Netherlands

Overview

Stage of legislative progress 
Eg. pre-consultation, in consultation

The GDPR Execution Act ("UAVG", "Uitvoeringswet Algemene verordening gegevensbescherming") has passed. Although this was not yet officially communicated, the Act will almost certainly become effective together with the GDPR.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

GDPR Execution Act ("UAVG") is to repeal the current Dutch Data Protection Act ("Wbp").
On 9-12-2016 the Dutch Ministry of Security & Justice (in charge of privacy and data protection matters) issued the GDPR Execution Act (Uitvoeringswet Algemene Verordening Gegegevensbescherming). Purpose of this Execution Act is to effectuate the GDPR and repeal the current Dutch Data Protection Act (Wet bescherming persoonsgegevens).

Timescale for implementation 
Eg. pre-consultation, in consultation

The proposal was adopted by the House of Representatives on 13 March 2018. The Senate (Committee of Justice and Security) adopted the final report on 24 April 2018.

The Act was adopted as a formality on May 15, 2018.

In discussions in Parliament it was considered that further area-specific data protection rules could be introduced at a later stage.


Areas where Member States must have local laws:

Personal data and freedom of expression 

Draft Act provides that Act will not apply where personal data is processed for journalistic purposes or for the purposes
of academic, artistic or literary expressions.
"Article 41 GDPR Execution Act provides that the GDPR Execution order does not apply where personal data are processed exclusively for journalistic purposes or for the purposes
of academic, artistic or literary expressions. In addition it sums up a list of chapters and articles in the GDPR that are also not applicable for these purposes:
(a) article 7(3), 11(2);(b) chapter III;(c) chapter IV (with the exception of articles 24, 25, 28, 29 and 32);(d) chapter V;(e) chapter VI; and (f) chapter VII. "

Penalties

n/a


Areas where Member States may have local laws:

Professional secrecy 

Art. 34 of the GDPR (on the duty to report data breaches to the data subject) shall not apply to financial undertakings that qualify as such under the Dutch Financial Supervision Act (art 42 UAVG), as these have own notification obligations under sector-specific legislation.

In art. 39 UAVG, it is stressed that a DPO is obliged to maintain confidentiality with regard to all matters that have become known to him through a complaint or request from the data subjects concerned, unless the person concerned agrees to disclosure.

Scientific, historical or statistical purposes 

Article 42 GDPR Execution Act provides that where processing takes place solely for scientific or historical research purposes, or statistical purposes, the controller may declare articles 15, 16 and 18 of the GDPR inapplicable. Data subjects will not have rights of access, rectification or restriction of processing for this data.

Employment

No material derogations.

Article 30(1) UAVG provides the exceptions to the prohibition to process health data in an employment context. Processing health data is not prohibited if the processing is done by employers or institutions working for them, and in so far as the processing is necessary for:
a. proper implementation of statutory regulations, pension schemes or collective agreements that provide for entitlements that depend on the health status of the data subject; or
b. the reintegration or supervision of employees or benefit recipients in connection with illness or incapacity for work.

Article 25 UAVG provides the exceptions to the prohibition to process ethnical and racial data: such data can be processed for positive discrimination/equal treatment purposes.

Article 29 UAVG provides the exceptions to the prohibition to process biometric data: such data can be processed for identification of an individual if the processing is necessary for authentication or security purposes.

Article 33(3) UAVG states that personal data of a criminal nature relating to personnel employed by the controller may only be processed if this is done in accordance with the procedures to follow based on the Works Councils Act.

Personal data of deceased persons 

n/a

Children online

16. No derogation The Dutch legislator has chosen to uphold the age of consent for children at 16 years.

Special rules for special categories of data
The UAVG allows derogations for racial and ethnic origin, religious or philosophical belief, and political opinions.
The GDPR Execution Act UAVG includes provisions which provide for a limited list of purposes /specific circumstances under which derogation from the prohibition of special categories of personal data is allowed (note that most are in line with derogations currently found under the Dutch data Protection Act): racial and ethnic origin (article 22), religious or philosophical belief (article 29), political opinions (article 30).

Where it concerns processing of personal data relating to criminal convictions and offences or related security measures, a list is provided of categories of processors that may process such data (article 31 and wet politiegegevens & wet justitiële en strafvorderlijke gegevens) - this is the same as current Dutch local law on criminal data."

Article 25 UAVG ethnic and racial data can be processed for positive discrimination/equal treatment purposes.

Genetic, biometric or health data

The UAVG provides a limited list of purposes for which processing genetic data, biometric data and health data is allowed.

Art 23 restricts the categories of data processors which may process health data, where processing is based on GDPR Arts. 9(2)(g)+(b)+(h) (employment or social security law; public interest + law; care and treatment).

Article 29 UAVG biometric data can be processed for identification of an individual if the processing is necessary for authentication or security purposes.

Designation of a Data Protection Officer

No material derogations. It is stressed that a DPO is obliged to maintain confidentiality with regard to all matters that have become known to him through a complaint or request from the data subjects concerned, unless the person concerned agrees to disclosure (Art. 39 UAVG).

National identification numbers/any other identifier of general application

UAVG states that national identification numbers may only be processed where allowed by law, and only for those purposes as stipulated in the relevant legislation.


Other:

Any other areas under discussion
UAVG stipulates that:
• Article 22 GDPR does not apply where automated processing/profiling is necessary for compliance with a legal obligation or if processing is necessary for the performance of a task carried out in the public interest. This exception only applies if there is a specific legal basis for profiling.
• A legal obligation to take into account the needs of micro, small and medium-sized enterprises was added to the UAVG (art. 2a UAVG).
• The prohibition to subject data subjects to automated decision-making does not apply if the law makes this compulsory. This may indirectly enable 'big data' applications (art. 40 UAVG).