Unofficial translation
This translation is provided for reference purposes only and without any warranty or
representation regarding its accuracy or completeness. Reliance on this translation is at
your own risk. If you would like to report a translation error or inaccuracy, we encourage you
to please contact us.
GENERAL DATA PROTECTION REGULATION IMPLEMENTATION ACT
Act dated May 16, 2018 containing rules for implementing
Regulation (EU) 2016/679 of the European Parliament and of the Council of
27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation) (PbEU
2016, L 119) (General Data Protection Regulation Implementation Act)
We Willem-Alexander, by the Grace of God, King of the Netherlands, Prince of
Oranje-Nassau, etc., etc., etc.
Greetings to all those who shall see or hear these presents! Be it known:
Whereas We consider it to be necessary to lay down legal rules for
implementing Regulation (EU) 2016/679 of the European Parliament and of
the Council of 27 April 2016 on the protection of natural persons with regard
to the processing of personal data and on the free movement of such data,
and repealing Directive 95/46/EC (General Data Protection Regulation) (PbEU
2016, L 119);
In view of Article 10(2) and (3) of the Constitution;
We, therefore, having heard the Advising Division of the Council of State, and
in consultation with the States General, have approved and decreed as We
hereby approve and decree:
Chapter 1. General Provisions
Article 1. Definitions
The following terms will be defined as follows in this Act and in provisions
based upon it:
Special categories of personal data: The categories of personal data
referred to in Article 9(1) of the Regulation;
Our Minister: Our Minister for Legal Protection;
Personal data relating to matters of criminal law: Personal data relating to
criminal convictions and offenses or related security measures as
referred to in Article 10 of the Regulation as well as personal data
regarding a court-ordered injunction due to unlawful or objectionable
conduct;
Regulation: Regulation (EU) 2016/679 of the European Parliament and of
the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) (PbEU 2016, L 119).
Article 2. Material Scope
1. This Act and the provisions based upon it apply to the processing of
personal data wholly or partly by automated means and to the
processing of personal data that forms part of a filing system or is
intended to form part of a filing system.
2. Contrary to Paragraph 1, this Act does not apply to the processing of
personal data insofar as the Dutch Personal Records Database Act, the
Dutch Elections Act or the Wet raadgevend referendum (Dutch advisory
referendum act) apply.
3. With the exception of the provisions set out in Article 3, this Act does not
apply to the processing of personal data as referred to in Article 2(2) of
the Regulation.
Article 2a. Taking Account of the Needs of Micro, Small and
Medium-Sized Enterprises
The Data Protection Authority must take into account the specific needs of
micro, small and medium-sized enterprises as referred to in Article 2 of the
annex to the Commission Recommendation 2003/361/EC of 6 May 2003
concerning the definition of micro, small and medium-sized enterprises
(PbEU 2003 L124).
Article 3. Mutatis Mutandis Provision on Processing Outside of the
Scope of Application of the Regulation
1. This Act and the provisions based upon it also apply to the processing
of personal data:
a. in the context of activities falling outside of the scope of
application of Union law;
b. by the armed forces in the performance of activities that fall
within the scope of application of Title V, Chapter 2 of the
Treaty on European Union.
2. The Regulation applies mutatis mutandis to the processing of
personal data as referred to in Paragraph 1.
3. Paragraphs 1 and 2 do not apply to:
a. the processing of personal data by the armed forces insofar as
Our Minister of Defense so decides with a view to the
deployment or provision of the armed forces in the
performance of the tasks described in Article 97 of the
Constitution;
b. the processing of personal data insofar as the Wet op de
inlichtingen- en veiligheidsdiensten 2017 (Dutch intelligence
and security services act of 2017) applies.
4. The Data Protection Authority must be notified as quickly as possible
of a decision as referred to in Paragraph 3(a).
Article 4. Territorial Scope
1. This Act and the provisions based upon it apply to the processing of
personal data in the context of activities by an establishment of a
controller or a processor in the Netherlands.
2. This Act and the provisions based upon it apply to the processing of
personal data of data subjects in the Netherlands by a controller or
processor not based in the European Union when such processing
is related to:
a. the offering of goods or services to these data subjects in the
Netherlands, irrespective of whether or not payment by the
data subjects is required; or
b. the monitoring of their behavior if this behavior takes place
within the Netherlands.
