only available in Dutch here), District Court of Oost-Brabant ECLI:NL:RBOBR:2020:2534 of May 7, 2020 (only available in Dutch here), Dutch Supreme Court ECLI:NL:HR:2021:1814 of December 3, 2021 (only available in Dutch here) and Court of Appeal Amsterdam ECLI:NL:GHAMS:2023:3102 of December 12, 2023 (only available in Dutch here);
balancing interests relating to a removal request of an incident registration after filing a falsified tax overview. Court of Appeal Arnhem-Leeuwarden ECLI:NL:GHARL:2020:3464 of April 28, 2020 (only available in Dutch here);
scope of right of access, for instance in relation to internal notes relating to certain actions within an enterprise, telephone conversations and e-mails, and information on employees of Dutch bank and their actions. Court of Appeal Amsterdam ECLI:NL:GHAMS:2020:648 of March 3, 2020 (only available in Dutch here);
privacy aspects of camera surveillance by a private company. Council of State ECLI:NL:RVS:2020:594 of February 26, 2020 (only available in Dutch here);
the legitimacy of requiring employees to use biometric data to log onto a cash register system. District Court of Amsterdam ECLI:NL:RBAMS:2019:6005 of August 12, 2019 (only available in Dutch here);
the right of access to (the copies of) exams taken by a data subject, including to the written notes of the examiner with regard to the exam answers provided by the data subject. District Court of The Hague ECLI:NL:RBDHA:2019:5110 of May 2, 2019 (only available in Dutch here);
the right to erasure with respect to information available on Google, such as District Court of Gelderland ECLI:NL:RBGEL:2018:5600 of October 22, 2019 (only available in Dutch here) and the appeal with the Dutch Supreme Court ECLI:NL:HR:2022:329 of February 25, 2022 (only available in Dutch here);
balancing of interests relating to commercial interest and journalistic purpose. An appeal to an administrative fine from the AP. District Court of Midden-Nederland ECLI:NL:RBMNE:2020:5111 of November 23, 2020 (only available in Dutch here). Further preliminary questions on the definition of 'legitimate interests' were referred to the European Court of Justice by the District Court of Amsterdam (preliminary ruling currently pending, Case C-621/22). District Court of Amsterdam ECLI:NL:RBAMS:2022:5565 of September 22, 2022 (only available in Dutch here);
scope of the right to rectification, for instance, the right to rectification is not intended to correct or delete impressions, opinions, research results, and/or conclusions with which the data subject does not agree. Court of Appeal of 's-Hertogenbosch ECLI:NL:GHSHE:2022:80 of January 13, 2022 (only available in Dutch here);
right to access, for instance, whether there is a right to inspect (by means of full copies) the integral documentation in which personal data is (possibly) included, such as underlying documents and personal notes of others. Court of Appeal of Hertogenbosch ECLI:NL:GHSHE:2021:2252 of July 15, 2021 (only available in Dutch here);
scope of the definition of data relating to criminal law matters, the Court of Appeal Arnhem-Leeuwarden held that the combination of IP addresses and contact details of Internet service provider (ISP) users suspected of downloading copyright infringing material is considered the processing of criminal data. Court of Appeal Arnhem-Leeuwarden ECLI:NL:GHARL:2022:8676 of October 11, 2022 (only available in Dutch here);
on automated individual decision-making, for instance, the Court of Appeal Amsterdam held that, amongst others, useful information on the underlying logic of automated decision-making must be provided to data subjects subject to automated decisions which significantly affect them. Court of Appeal Amsterdam ECLI:NL:GHAMS:2023:793, ECLI:NL:GHAMS:2023:796, and ECLI:NL:GHAMS:2023:804 of April 4, 2023 (only available in Dutch here, here, and here); and
on tracking cookies, for instance the District Court Amsterdam held that any joint controller remains individually responsible for ensuring that valid and lawful consent is obtained for the placement of tracking cookies In that same judgment, the District Court also held that controllers are obliged to disclose the identity of recipients when data subjects submit an Article 15 GDPR access request. District Court Amsterdam ECLI:NL:RBAMS:2023:6530 of October 18, 2023 (only available in Dutch here).
Mass damage compensation claims for GDPR breaches
In the Netherlands, there is an uptick in class action procedures due to the entry into force of the Dutch Act on Redress of Mass Damages in Collective Action (WAMCA) in 2020 (available in Dutch here). Multiple class actions have been initiated that are based on claims of GDPR non-compliance, such as:
TikTok – Foundation Mass Damage & Consumer (SMC) (only available in Dutch here). This €6 billion claim alleges that TikTok exploits the personal data of its users, in violation of the GDPR, and various Dutch laws, including the Dutch Telecommunications Act (only available in Dutch here), consumer and advertising laws and media law;.
