Dutch DPA proposes to amend the Dutch Data Protection Act

02 November 2005

Gerrit-Jan Zwenne

In The Netherlands, the Ministry of Justice is currently in the process of preparing some amendments to the Dutch Data Protection Act (“Wet bescherming persoonsgegevens”). In view of this, the Data Protection Authority has submitted a proposal for amendments to the Act in order to resolve a number of practical problems that it has observed through the years. In its proposal, submitted in August this year, the Authority particularly proposes to clarify and elaborate on the regime for the processing of special or sensitive data, such as health data, data about ethnic origin, and the like. Further, the Authority proposes to soften some aspects of the requirement that prior investigation by the Authority is mandatory for, inter alia, the recording of personal data without informing the data subject. Moreover, the Authority proposes to introduce instruments that enable the data subject to verify whether a controller has complied with a request to no longer process his or her data for commercial or charitable purposes.

Elaborating the regime for special or sensitive data

The Act contains a rigid regime for the processing of so-called special or sensitive data, i.e. data concerning a person's religion or philosophy of life, race, political persuasion, health and sexual life, or personal data concerning trade union membership, as well as data concerning a person’s criminal behaviour, or unlawful or objectionable conduct connected with a ban imposed with regard to such conduct. In principle, such data may not be processed, except by certain controllers for specific purposes. For example, a doctor may process health data for the medical treatment of his or her patients, and a trade union may process trade union membership data if the objects of the trade union or trade union federation require this.

The Authority advises the Minister to elaborate on the exemptions to the prohibition on the processing of such special or sensitive data. Particularly, the Authority points out, accountants and auditors experience difficulties with the processing of such data for verification purposes. For example, accountants need to process health data to verify the distributions made by municipalities in accordance with the health services legislation. However, the wording of the Act does not allow this processing. The Authority is of the opinion that, if really necessary for these purposes, accountants and auditors must be able to process the special data by means of random checks. In this respect the Authority stresses that, although the problem occurs with both auditors and accountants, there is a difference in the approach in view of the fact that only the accountants are part of a statutorily regulated professional group.

Also the National Ombudsman has informed the Authority that he encounters difficulties with the availability of special data during investigations. The Authority requests the Minister to consider whether this issue can be solved with a general exemption ground in the Act and/or provisions in other general administrative or special acts.

In addition, a number of care insurers, in order to have recourse, want to be notified by care providers, such as hospitals, when one of their patients is (likely to be) a victim of a road accident. In practice hospitals are hesitant to provide this for reasons related to medical professional secrecy. Consequently, they feel they can only provide the data with patients’ explicit consent. According to the Authority, however, such notification is not contrary to medical professional secrecy, provided the notification is restricted to situations which definitely concern road accidents and the patients are informed about the provision of their data to care insurers. Furthermore, the patient must have the possibility to object to the provision of his data (opt-out). If these conditions are met, in the Authority’s opinion the patients’ explicit consent should not be required.

In addition the Authority finds that the so-called vital interests of the data subject, i.e. life-threatening situations, should also justify the processing of special or sensitive data. At the moment, the Act does not provide for this. To correct this, the Authority proposes to include a provision in the Act that stipulates that sensitive or special data may also be processed if this is necessary in order to protect the vital interests of the data subject.

The Authority’s proposals are, to a certain extent, in line with the proposal submitted by Austria, Finland, Sweden, the UK and The Netherlands to the European Commission in the context of the first Implementation Report (COM(2003) 265 final). These proposals suggested applying the rigid regime for the processing of special or sensitive data only if these data clearly describe intimate personal characteristics, and their processing is particularly likely to infringe fundamental freedoms or privacy.

Softening the prior investigation requirement

Pursuant to the Act, a so-called prior investigation must be applied for if, in the legislator’s opinion, the processing forms a special risk to the personal privacy of the persons involved. This implies that controllers must apply for prior investigation if they plan to record data on the basis of their own observations without informing the data subjects of this. This is the case, for example, if an employer wants to monitor employees without informing them, e.g. within the context of a fraud investigation. Strictly speaking, in such cases the controller must always apply for prior investigation. However, the Authority wants to limit this requirement to the secret processing of personal data with a structural nature: no prior investigation should be required for occasional processing of personal data without informing the data subject.

Verification of compliance with data subject’s opt-out request

Moreover, the Authority proposes to introduce instruments that enable data subjects to verify whether a controller has complied with the data subject’s request to no longer process his or her data for commercial or charitable purposes (opt-out). These instruments could also be useful with respect to the use of the right to have personal data removed or blocked.

The Authority’s proposal (in Dutch) can be downloaded from www.cbpweb.nl.