Article 5. Permission of Legal Representative
1. If Article 8 of the Regulation does not apply and the data subject is
under sixteen years of age, the consent of the data subject's legal
representative is required instead of the consent of the data subject.
2. If the data subject has been placed under guardianship or is the
subject of an administration or protection order, the consent of the
legal representative is required instead of the consent of the data
subject insofar as the data subject has no legal capacity or
authorization to act in the matter in question.
3. The legal representative of the data subject may revoke consent at
any time.
4. The data subject's rights as referred to in Chapter III of the
Regulation are to be exercised by the data subject's legal
representatives if the data subject is under sixteen years of age, has
been placed under guardianship or is the subject of an
administration or protection order and insofar as the data subject
has no legal capacity or authorization to act in the matter in
question.
5. This article does not apply to assistance and advisory services
offered directly and free-of-charge to a minor or a person placed
under guardianship.
Chapter 2. The Data Protection Authority
Subsection 2.1. Establishment and Structure of the Data Protection
Authority
Article 6. Establishment and Designation As a Supervisory Authority
1. A Data Protection Authority must be established.
2. The Data Protection Authority is the supervisory authority to which
Article 51(1) of the Regulation refers.
3. Without prejudice to Article 57 of the Regulation, the Data Protection
Authority is responsible for supervising the processing of personal
data in accordance with the provisions under and pursuant to the
Regulation or Act.
4. Our Minister may assign tasks to the Data Protection Authority in
consultation with the Data Protection Authority for the purpose of
implementing a binding EU legal act.
Article 7. Composition
1. The Data Protection Authority consists of a chair and two other
members.
2. Extraordinary members may also be appointed to the Data Protection
Authority. When appointing extraordinary members, efforts will be
made to include a cross-section of society.
3. The chair, other members and extraordinary members of the Data
Protection Authority are appointed by royal decree upon nomination
by Our Minister.
4. The chair must meet the requirements for appointment as a court
judge under or pursuant to Article 5 of the Wet rechtspositie
rechterlijke ambtenaren (Dutch judicial officers (legal status) act).
5. The appointment referred to in Paragraph 3 is for a five-year term.
6. The chair, other members and extraordinary members of the Data
Protection Authority may be reappointed once for another five-year
term.
7. Our Minister will discharge the chair, other members and
extraordinary members of the Data Protection Authority at their own
request.
8. Article 12 of the Kaderwet zelfstandige bestuursorganen (Dutch
non-departmental public bodies framework act) does not apply.
9. An Advisory Council advises the Data Protection Authority on general
aspects of the protection of personal data. The members come from
different sectors of society and are appointed by Our Minister upon
nomination by the chair of the Data Protection Authority. The
members are appointed for a maximum term of four years. They may
be reappointed twice, each time for a maximum term of four years.
The reimbursement of expenses incurred by the members of the
Advisory Council is determined by a ministerial order.
Article 8. Disciplinary Measures for the Chair and Other Members
Articles 46c, 46d(2), 46f, 46g, 46i, with the exception of (1)(c), 46j, 46l(1) and
(3), 46m, 46n, 46o and 46p of the Dutch judicial officers (legal status) act
apply mutatis mutandis to the chair and other members of the Data Protection
Authority, on the understanding that:
a. the disciplinary measures referred to in Article 46c(1) regarding other
members of the Data Protection Authority are to be imposed by the
chair of the Data Protection Authority;
b. the prohibition stated in Article 46c(1)(b) against engaging in a
meeting or conversation with parties or their lawyers or authorized
agents, or accepting special information or written documents from
them, does not apply to the chair and other members of the Data
Protection Authority;
c. the disciplinary measure referred to in Article 46c(1) is imposed by
the president of The Hague Court of Appeal on the chair of the Data
Protection Authority.
Article 9. Legal Status of Chair, Other Members and Extraordinary
Members
The legal status of the chair, other members and extraordinary members is
governed by or pursuant to an order in council.
Article 10. Secretariat
1. The Data Protection Authority has a secretariat staffed by officials
who are appointed, promoted, disciplined, suspended and
discharged by the Data Protection Authority.
2. With regard to the secretariat's officials, the authorities assigned to
the competent authority under or pursuant to the Dutch Central and
Local Government Personnel Act, are to be exercised by the Data
Protection Authority, with the exception of the authority to make
rules, or more-specific rules.