TikTok – Foundation Take Back Your Privacy (STBYP) and the Dutch Consumer Association (Consumentenbond) (only available in Dutch here and here). This €1.5 billion claim alleges that TikTok exploits the personal data of child users, in violation of the GDPR and Dutch and European consumer law. Amongst others, the claim argues that TikTok:
does not comply with the principles of data minimization and transparency;
processes personal data without a lawful basis; and
does not obtain valid consent from children and, where necessary, their parents or guardians;
TikTok - Foundation for Market Information Research (SOMI) (more information available here). This €1.4 billion claim alleges that TikTok violates Dutch and EU privacy and consumer laws and unlawfully exposes minors to harmful content. Amongst others, the claims argues that TikTok is violating the GDPR by:
profiling children for marketing purposes;
failing to obtain valid consent for the use of personal data;
not specifying which personal data are collected for which purposes;
failing to provide children with special protection;
collecting and storing more personal data than necessary; and
failing to meet the requirements for storing and securing personal data.
Regarding the three claims against TikTok: the District Court Amsterdam declared SOMI to be admissible in the proceedings against TikTok on October 25, 2023, ECLI:NL:RBAMS:2023:6694 (only available in Dutch here). On January 10, 2024, the District Court Amsterdam declared STBYP and SMC to be admissible in the proceedings against TikTok as well. STBYP has been appointed as the exclusive representative for minors and SMC has been appointed as the exclusive representative for adults (ECLI:NL:RBAMS:2024:83, only available in Dutch here);
Salesforce and Oracle – the Privacy Collective.This €10 billion claim alleges that Salesforce and Oracle unlawfully processed the personal data of website visitors, among other things, because of their crucial role in the Real Time Bidding (RTB) process. The Privacy Collective was declared inadmissible by the District Court of Amsterdam (ECLI:NL:RBAMS:2021:7647 of 29 December 29, 2021, only available in Dutch here). The Privacy Collective has filed an appeal to this decision. The judgment of the Court of Appeal of Amsterdam is expected on June 18, 2024;
Amazon – Foundation Data Protection The Netherlands (SDBN) (only available in Dutch here). This claim alleges that Amazon violated the GDPR, the Dutch Telecommunications Act, and the Dutch Unfair Commercial Practices Act (only available in Dutch here), with its personalized advertising practices, its use of tracking cookies without data subjects’ consent and its insufficient level of data security. The subpoena was issued on October 18, 2023;
Adobe – SDBN also filed a claim against Adobe (only available in Dutch here). This claim alleges that Adobe violated the GDPR, Dutch laws, including the Dutch Telecommunications Act, and various fundamental rights by creating consumer profiles to show personalized advertising and by placing tracking cookies without data subjects’ consent. The subpoena was issued on December 13, 2023; and
Twitter – SDBN also filed a claim against Twitter (only available in Dutch here). This claim alleges that Twitter violated the GDPR and Dutch law, including the Dutch Telecommunications Act, with its previous company MoPub. MoPub gathered user data through more than 30.000 apps, which it consequently shared with commercial parties. SDBN’s president, Anouk Ruhaak, implied that damages could reach several billion euros. The subpoena was issued on September 13, 2023.
2. Scope of Application
2.1. Personal scope
The personal scope of the Act is equivalent to the personal scope of the GDPR. It applies to all processing of personal data, wholly or in-part through automated means, by private and public organizations of personal data of directly or indirectly identifiable natural persons. The Act does not apply in case data is effectively anonymized in accordance with the GDPR and the guidance of the EDPB, or if the data relates to deceased individuals.
2.2. Territorial scope
The territorial and extraterritorial scope of the Act is equivalent to the territorial and extraterritorial scope of the GDPR. This means that the Act applies to the processing of personal data:
in the context of the activities of an establishment of a controller or a processor in the Netherlands, regardless of whether the processing takes place in the EU or not; and
of data subjects who are in the Netherlands by a controller or processor not established in the EU, where the processing activities are related to:
the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Netherlands; or
the monitoring of their behavior as far as their behavior takes place within the Netherlands.
2.3. Material scope
The material scope of the Act is similar to the material scope of the GDPR. The Act applies to:
the processing of personal data wholly or partly by automated means;
the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system;
the processing of personal data in the course of an activity which falls outside the scope of EU law; and
the processing of personal data by the armed forces when performing activities that fall within the scope of Chapter 2 of Title V of Treaty on the Functioning of the European Union.
However, the Act does not apply to the processing of personal data:
- in so far as such processing is subject to the Personal Records Database Act (only available in Dutch here), the Elections Act, or the Advisory Referendum Act of 2014 (only available in Dutch here);
- as set out in Article 2(2) of the GDPR;
- by the armed forces, in so far as the Minister of Defense decides on this for purposes of deploying the armed forces or making them available to carry out the tasks described in Article 97 of the Constitution of the Kingdom of the Netherlands 2008; and
- in so far as it is subject to the Intelligence and Security Services Act 2002.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The supervisory authority for data protection in the Netherlands, the AP, was appointed in accordance with Article 51 of the GDPR and Article 6 of the Act.
