In its judgment of September 21, 2005 one of the highest administrative courts in the Netherlands, the administrative law division of the Dutch Council of State (“Raad van State”) determined that the Dutch Data Protection Authority (DPA) does not have the authority to impose fines on data controllers for failure to notify processing that already existed on September 1, 2001 (the date the Data Protection Act “Wet bescherming persoonsgegevens” entered into force in the Netherlands).
In its judgment the Council of State confines the Authority’s power to impose fines for failure to notify to processing that commenced after September 1, 2001. As this was not the intention of the legislature, a proposal to amend the Data Protection Act is being prepared. Nevertheless, fines that have already been collected by the Authority for failure to notify processing that began pre-1 September 2001 will have to be refunded.
The DPA will continue to check compliance with the notification obligation by means of annual random checks. In the event that the DPA discovers non-compliance with the notification obligation, it will take action. If necessary, the DPA will impose a penalty payment to enforce the notification. If data processing that began post-1 September 2001 turns out not to have been notified in time, the DPA is still allowed to impose a fine.
Notifications of data processing are included in a public register that can be consulted through the DPA’s website at . At the moment, the public register contains about 28,000 notifications and was consulted 25,866 times in 2004. The DPA analyses the notifications received. Such analysis gives insight into the nature of the processing of personal data in different lines of business and different social sectors.
The Council of State’s judgment (in Dutch) can be downloaded from the Dutch jurisprudence website, rechtspraak.nl at and from the DPA’s website at
By Gerrit-Jan Zwenne, Bird & Bird, The Hague; email@example.com