Article 11. Budget, Justification and Representative Authority
1. Without prejudice to Article 25 of the Dutch non-departmental public
bodies framework act, the Data Protection Authority draws up a draft
budget annually prior to the budget year.
2. In the departmental budget referred to in Article 2.1(6) of the
Comptabiliteitswet 2016 (Dutch government accounts act of 2016),
Our Minister allocates the Data Protection Authority a budget from
the national budget annually.
3. The Data Protection Authority adopts the budget in accordance with
the budget referred to in Paragraph 2.
4. The Data Protection Authority is represented judicially and
extrajudicially by the chair and other members, or one of them.
5. The members determine the division of duties, involving the
extraordinary members insofar as is possible.
Article 12. Restriction of the Obligation to Provide Information to the
Minister
Article 20 of the Dutch non-departmental public bodies framework act does
not apply if the Data Protection Authority received the information from third
parties subject to the condition that the confidential nature thereof is
maintained.
Article 13. Exceptions to Authorities Relating to Policy Rules,
Destruction and Neglect of Duties
1. Articles 21 and 22 of the Dutch non-departmental public bodies
framework act do not apply to the Data Protection Authority.
2. Article 23 of the Dutch non-departmental public bodies framework
act only applies in respect of the financial management activities
and administrative organization of the Data Protection Authority.
Subsection 2.2 The Exercise of Duties and Authorities of the Data
Protection Authority
Article 14. Tasks and Authorities
1. The Data Protection Authority is authorized to perform the duties and
exercise the authorities granted to the supervisory authority under or
pursuant to the Regulation.
2. Section 3.4 of the Algemene wet bestuursrecht (Dutch general
administrative law act) applies to the preparation of a decision
regarding approval of a code of conduct or the amendment or
extension thereof, as referred to in Article 40(5) of the Regulation.
3. If the provisions of Article 83(4), (5) and (6) of the Regulation are
violated, the Data Protection Authority may impose an administrative
fine not to exceed the amounts stated in said paragraphs.
4. Articles 5:4 through 5:10a of the Dutch general administrative law act
apply mutatis mutandis to the corrective powers referred to in
Article 58(2)(b) through (j) of the Regulation.
5. Without prejudice to Article 4:15 of the Dutch general administrative
law act, the Data Protection Authority may suspend the time limit for
issuing a decision insofar as this is necessary for compliance with
the Data Protection Authority's obligations under Articles 60 through
66 of the Regulation. Paragraphs 3 and 4 of Article 4:15 of the Dutch
general administrative law act apply mutatis mutandis to said
suspension.
Article 15. Monitoring of Compliance
1. The members and extraordinary members of the Data Protection
Authority, the officials of the secretariat of the Data Protection
Authority and the persons designated by a resolution of the Data
Protection Authority are responsible for monitoring compliance with
the Regulation and with the processing of personal data in
accordance with the provisions under or pursuant to the law.
2. The persons referred to in Paragraph 1 are authorized to enter a
dwelling without the resident's permission.
3. The persons referred to in Paragraph 1 require an explicit, special
authorization from the Data Protection Authority in order to exercise
the authority stated in Paragraph 2, without prejudice to the
provisions of Article 2 of the Algemene wet op het binnentreden
(Dutch general act on entry of a dwelling).
4. No obligation to maintain confidentiality may be invoked insofar as
information or cooperation is requested in connection with the data
subject's own involvement in the processing of personal data.
5. This article and Title 5.2 of the Dutch general administrative law act
apply mutatis mutandis insofar as this is necessary for the proper
performance of the Data Protection Authority's duties in the context
of Chapter VII of the Regulation.
Article 16. Administrative Enforcement Order
1. The Data Protection Authority may impose an administrative
enforcement order to enforce the obligations under or pursuant to
the Regulation or this Act.
2. The Data Protection Authority may impose an administrative
enforcement order to enforce Article 5:20(1) of the Dutch general
administrative law act insofar as such action concerns the obligation
to assist with a claim by a person designated under or pursuant to
Article 15(1).
Article 17. Fine for Unlawful Processing of Personal Data Relating to
Matters of Criminal Law
1. In the event of violation of the provisions in Article 10 of the
Regulation or Article 31 of this Act, the Data Protection Authority may
impose an administrative fine of not more than EUR 20,000,000 or,
for an enterprise, not more than 4% of the total annual global sales
for the previous financial year, whichever is greater.