3.2. Main powers, duties and responsibilities
The AP has the power to exercise its authority and tasks as assigned to supervisory authorities under Articles 57 and 58 of the GDPR, and specifically to the AP under Articles 14 to 21(a) of the Act. The powers as set out in the Act refer to the powers as included in the Dutch General Administrative Law Act (only available in Dutch here) (the Administrative Act). Pursuant to the GDPR and Act, the AP can among other things:
impose administrative fines;
impose orders under penalty;
monitor compliance;
exercise advisory powers;
cooperate with other supervisory authorities; and
proceed legal action against infringements regarding transfers to third countries.
The AP is bound by the requirements as included in the Administrative Act.
4. Key Definitions
Data controller: There are no variations from the GDPR.
Data processor: There are no variations from the GDPR.
Personal data: There are no variations from the GDPR.
Sensitive data: There are no variations from the GDPR.
Health data: There are no variations from the GDPR.
Biometric data: There are no variations from the GDPR.
Pseudonymization: There are no variations from the GDPR.
5. Legal Bases
The Act does not contain additional legal bases for the processing of personal data. Therefore, only the legal bases under Article 6 GDPR apply.
5.1. Consent
Legal basis under the GDPR apply.
5.2. Contract with the data subject
Legal basis under the GDPR apply.
5.3. Legal obligations
Legal basis under the GDPR apply.
5.4. Interests of the data subject
Legal basis under the GDPR apply.
5.5. Public interest
Legal basis under the GDPR apply.
5.6. Legitimate interests of the data controller
Legal basis under the GDPR apply.
5.7. Legal bases in other instances
National implementation of Article 89 of the GDPR
According to Article 44 of the Act, and Articles 15, 16, and 18 of the GDPR do not apply in case personal data is processed by institutions or services for scientific research or statistics, and the required safeguards are put in place to ensure that the personal data can only be used for such purposes.
According to Article 45 of the Act, and Articles 15, 16, 18(1)(a), and 20 of the GDPR do not apply in cases where personal data is processed that is included in archives within the meaning of the Dutch Public Records Act 1995 (only available in Dutch here) (the Public Records Act). The data subject has the right of access to the archived records, unless the request for access cannot reasonably be granted because the request is not specified sufficiently. A data subject has the right to add its own understanding of the relevant data to the archived records in cases where incorrect personal data is processed.
Processing national identification numbers
According to Article 46 of the Act, the processing of national identification numbers is only allowed if such processing is provided for by law, and only for the purposes prescribed by that law.
6. Principles
In the Netherlands, the principles of data protection law are set out in the GDPR. This means that all personal data must be:
processed lawfully, fairly, and in a transparent manner;
collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimization);
accurate and, where necessary, kept up to date (accuracy);
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation); and
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (integrity and confidentiality).
The controller is responsible for ensuring that the principles are met and must be able to demonstrate compliance at all times.
7. Controller and Processor Obligations
7.1. Data processing notification
There are no national notification or registration requirements applicable under the Act.
However, the Prior Consultation Guidelines stipulate that prior consultation is required if the outcome of a DPIA indicates a high risk and the data controller is unable to find measures that would limit that risk. Furthermore, the Prior Consultation Guidelines contain a list of steps enabling organizations to determine if prior consultation is necessary.
If prior consultation is necessary, then the request for prior consultation can be made by a data controller or a data protection officer by sending a form available on the AP's website together with the DPIA to the AP's address. Afterwards, the AP will make an assessment of the information received within 14 weeks, which may be extended if the request is complex. After completing its assessment, the AP will send back a letter to the organization, containing the result of the prior consultation.
7.2. Data transfers
Dutch law does not provide for data localization requirements. In addition, the Act does not provide for additional restrictions on the transfer of personal data as set out in the GDPR.
7.3. Data processing records
There are no national variations or requirements with regard to the obligation for data controllers and/or data processors to maintain data processing records.
7.4. Data protection impact assessment
There is no overview of activities subject to prior consultation or authorization.
However, the AP has published an overview of types of processing activities which require a Data Protection Impact Assessment (DPIA) (only available in Dutch here). This includes processing activities relating to:
large-scale or systematic monitoring:
in covert investigations, such as for private investigative agencies, anti-fraud investigations, online research (e.g., online copyright infringement), and covert camera surveillance;
of (special categories of) personal data for fraud prevention, including blacklists);
for the purpose of assessing creditworthiness, such as by establishing credit scores;
of financial data from which the financial positions or individuals' expenditure patterns can be derived;
of genetic data, such as DNA analyses;
in public spaces by means of for example, cameras and drones;
of employees;
of location data;
of communications data;
relating to IoT applications; and
of biometric data for identification purposes; and
blacklists of personal data concerning criminal convictions and offenses, wrongful conduct, obstinate behavior, and payment performance;
large-scale processing of health data (not applicable to individual physicians or health care professionals);
partnerships between municipalities or other governmental bodies and other public or private parties in case special categories of personal data or sensitive personal data are shared;
large-scale or systematic flexible camera surveillance;
systematic and extensive assessment of personal traits by means of automated processing (profiling), such as the assessment of professional performance; or
large-scale automated processing of personal data in order to monitor or influence behavior.
