On February 9th, important changes to Dutch privacy regulation, the Data Protection Act, went into effect. Through these changes, companies that use the Standard Contractual Clauses (link) approved by the European Commission, no longer require a permit for the transfer of personal data to countries outside of the European Economic Area. This will generally lead to a reduction of the administrative burden on these companies. 

Before these changes, when a company (data exporter) wished to have personal data processed by a company (data importer) in a country outside of the EEA, it generally required a permit to do so. This is because it is considered that those countries do not to offer appropriate safeguards for the protection of personal data. 

By using the Standard Contractual Clauses, these appropriate safeguards are guaranteed through the contract between the data exporter and the data importer. Before the amendment, a permit from the Ministry of Justice was still required when using the Standard Contractual Clauses. This requirement has now been removed from the Data Protection Act. 

Other changes to the Data Protection Act that came into force are higher fines (from € 7,600 to a maximum of € 19,000), additional obligations for the data controller when data subjects opt-out of direct marketing and removal of the requirement for Data Protection Officers (Functionaris voor de Gegevensbescherming) to file an annual report.


For questions regarding the above, please feel free to contact: 
Gerrit-Jan Zwenne: gerrit-jan.zwenne@twobirds.com or Berend van der Eijk: berend.van.der.eijk@twobirds.com