2. Article 83, Paragraphs (1) through (3) of the Regulation apply mutatis
mutandis.
Article 18. Administrative Fine for Public Authorities
1. If a public agency or public body violates the provisions of Article 83,
Paragraphs (4), (5) or (6) of the Regulation, the Data Protection
Authority may impose an administrative fine not to exceed the
amounts stated in said paragraphs.
2. Article 83, Paragraphs (1) through (3) of the Regulation apply.
Article 19. Cooperation with Other Supervisory Authorities
1. The Data Protection Authority is authorized to make agreements with
other supervisory authorities in the interests of efficient, effective
monitoring of the processing of personal data and to adopt
cooperation protocols with these supervisory authorities for this
purpose. Any cooperation protocol is to be announced in the Dutch
government gazette.
2. The Data Protection Authority and the supervisory authorities referred
to in Paragraph 1 are authorized, on their own initiative and if
requested to do so, to share data regarding the processing of
personal data if such data is needed for the performance of their
duties or in order to satisfy a legal obligation incumbent upon them.
Article 20. Legal Action against Infringements of the Regulation
Regarding Transfer to a Third Country
1. If an investigation regarding the transfer of personal data to a country
outside of the European Union or to an international organization,
initiated at the request of an interested party, gives the Data
Protection Authority good cause to assume that an adequacy
decision as referred to in Article 45(1) of the Regulation in relation to
the relevant country or international organization or a decision made
by the European Commission regarding the adoption or approval of
standard clauses as referred to in Article 46(2)(c) and (d) of the
Regulation offers inadequate safeguards for a suitable level of data
protection, the Data Protection Authority may submit a request to the
Administrative Jurisdiction Division of the Council of State to issue a
declaratory decision that the relevant decision is valid.
2. The request must be signed and must include as a minimum:
a. the date;
b. the grounds for the request;
c. the names of the interested party and the party who is the
subject of the investigation referred to in Paragraph 1.
3. A copy of the interested party's request to which the application by
the Data Protection Authority referred to in Paragraph 2 pertains, for
the enforcement of rules under or pursuant to the law regarding the
protection of personal data, is to be submitted with the application
along with other documents pertinent to the matter.
4. Without prejudice to Article 4:15 of the Dutch general administrative
law act, the time limit for issuing a decision on the request for
enforcement is suspended from the day after the day on which the
Data Protection Authority notified the requester that Paragraph 1 is
being applied until the day on which the Administrative Jurisdiction
Division of the Council of State has made a pronouncement as
referred to in Paragraph 6.
5. Titles 8.1 and 8.2 of the Dutch general administrative law act apply
mutatis mutandis to the handling of the request, with the exception
of Articles 8:1 through 8:10, 8:41, Sections 8.2.2a and 8.2.4a and
Articles 8:70, 8:72 and 8:74. The parties referred to in
Paragraph 2(c) are considered parties to the legal action.
6. If the Administrative Jurisdiction Division of the Council of State
decides that the European Commission's decision brought before it
is valid, regardless of whether or not this occurs after a reference for
a preliminary ruling to the Court of Justice of the European Union on
the basis of Article 267 of the Treaty on the Functioning of the
European Union, it will issue a declaratory decision to that effect. If,
after reference for a preliminary ruling to the Court of Justice of the
European Union, it decides that the decision brought before it is
invalid, it will reject the request.
7. The Administrative Jurisdiction Division of the Council of State may
decide to stay the request if a request for a preliminary ruling
regarding the validity of the decision in question is pending with the
Court of Justice of the European Union.
8. There is no recourse against the stay of the request by the
Jurisdiction Division of the Council of State.
Article 21. Designation of Certification Body
By ministerial order, either the Data Protection Authority or the Raad voor
Accreditatie (Dutch Accreditation Council) or both of them will be designated
as the certification body as referred to in Article 43 of the Regulation.
Chapter 3. Clauses for the Implementation of the Regulation
Subsection 3.1 Special Categories of Personal Data
Article 22. Prohibition on Processing Special Categories of Personal
Data and General Exceptions to the Regulation
1. In accordance with Article 9(1) of the Regulation, processing of
personal data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, or trade union membership, and
the processing of genetic data, biometric data for the purpose of
uniquely identifying a natural person, data concerning health or data
concerning a natural person's sex life or sexual orientation is
prohibited.