National activities not subject to prior consultation/authorization
There is no overview of processing activities that are not subject to prior consultation or authorization.
In its Guidance on DPIAs, the AP has indicated that a DPIA is not required for data processing activities that:
will probably not constitute a high privacy risk;
are highly similar to other processing activities for which a DPIA has already been conducted;
are governed by another European or Dutch law, and during the drafting stage of this law a DPIA has been carried out, unless the AP finds that a DPIA is nevertheless required; or
are included on a list of processing activities for which no DPIA is required (such a list has currently not been prepared by the AP).
The AP has issued a DPIA checklist for processing under the Act (only available in Dutch here). In addition, the AP has issued a DPIA checklist for processing that commenced before the implementation of the GDPR (only available in Dutch here).
7.5. Data protection officer appointment
According to Article 39 of the Act, a DPO is bound to secrecy of information which has been made available to them by means of a data subject's complaint or request, unless the data subject provides consent to the disclosure of the information.
The AP has issued Guidelines on DPOs, which is based on the Article 29 Working Party's (WP29) Guidelines on Data Protection Officers (adopted on December 13, 2016, as revised and adopted on April 5, 2017).
A DPO is under a duty to keep information revealed to them, in relation to a complaint or request from a data subject, confidential unless the data subject concerned agrees to the disclosure of such information (Article 39 of the Act).
The Guidance on positioning provides the following eight principles of DPO's:
the DPO must be visible within the organization;
the DPO must be involved, and at an earlier stage, to help organizations identify, evaluate, and mitigate any risks associated with processing operations;
the DPO must be sufficiently well resourced to be able to perform their tasks;
the DPO must be aware of the communication from the AP with the organization;
the DPO acts as a contact point for data subjects for handling data subject requests;
the DPO is protected by the AP's during an investigation into the organization;
the AP's can request records of reports and opinions from the DPO's; and
the DPO must be independent.
Furthermore, organizations are under an obligation to notify the contact details of their DPO to the AP. Notification can be made through the notification form (only available in Dutch here) (Notification Form). In accordance with the privacy statement on the AP's website (only available in Dutch here) (the Privacy Statement), the AP maintains an internal register of DPOs notified by organizations.
In line with the Privacy Statement, DPOs' personal data are retained by the AP as long as he/she is notified as DPO with the AP. Personal data of a former DPO are deleted after two years once the information that a person is no longer a DPO is passed to the AP, which can be done through the Notification Form. The form is subsequently deleted after three months, in line with the Privacy Statement.
DPOs notified with the AP can send their administrative questions, or questions about the GDPR and the related laws to the AP, by sending an email to [email protected]
7.6. Data breach notification
The Act does not provide any variations or exemptions on the data breach notification obligation.
The AP has published guidance regarding data breach notifications on its website, which is based on the data breach guidelines of the EDPB. The AP has also published tips and tricks on notifications for professionals (only available in Dutch here).
Notification to the AP
The Act does not contain variations or exemptions to the breach notification obligations under Article 33 of the GDPR.
The AP has to be notified by electronically sending a completed notification form as available on the website of the AP (only available in Dutch here). An existing notification can also be amended or withdrawn on the website by using the reference number of the notification.
Notification to data subjects
The Act only provides an exemption to the breach notification obligations under Article 34 of the GDPR for financial enterprises. According to Article 42 of the Act, financial enterprises as defined in the Dutch Act on Financial Supervision of 28 September 2006 (only available in Dutch here) (the Financial Supervision Act) are exempt from the obligation under Article 34 of the GDPR to inform data subjects of a personal data breach.
Sectoral obligations
As set out above, certain financial enterprises are exempt from the obligation under Article 34 of the GDPR to inform data subjects of a personal data breach.
7.7. Data retention
The Act does not contain any provisions or exemptions in relation to the retention and deletion of personal data.
7.8. Children's data
The Act does not deviate from the minimum age of 16 years for providing consent as set out in Article 8 of the GDPR. In cases where a child is below the age of 16 years, its legal representative's consent is required.
Article 5 of the Act determines that the minimum age for consent also applies for services other than information society services offered to children. The Explanatory Memorandum provides the example of an agreement to deliver a product at home other than via an order on the internet.
7.9. Special categories of personal data
According to Article 9(2) of the GDPR and Article 22 of the Act, the processing of special categories of personal data is permitted in cases where:
the data subject has provided explicit consent for the processing of its personal data for one or more specified purposes;
the processing is necessary to protect the data subject's vital interests or another natural person where the data subject is physically or legally incapable of providing consent;
the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside that body without the consent of the data subjects;
the processing relates to personal data that is manifestly made public by the data subject; or
the processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity.
According to Articles 9(2)(g) of the GDPR and Article 23 of the Act, the processing of special categories of personal data is also permitted in case:
the processing is necessary to comply with an obligation under international law;
the data is processed by the AP or the National Ombudsman, provided that such processing is necessary for the performance of their statutory duties, and safeguards are implemented to ensure that the privacy of the data subject is not disproportionately adversely affected; or
the processing is necessary in addition to the processing of personal data of a criminal law nature (as set out below) for the purposes for which the latter data is processed.
