Library of Congress

Law Library of Congress

The Library of Congress > Law Library > News & Events > Global Legal Monitor

Netherlands: Data Protection Act Amended

(May 3, 2012) On February 9, 2012, amendments to the Dutch Personal Data Protection Act came into force. (Personal Data Protection Act (Unofficial Translation), Institute for Information Law (updated Dec. 15, 2005); Wet bescherming persoonsgegevens (July 6, 2000), OVERHEID.NL.) The revised Act now provides that companies that use European Commission-approved standard contractual clauses no longer need to have a permit to transfer personal data to countries outside the European Economic Area (EEA), a change that is deemed likely to reduce the administrative burden on such companies. (The Netherlands: Amendment to Dutch Data Protection Act, HSP (Mar. 30, 2012).) Before the amendment was adopted, even companies that used the standard contract clauses were required to obtain the permit, because the non-EEA countries “were not considered to offer appropriate safeguards for the protection of personal data,” and as a result of the requirement “[d]elays could be significant.” (Id.)

The European Commission has reportedly issued “helpful guidelines and model contract clauses which may ease current restrictions on the flow of personal data” from data controllers in the 27 Member States of the European Union and three EEA member countries (Iceland, Liechtenstein, and Norway) to data controllers or data processors in countries that do not, in the EC's view, ensure adequate data protection. (Id.)

Other changes to the Personal Data Protection Act made through the recently adopted amendments include:

    • higher fines for violations, from €7,600 (about US$10,060) to up to €19,000 (about US$25,150), for companies that fail to register their personal data processing with the governing authority, the College Bescherming Persoonsgegevens (Data Protection Authority, or DPA), and for intentional acts of omission;
    • additional obligations for data controllers if data subjects choose not to be made subject to direct marketing;
    • simplification of the requirement that all the controllers of a blacklist, e.g., banks, insurance companies, and international groups of companies, which use blacklists and for which they therefore may collect criminal data, must obtain a statement from the DPA (which conducts a prior investigation when the collection of criminal data is involved) that the data processing is legal – now only one of the controllers need obtain a statement, on which their other branches or groups can also rely; and
    • a stipulation that the processing of sensitive data may be made without a data subject's consent, when necessary to protect the vital interest (in particular the health) of the data subject. (Id.; Amendment to Dutch Data Protection Act, TECHLAW (Feb. 2012).)

From December 20, 2011, to February 29, 2012, the Dutch government circulated for public comment a more comprehensive draft revision of the Act, which addresses the use of camera images (particularly images of criminal acts from security cameras installed by individuals or companies) and reporting obligations in connection with data leaks (namely, the need to notify the DPA of serious security flaws in the automated processing of personal data when that data is placed at significant risk of loss or unlawful processing). (Amendment to Dutch Data Protection Act, supra; Wijziging Wbp (gebruik camerabeelden en meldplicht datalekken) [Amendment Wbp (camera image use and data leak reporting obligations)], OVERHEID.NL (last visited May 1, 2012).)