2. In accordance with Article 9(2)(a), (c), (d), (e) and (f) of the
Regulation, the prohibition on processing special categories of
personal data does not apply if:
a. the data subject has given explicit consent for the personal
data in question to be processed for one or more clearly
defined purposes;
b. the processing is necessary in order to protect the vital
interests of the data subject or of another natural person
where the data subject is not physically or legally capable of
giving consent;
c. the processing is carried out in the course of its legitimate
activities with appropriate safeguards by a foundation,
association or any other not-for-profit body with a political,
philosophical, religious or trade union aim and on condition
that the processing relates solely to the members or to former
members of the body or to persons who have regular contact
with it in connection with its purposes and that the personal
data is not disclosed outside that body without the consent of
the data subjects;
d. the processing relates to personal data that is manifestly made
public by the data subject; or
e. the processing is necessary for the establishment, exercise or
defense of legal claims or whenever courts are acting in their
judicial capacity.
Article 23. General Exceptions under National Law
In view of Article 9(2)(g) of the Regulation, the prohibition on processing
special categories of personal data does not apply if:
a. the processing is necessary in order to satisfy an obligation under
international law;
b. the data is processed by the Data Protection Authority or an
ombudsman as referred to in Article 9:17 of the Dutch general
administrative law act, and if processing is necessary for the
performance of their legal duties, on the condition that adequate
safeguards are provided to prevent disproportionate infringement of
the data subject's privacy; or
c. the processing is necessary in addition to the processing of personal
data relating to matters of criminal law for the purposes for which
this data is processed.
Article 24. Exceptions for Scientific or Historical Research or Statistical
Purposes
In view of Article 9(2)(j) of the Regulation, the prohibition on processing
special categories of personal data does not apply if:
a. the processing is necessary for scientific or historical research
purposes or for statistical purposes in accordance with Article 89(1)
of the Regulation;
b. the research referred to in point (a) serves a public interest;
c. requesting explicit consent proves to be impossible or requires
disproportionate effort; and
d. adequate safeguards are provided to prevent disproportionate
infringement of the data subject's privacy.
Article 25. Exceptions for Processing Personal Data Revealing Race or
Ethnic Origin
In view of Article 9(2)(g) of the Regulation, the prohibition on processing
personal data revealing race or ethnic origin does not apply if the processing
occurs:
a. for the purpose of identifying the data subject, and only insofar as
processing for that purpose is unavoidable; or
b. for the purpose of giving a certain ethnic or cultural minority group a
preferential position with the aim of eliminating or reducing actual
disadvantages experienced on the grounds of race or ethnic origin,
and only if:
1. the processing is necessary to that aim;
2. the data pertains to the country of birth of the data subject or
the data subject's parents or grandparents, or to other legally
defined criteria allowing for the objective determination of
whether or not a natural person belongs to a certain ethnic or
cultural minority group; and
3. the data subject has not objected in writing to the processing.
Article 26. Exceptions for Processing Personal Data Revealing Political
Opinions to Fulfill Public Functions
In view of Article 9(2)(g) of the Regulation, the prohibition on processing
personal data revealing political opinions does not apply if the processing is
carried out in connection with reasonable requirements regarding political
opinions imposed with a view to filling openings in administrative and
advisory bodies.
Article 27. Exceptions for Processing Personal Data Revealing Religious
or Philosophical Beliefs for Spiritual Counseling
1. In view of Article 9(2)(g) of the Regulation, the prohibition on
processing personal data revealing religious or philosophical beliefs
does not apply if the processing is carried out by institutions other
than the institutions referred to in Article 22(2)(c), and
insofar as the processing is necessary with a view to the spiritual
counseling of the data subject unless the data subject has objected
in writing.
2. In the cases referred to in Paragraph 1, no personal data is to be
shared with third parties without the data subject's consent.
Article 28. Exceptions for Genetic Data
1. In view of Article 9(2)(g) of the Regulation, the prohibition on
processing genetic data does not apply if this processing occurs in
relation to the data subject from whom said data has been received.