According to Article 9(2)(j) of the GDPR and Article 24 of the Act, the prohibition on the processing of special categories of personal data is not applicable in case:
the processing is necessary for scientific research, historical research, or statistical purposes in accordance with Article 89(1) of the GDPR;
such research serves a public interest;
obtaining explicit consent is impossible or would require a disproportionate effort; and
safeguards are provided to ensure that the data subject's privacy is not disproportionately adversely affected.
According to Article 9(2)(g) of the GDPR and Article 25 of the Act, the prohibition on the processing of personal data revealing racial or ethnic origin is not applicable in case the purpose of processing is:
the data subject's identification, insofar as the processing for that purpose is inevitable; or
granting persons from a certain ethnic or cultural minority group a privileged position in order to remove or mitigate actual disadvantages relating to racial or ethnic origin insofar as:
the processing is necessary for this purpose;
the data involves the data subject's place of birth, their parents or grandparents, or other statutorily established criteria in order to determine objectively whether an individual belongs to a certain ethnic or cultural minority group; and
the data subject has not objected to the processing in writing.
According to Article 9(2)(g) of the GDPR and Article 26 of the Act, the prohibition on the processing of personal data revealing political opinions is not applicable in cases where the processing occurs in relation to requirements regarding such opinions which may reasonably be posed in connection with the fulfillment of functions in administrative bodies and advisory bodies.
According to Article 9(2)(g) of the GDPR and Article 27 of the Act, the prohibition on the processing of personal data revealing religious or philosophical beliefs is not applicable in cases where institutions other than foundations, associations, or any other not-for-profit bodies with a political, philosophical, religious, or trade union aim process the personal data, and the processing is necessary with regard to mental health treatment, unless the data subject has objected to the processing in writing. Such personal data may not be disclosed to third parties without the data subject's consent.
According to Article 9(2)(g) of the GDPR and Article 28 of the Act, the processing of genetic data is allowed in respect of the data subject from whom the data has been obtained. Furthermore, the prohibition on the processing of genetic personal data is not applicable in case:
a substantial medical interest prevails;
the processing is necessary for scientific research serving a public interest or for statistical purposes;
the data subject provides explicit consent (unless obtaining consent is impossible or requires a disproportionate effort); and
safeguards are implemented to ensure that the data subject's privacy is not disproportionately affected.
According to Article 9(2)(g) of the GDPR and Article 29 of the Act, the prohibition on the processing of biometric data for identification purposes is not applicable in cases where such processing is necessary for authentication or security purposes.
According to Articles 9(2)(b), 9(2)(g), and 9(2)(h) of the GDPR and Article 30 of the Act, the prohibition on the processing of health data is not applicable in cases where the health data is processed by:
administrative bodies, pension funds, or employers, and the processing is necessary for:
executing statutory obligations, pension rules, or collective employee arrangements that provide for claims depending on data subjects' health; or
reintegration purposes or support of employees or beneficiaries relating to illness or disabilities;
schools in order to provide special support or facilities to students relating to their health condition;
parole institutions, rehabilitation institutions, the Dutch Child Protection Agency, and similar institutions in order to execute their statutory duties;
the Dutch Minister for Legal Protection and the Dutch Minister of Justice and Security insofar as the processing is necessary for the execution of freedom restricting measures;
health professionals, institutions, and facilities for healthcare or social services insofar as necessary for a proper treatment of the data subject, or to manage the relevant professional practice; or
insurance companies insofar as the processing is necessary for:
assessing insurance risks, provided that the data subject has not objected; or
executing an insurance agreement or the assisting in the execution of an insurance agreement.
The controllers mentioned above have to be subject to confidentiality requirements.
Personal data of a criminal law nature
According to Article 1 of the Act, personal data of a criminal law nature means 'personal data relating to criminal convictions and criminal offenses or related security measures as referred to in Article 10 of the GDPR, as well as personal data relating to a prohibition imposed by the court in response to wrongful conduct or objectionable behavior.'
According to Article 31 of the Act, personal data of a criminal law nature can only be processed, without prejudice to Article 10 of the GDPR, in case this is allowed under Articles 32 and 33 of the Act.
According to Article 32 of the Act, processing personal data of a criminal law nature is allowed in the following cases:
the data subject has provided explicit consent for the processing of that personal data for one or more specified purposes;
the processing is necessary for the protection of the data subject's vital interests or of another natural person where the data subject is physically or legally incapable of providing consent;
the processing relates to personal data which is manifestly made public by the data subject;
the processing is necessary for the establishment, exercise, or substantiation of legal claims or in the event courts are acting in their legal capacity;
the processing is necessary for reasons of substantial public interest in order to comply with international legal obligations, or for the AP or National Ombudsman to perform their statutory tasks; or
the processing is necessary for scientific research, historical research, or statistical purposes in accordance with Article 89(1) of the GDPR, provided that the conditions set out in Article 24(b), (c), and (d) of the Act are met (as set out above).
