Netherlands

Stage of legislative progress 
Eg. pre-consultation, in consultation

The GDPR Execution Act ("UAVG", "Uitvoeringswet Algemene verordening gegevensbescherming") has passed. It became effective on 22 May 2018.

Discussions in Parliament considered that further area-specific data protection rules could be introduced at a later stage. 

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

The GDPR Execution Act ("UAVG") is to repeal the current Dutch Data Protection Act ("Wbp"). On 9-12-2016 the Dutch Ministry of Security & Justice (in charge of privacy and data protection matters) issued the GDPR Execution Act (Uitvoeringswet Algemene Verordening Gegevensbescherming). The purpose of this Execution Act is to effectuate the GDPR and repeal the current Dutch Data Protection Act (Wet bescherming persoonsgegevens).

Timescale for implementation 
Eg. pre-consultation, in consultation

The proposal was adopted by the House of Representatives on 13 March 2018. The Senate (Committee of Justice and Security) adopted the final report on 24 April 2018.

The Act was adopted as a formality on May 15, 2018. The GDPR Execution Act ("UAVG") became effective on 22 May 2018.

In discussions in Parliament it was considered that further area-specific data protection rules could be introduced at a later stage.


Areas where Member States must have local laws:

Personal data and freedom of expression 

Article 41 GDPR Execution Act provides that the GDPR Execution order does not apply where personal data are processed exclusively for journalistic purposes or for the purposes of academic, artistic or literary expression. In addition, it lists the chapters and articles of the GDPR that also do not apply for these purposes: (a) articles 7(3) and 11(2); (b) chapter III; (c) chapter IV (with the exception of articles 24, 25, 28, 29 and 32); (d) chapter V; (e) chapter VI; and (f) chapter VII. Art. 41 UAVG limits the scope of certain obligations in connection with (compelling) general interests in alignment with art. 23 GDPR. Therefore, it provides for exceptions to the rights of the data subject and the duties of the controller. The GDPR partially (art. 12 - 21 and 34 GDPR) does not apply (insofar as appropriate and proportionate) to data processing in view of, inter alia, important public interest objectives, public security, the protection of the data subject or of the rights and freedoms of others, and/or the collection of civil claims.

Penalties

n/a


Areas where Member States may have local laws:

Professional secrecy 

Art. 34 of the GDPR (on the duty to report data breaches to the data subject) shall not apply to financial undertakings that qualify as such under the Dutch Financial Supervision Act (art. 42 UAVG), as these have their own notification obligations under sector-specific legislation.

In art. 39 UAVG, it is stressed that a DPO is obliged to maintain confidentiality with regard to all matters that have become known to him through a complaint or request from the data subjects concerned, unless the person concerned agrees to disclosure.

Scientific, historical or statistical purposes 

Article 42 GDPR Execution Act: where processing takes place solely for scientific or historical research purposes, or statistical purposes, the controller may declare articles 15, 16 and 18 of the GDPR inapplicable. Data subjects will not have rights of access, rectification or restriction of processing for this data.

Employment

No material derogations.

Based on article 9 (2) sub b GDPR, article 30(1) UAVG provides the exceptions to the prohibition to process health data in an employment context. Processing health data is not prohibited if the processing is done by employers or institutions working for them, and in so far as the processing is necessary for:
a. proper implementation of statutory regulations, pension schemes or collective agreements that provide for entitlements that depend on the health status of the data subject; or
b. the reintegration or supervision of employees or benefit recipients in connection with illness or incapacity for work.

Based on article 9 (2) sub g GDPR, article 25 UAVG provides the exceptions to the prohibition to process ethnic and racial data: such data can be processed for positive discrimination/equal treatment purposes.

Based on article 9 (2) sub g GDPR, article 29 UAVG provides the exceptions to the prohibition to process biometric data: such data can be processed for identification of an individual if the processing is necessary for authentication or security purposes.

Article 33(3) UAVG states that personal data of a criminal nature relating to personnel employed by the controller may only be processed if this is done in accordance with the procedures to follow based on the Works Councils Act.

Personal data of deceased persons 

No provisions

Children online

16 years.

Special rules for special categories of data
The UAVG allows derogations for processing data relating to racial and ethnic origin, religious or philosophical belief, and political opinions.
The GDPR Execution Act (UAVG) includes provisions which provide for a limited list of purposes/specific circumstances under which derogation from the prohibition of special categories of personal data is allowed (note that most are in line with derogations currently found under the Dutch Data Protection Act): racial and ethnic origin (article 22), religious or philosophical belief (article 29), political opinions (article 30).

Regarding processing of personal data relating to criminal convictions and offences or related security measures, a list is provided of categories of processors that may process such data (article 31 and wet politiegegevens & wet justitiële en strafvorderlijke gegevens). This is the same as current Dutch local law on criminal data.

Article 25 UAVG: ethnic and racial data can be processed for positive discrimination/equal treatment purposes.

Genetic, biometric or health data

The UAVG provides a limited list of purposes for which processing genetic data, biometric data and health data is allowed.

Article 23 restricts the categories of data processors which may process health data, where processing is based on GDPR Arts. 9(2)(g)+(b)+(h) (employment or social security law; public interest + law; care and treatment).

Article 29 UAVG: biometric data can be processed for identification of an individual if the processing is necessary for authentication or security purposes.

Designation of a Data Protection Officer

No material derogations. The DPO is obliged to maintain confidentiality with regard to all matters that have become known to him through a complaint or request from the data subjects concerned, unless the person concerned agrees to disclosure (Art. 39 UAVG).

National identification numbers/any other identifier of general application

In line with art. 6 GDPR, art. 44 UAVG provides that national identification numbers may only be processed if such processing is provided for by law, and only for those purposes as stipulated in the relevant legislation.

Other:

Any other areas under discussion

UAVG stipulates that:

  • Article 22 GDPR does not apply where automated processing/profiling is necessary for compliance with a legal obligation or if processing is necessary for the performance of a task carried out in the public interest. This exception only applies if there is a specific legal basis for profiling.
  • There exists a legal obligation to take into account the needs of micro, small and medium-sized enterprises (art. 2a UAVG).
  • The prohibition to subject data subjects to automated decision-making does not apply where the law makes this compulsory. This may indirectly enable 'big data' applications (art. 40 UAVG).