2. In cases other than those referred to in Paragraph 1, the prohibition
on processing genetic data does not apply only if:
a. a serious medical interest prevails; or
b. the processing is necessary for scientific research serving a
public interest or for statistical purposes if:
1. the data subject has given explicit consent; and
2. adequate safeguards are provided to prevent
disproportionate infringement of the data subject's
privacy.
3. Consent as referred to in Paragraph 2(b) is not required if
requesting explicit consent proves to be impossible or requires
disproportionate effort.
Article 29. Exceptions for Biometric Data
In view of Article 9(2)(g) of the Regulation, the prohibition on processing
biometric data for the purposes of uniquely identifying a natural person does
not apply if the processing is necessary for authentication or security
purposes.
Article 30. Exceptions for Health Data
1. In view of Article 9(2)(b) of the Regulation, the prohibition on
processing health data does not apply if the processing is
carried out by administrative bodies, pension funds, employers
or agencies working for the benefit of the data subjects and
insofar as the processing is necessary for:
a. proper execution of statutory regulations, pension schemes or
collective employment contracts providing benefits that are
contingent on the health of the data subject; or
b. the reintegration or assistance of employees or individuals
entitled to government assistance in connection with illness or
work disability.
2. In view of Article 9(2)(g) of the Regulation, the prohibition on
processing health data does not apply if the processing is carried
out by:
a. schools, insofar as the processing is necessary with a view to
providing special assistance to students or special
accommodations related to their health;
b. a probation institution, a special probation officer, the Raad
voor de Kinderbescherming (Dutch council for child
protection), the certified agency referred to in Article 1.1 of the
Jeugdwet (Dutch youth act) or the legal entity referred to in
Article 256(1) or Article 302(2) of Book 2 of the Burgerlijk
Wetboek (Dutch civil code), insofar as the processing is
necessary for the performance of the legal duties for which
they are responsible; or
c. Our Minister and Our Minister of Justice and Security, insofar
as the processing is necessary for the implementation of
measures entailing the deprivation of liberty.
3. In view of Article 9(2)(h) of the Regulation, the prohibition on
processing health data does not apply if the processing is carried
out by:
a. professionals, agencies or facilities for health care or social
services, insofar as the processing is necessary for the data
subject's proper treatment or care or the management of the
agency or professional practice; or
b. insurers as referred to in Article 1:1 of the Wet op het financieel
toezicht (Dutch financial supervision act) or financial service
providers who act as insurance agents as referred to in
Article 1:1 of said act, insofar as the processing is necessary
for:
1. the evaluation of the risk to be insured by the insurer
and the data subject has no objections; or
2. the implementation of the insurance contract or
assistance with the management and implementation of
the insurance.
4. If Paragraphs 1, 2 or 3 are applied, the data is to be processed
solely by persons required to observe confidentiality by virtue of
their office, profession or a statutory regulation or pursuant to an
agreement. If the controller processes personal data and is not
already bound to observe confidentiality by virtue of office,
profession or a statutory regulation, the controller is required to
observe confidentiality in respect of the data, except insofar as
the law requires the controller to disclose the data or the task
entails the need to disclose the data to others who are authorized
to process the data pursuant to Paragraphs 1, 2 or 3.
5. The prohibition on processing other special categories of
personal data does not apply if the processing is necessary in
addition to the processing of data regarding health as referred to
in Paragraph 3, opening words and point (a), for the data
subject's proper treatment or care.
6. Further rules regarding the application of Paragraph 1 and
Paragraph 3, opening words and point (b), may be made by an
order in council.
Subsection 3.2. Personal Data Relating to Matters of Criminal Law
Article 31. Exceptions to the Obligation to Observe
Government-Supervised Processing
Without prejudice to Article 10 of the Regulation, personal data relating to
matters of criminal law may only be processed insofar as such processing is
permitted pursuant to Articles 32 and 33.
Article 32. General Grounds for Exception Concerning Data Relating to
Matters of Criminal Law
Personal data relating to matters of criminal law may be processed if:
a. the data subject has given explicit consent for the personal data
in question to be processed for one or more clearly defined
care.
2. Personal data relating to matters of criminal law may be processed
by a controller who is processing the data for personal benefit:
a. in order to evaluate a request by the data subject for a
decision regarding the data subject or to provide the data
subject with a service; or
b. in order to protect the controller's own interests, insofar as the
data concerns criminal offenses that have been committed or
are expected, based on facts and circumstances, to be
committed against the controller or against individuals in the
controller's employ.