According to Article 33 of the Act, processing personal data of a criminal law nature is allowed:
by bodies responsible for law enforcement;
by and for the benefit of (groups of) controllers cooperating under public law, insofar as necessary to perform their tasks, provided that safeguards have been implemented in order to ensure that the data subject's privacy will not be disproportionately adversely affected;
if the processing is necessary to supplement the processing of health data for the purpose of a proper treatment or care of the data subject;
by a controller that processes the personal data for its own purposes:
to assess a data subject's request to take a decision regarding them, or to provide a service to them; or
to protect the controller's interests relating to criminal offenses that have been committed or, based on facts and circumstances, are expected to be committed against the controller or its employees;
with respect to employees which are employed by the controller if such processing is carried out in accordance with the rules adopted in accordance with the procedure as set out in the Dutch Works Councils Act; or
on behalf of a third party:
by controllers acting pursuant to a license under the Private Security Organizations and Investigation Agencies Act of 1997 (only available in Dutch here);
in case the third party is a legal entity that is part of the same group of companies as referred to in Article 2:24b of the Dutch Civil Code (only available in Dutch here); or
in case the AP has granted a license for such processing, which will only be granted (and may be subject to additional conditions) if the processing is necessary for a substantial interest of the third party concerned and safeguards have been implemented to ensure that data subject's privacy will not be disproportionately adversely affected.
7.10. Controller and processor contracts
The Act does not contain additional requirements further to the GDPR.
8. Data Subject Rights
Article 41 of the Act implements the exemptions as set out in Article 23 of the GDPR, allowing controllers not to apply certain data subject rights as described in Articles 12 to 21 and 34 of the GDPR. According to Article 41 of the Act, a controller does not need to apply the aforementioned rights in case it is necessary and proportionate for safeguarding matters relating to:
national security;
national defense;
public security;
the prevention, investigation, detection, and/or prosecution of criminal offenses or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security;
other important objectives of general public interest of the EU or the Netherlands, in particular an important economic or financial interest of the EU or the Netherlands, including monetary, budgetary and taxation matters, public health and social security;
the protection of judicial independence and judicial proceedings;
the prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions;
a monitoring, inspecting, or regulating function connected, even occasionally, to the exercise of official authority in cases referred to under Sections 23(a) to (g) of the GDPR;
the protection of the data subject or the rights and freedoms of others; or
the enforcement of civil law claims.
Furthermore, according to Article 43 of the Act, the provisions relating to data subject rights (as implemented in Chapter 3 of the Act) do not apply in case personal data is solely processed for journalistic purposes or for the benefit of academic, artistic, or literary expression forms.
8.1. Right to be informed
According to Articles 44, 45, and 47 of the Act, the right of information and access in Article 15 of the GDPR is not applicable in cases of:
processing personal data by institutions or services for scientific research or statistics, where the required safeguards are put in place to ensure that the personal data can only be used for such purposes;
archiving in the public interest as regards governmental archives in the context of the Public Records Act, provided that a data subject has a right of access in archive records, unless a request is not specified sufficiently; or
statutorily established public registers, in case applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data.
8.2. Right to access
According to Articles 44, 45, and 47 of the Act, the right to access in Article 15 GDPR is not applicable in case of:
processing personal data by institutions or services for scientific research or statistics, where the required safeguards are put in place to ensure that the personal data can only be used for such purposes;
archiving in the public interest as regards governmental archives in the context of the Public Records Act, provided that a data subject has the right to add their interpretation to relevant archived files in case personal data is incorrect; and
statutorily established public registers, in case applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data.
8.3. Right to rectification
According to Articles 44, 45, and 47 of the Act, the right to rectification in Article 16 of the GDPR is not applicable in case of:
processing personal data by institutions or services for scientific research or statistics, where the required safeguards are put in place to ensure that the personal data can only be used for such purposes;
archiving in the public interest as regards governmental archives in the context of the Public Records Act, provided that a data subject has the right to add their interpretation to relevant archived files in case personal data is incorrect; and
statutorily established public registers, in case applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data.
Furthermore, according to Article 47 of the Act, the notification obligation in Article 19 of the GDPR does not apply in case of any rectification of personal data which is being processed for statutorily established public registers, in case the applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data.
8.4. Right to erasure
The Act has not implemented variations on the right to erasure in Article 17 of the GDPR. However, according to the Explanatory Memorandum to Article 47 of the Act, the right to erasure is not applicable in cases where personal data is processed for statutorily established public registers, as this processing is necessary to comply with a legal or statutory obligation.
Furthermore, according to Article 47 of the Act, the notification obligation of Article 19 of the GDPR does not apply in case of any erasure of personal data (Article 17(1) of the GDPR) which is being processed for statutorily established public registers, in case applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data.
8.5. Right to object/opt-out
According to Article 47(2) of the Act, the right to object in Article 21 of the GDPR is not applicable in case of statutorily established public registers.
8.6. Right to data portability
According to Article 45 of the Act, the right to data portability of Article 20 of the GDPR is not applicable in case of archiving in the public interest as regards governmental archives in the context of the Public Records Act.
8.7. Right not to be subject to automated decision-making
According to Article 40 of the Act, Article 22(1) of the GDPR is not applicable in the case where the automated individual decision-making, other than when made on the basis of profiling, is necessary to comply with a statutory obligation of the controller, or is necessary for the fulfillment of a task of public interest. In that case, the controller has to take adequate measures in order to protect the rights and freedoms, and interests of the data subject. In case the controller is not an administrative body, appropriate measures have been taken to ensure that the right to human intervention, the right for the data subject to express its point of view, and the right to challenge the decision, are secured.
8.8. Other rights
The Act does not contain any other rights in addition to the rights provided by the GDPR.
Variations of GDPR on the right to restriction of processing
According to Articles 44 and 47 of the Act, the right to restriction of processing in Article 18 of the GDPR is not applicable in cases of:
processing personal data by institutions or services for scientific research or statistics, where the required safeguards are put in place to ensure that the personal data can only be used for such purposes; and
statutorily established public registers, in case applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data; for example, according to the Dutch Land Registry Act of 1989 (only available in Dutch here), the registry can provide for feedback in case data appears to be incorrect, which will be reflected in the registry during the period the data is being investigated.
According to Article 45 of the Act, Article 18(1)(a) is not applicable in case of archiving in the public interest as regards governmental archives in the context of the Public Records Act.
Furthermore, according to Article 47 of the Act, the notification obligation in Article 19 of the GDPR does not apply in case of any restriction of processing of personal data which is being processed for statutorily established public registers, in case applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data.
9. Penalties
Act sanction provisions
The Act contains the following sanction provisions in addition to the fines the AP can impose based on Article 83 of the GDPR:
according to Article 16 of the Act, the AP can impose an administrative enforcement order to enforce the obligations as set out in the GDPR or the Act, and/or an order under penalty on the basis of Article 5:20 of the Administrative Law Act;
according to Article 17 of the Act, the AP can impose an administrative fine in case of a violation of Article 10 of the GDPR or Article 31 of the Act (i.e. unlawful processing of personal data of a criminal law nature) of up to €20 million, or, if it involves an undertaking, up to 4% of the total worldwide turnover in the preceding financial year, whatever is higher;
according to Article 18 of the Act, the AP can impose an administrative fine on public authorities in case of a breach of Articles 83(4), (5), or (6) of the GDPR; and
according to Article 21a of the Act, the AP can impose an administrative fine of up to €20 million, or up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher, in case of a violation of rules on access by payment service providers to the personal data of payment service users as set out in Article 3.17(7) of the Financial Supervision Act.
AP's Fining Policy Rules
The AP has published updated Fining Policy Rules on December 6, 2023 (only available in Dutch here) (the Policy), setting out how the amount of a fine is determined. The Policy categorizes breaches of various obligations under the GDPR and the Act in penalty categories (I, II, III, and IV). Each of these categories has a penalty bandwidth ranging between a certain minimum and maximum penalty amount. Within the bandwidths, the AP has established a certain penalty amount, which can be increased or decreased depending on various factors. Examples of such factors are the nature of the breach, the severity of the breach, the duration of the breach, the number of data subjects involved, the intentional or negligent nature of the breach, and the measures taken to limit damages suffered by the data subjects. To illustrate, a violation of Article 32 of the GDPR (for instance, the security of processing) is categorized in penalty category II. The penalty bandwidth of this category is between €120,000 and €500,000, and the standard penalty amount is €310,000.
9.1 Enforcement decisions
The AP has imposed several administrative fines and other corrective measures (see overview here), including, but not limited to:
Administrative fines
administrative fine for Uber Technologies Inc. & Uber B.V. for violating transparency obligations – €10,000,000 (December 11, 2023);
administrative fine for International Card Services B.V. for not performing a DPIA – €150,000 (December 18, 2023);
administrative fine for the Municipality of Voorschoten for insufficiently informing data subjects – €30,000 (November 2, 2023);
administrative fine for the Social Insurance Bank (Sociale Verzekeringsbank) for inadequate identity verification - €150,000 (April 13, 2023);
administrative fine for the Dutch police for not performing a data protection impact assessment for using camera cars in Rotterdam - €50,000 (December 21, 2022);
administrative fine for the Dutch Tax Authority for blacklist Fraud Signalling Facility - €3.7 million (April 12, 2022);
administrative fine for the Ministry of Foreign Affairs for poor security of visa applications - €565,000 (April 6, 2022);
administrative fine for DPG Media for unnecessarily requesting identity documents - €525,000 (February 24, 2022) – The District Court Amsterdam ruled that the AP should not have imposed a fine (August 10, 2023). The AP has filed an appeal against this ruling;
administrative fine for the Dutch Tax Authority for discriminatory and illegal working methods - €2.75 million (December 7, 2021);
administrative fine for Transavia for poor security of personal data - €400,000 (November 12, 2021);
administrative fine for TikTok fine for violating children's privacy - €750,000 (July 22, 2021) – objection has been issued against fine decision, the AP will assess the objection;
administrative fine for UWV for poor security when sending group messages - €450,000 (July 7, 2021);
administrative fine for orthodontic practice due to unsecured patient website - €12,000 (June 10, 2021) – objection has been issued against fine decision, the AP has declared the objection unfounded;
administrative fine for CP&A for violation of the privacy of sick employees - €15,000 (May 19, 2021);
administrative fine for LocateFamily.com fine for missing representative in EU - €525,000 (May 12, 2021);
administrative fine for political party PVV Overijssel for failing to report data breach - €7,500 (May 11, 2021);
administrative fine for the municipality of Enschede for WiFi tracking - €600,000 (April 29, 2021) - the District Court Overijssel has overturned this AP fine decision (February 2, 2024). The AP has filed an appeal against this ruling;
administrative fine for Booking.com for late reporting of data breach - €475,000 (March 31, 2021);
administrative fine for OLVG for poor security of patient files - €440,000 (February 11, 2021);
administrative fine for VoetbalTV for not having a legal basis to make and distribute video recordings of amateur football matches - €575,000 (July 16, 2020) – the Administrative Jurisdiction Division of the Council of State confirmed the earlier ruling of a Dutch District Court that the AP had wrongfully imposed a fine upon a VoetbalTV (July 27, 2022).
administrative fine for BKR for asking fee for access right - €830,000 (July 6, 2020) – the District Court of Gelderland mitigated this fine by 20%, to €668,000 (July 17, 2023).
administrative fine for unknown company fine for fingerprinting staff - €725,000 (April 30, 2020) – the company has objected to the fine decision, the AP will assess the objection;
administrative fine for KNLTB for selling member data - €525,000 (March 3, 2020) – the KNLTB argued before the District Court that it should not have received a fine. The District Court of Amsterdam referred questions for preliminary ruling to the Court of Justice of the European Union on the interpretation of the term “legitimate interest” under Article 6(1)(f) GDPR (September 22, 2022). This case is still pending.
administrative fine for Haga Hospital for poor security of patient files - €460,000 (July 16, 2019) - the District Court The Hague has mitigated this fine to €350,000 (March 31, 2021); and
administrative fine for Uber for late reporting of data breach - €600,000 (November 27, 2018).
Orders subject to an incremental penalty
order subject to an incremental penalty to the Dutch Ministry of Foreign Affairs for poor security for visa applications (in addition to fine) max. €500,000 – still ongoing; for insufficient transparency to visa applicants regarding the sharing of personal data with third parties (in addition to fine) max. €300,000 - violation stopped in time (April 6, 2022);
order subject to an incremental penalty to LocateFamily.com for missing representative in EU (in addition to fine) max. €120,000 - still ongoing (May 12, 2021);
order subject to an incremental penalty to a health insurer CZ for too much medical data in authorization applications (amount not disclosed) – violation stopped in time (February 14, 2020);
order subject to an incremental penalty to health insurer Menzis for unauthorized access to medical data max. €750,000 - €50,000 collected (November 4, 2019);
order subject to incremental penalty to health insurer VGZ for unauthorized access to medical data max. €750,000 - violation stopped in time (November 4, 2019);
order subject to penalty to Haga Hospital for poor security of patient files max. €300,000 - violation stopped in time (July 16, 2019);
second order subject to penalty National Police for poor security of police data max. €320,000 - violation stopped in time (December 21, 2018);
order subject to penalty UWV for poor security employer portal max. €900,000 - violation stopped in time (October 30, 2018);
order subject to penalty National Police for poor security of police data max. €200,000 - €40,000 collected (September 20, 2018); and
order under incremental penalty to TGB for not complying with customer's access request max. €60,000 - €48,000 collected (August 9, 2018).
Reprimands
When an organization has committed a minor, less serious violation, the AP can decide to issue a reprimand (see overview here). Since April 12, 2023, AP reprimands are not made public (see here). Therefore, the register of reprimands does not list names of organizations. Reprimands are only made public if a court requires it. The AP has issued several reprimands, including, but not limited to the following issued in 2023:
an organization violated Article 12(3) GDPR by failing to respond to two access requests in a timely manner – hospitality, retail and tourism sector (2023);
an organization violated Articles 12(3), 15(1) and 15(3) GDPR by failing to fully respond to an access request in a timely manner – energy sector (2023);
an organization violated Articles 28(1) and 28(3)(e) GDPR by not fully responding to an access request – energy sector (2023);
an organization violated Article 5(1)(a) and 6(1) GDPR by processing personal data for direct marketing purposes without a legal basis – technology, internet and media and telecommunications sector (2023); and
an organization violated Article 15(1) GDPR by not providing access to logging data – health sector (2023);