3. Personal data relating to matters of criminal law regarding staff in the
employ of the controller may only be processed if such processing
occurs in accordance with rules that have been set in accordance
with the procedure referred to in the Wet op de ondernemingsraden
(Dutch works councils act).
4. Personal data relating to matters of criminal law may be processed
on behalf of third parties:
a. by controllers who are acting by virtue of a permit under the
Wet particuliere beveiligingsorganisaties en recherchebureaus
(Dutch private security organizations and detective agencies
act);
b. if said third party is a legal entity connected to the same group
referred to in Article 24b of Book 2 of the Dutch civil code; or
c. if the Data Protection Authority has granted a permit for the
processing with due observance of Paragraph 5.
5. A permit as referred to in Paragraph 4(c) may only be granted if the
processing is necessary with a view to the compelling interests of
third parties and adequate safeguards are provided to prevent
disproportionate infringement of the data subject's privacy.
Conditions may be attached to the permit.
Subsection 3.3. Legal Protection
Article 34. Applicability of the Dutch General Administrative Law Act to
Decisions by Administrative Bodies
A written decision on a request as referred to in Articles 15 through 22 of the
Regulation is to be made within the time limit stated in Article 12(3) of the
Regulation and, insofar as made by an administrative body, qualifies as a
decision within the meaning of the Dutch general administrative law act.
Article 35. Applicability of Civil Law to Decisions by Non-Administrative
Bodies
1. If a party other than an administrative body makes the decision on a
request as referred to in Article 34, the interested party may file a
written request to the court to order the controller to grant or reject
the request as referred to in Articles 15 through 22 of the Regulation.
2. The request must be submitted within six weeks of receipt of the
controller's answer. If the controller has not answered within the time
limits stated in Article 12(3) of the Regulation, the submission of the
request is not subject to a time limit.
3. The district court will grant the request if it deems there are grounds
to do so. Prior to making a decision, the district court will give the
interested parties the opportunity to put forward their point of view if
necessary.
4. The request does not need to be submitted by a lawyer.
5. Section Three of Title Five of Book Two of the Wetboek van
Burgerlijke Rechtsvordering (Dutch code of civil procedure) applies
mutatis mutandis.
6. The district court may request that parties and others provide written
information and submit documents in their possession within a time
limit to be determined by the court. The controller and the interested
party must comply with said request. Articles 8:45(2) and (3) and
8:29 of the Dutch general administrative law act apply mutatis
mutandis.
Article 36. Dispute Resolution by the Data Protection Authority or
through a Code of Conduct
1. The interested party may also submit a request to the Data Protection
Authority for mediation or advice regarding a dispute with the
controller, or utilize a dispute-resolution procedure as referred to in
Article 40(2)(k) of the Regulation on the basis of an approved code
of conduct as referred to in Article 40(5) of the Regulation, and must
do so within the time limit specified for filing an objection on the
basis of the Dutch general administrative law act or within the time
limit referred to in Article 35(2). In such a case, the objection may
still be filed, in derogation of Article 6:7 of the Dutch general
administrative law act, or the procedure referred to in Article 35 may
still be initiated after the interested party has received notice from
the Data Protection Authority that the handling of the case has
ended or after the interested party has received notice pursuant to
the dispute-resolution procedure that the handling of the case has
ended, but not more than six weeks after that time.
2. During the handling of the appeal and the procedure referred to in
Paragraph 1, the agencies responsible for handling the dispute may
seek advice from the Data Protection Authority.
Article 37. Representation of Data Subjects
Processing may not form the basis for a claim as referred to in Article 305a of
Book 3 of the Dutch civil code or an appeal filed by the interested party in
proceedings under administrative law within the meaning of Article 1:2(3) of
the Dutch general administrative law act insofar as the person who is affected
by said processing objects to the claim.
Article 38. Suspensive Effect of Objections and Appeals
The effect of the order to impose the administrative fine is to be suspended
until the time limit for objections or appeals has expired or, if an objection or
appeal has been filed, until a decision is made on the objection or appeal.
Subsection 3.4. The Data Protection Officer
Article 39. Obligation to Observe Confidentiality
The data protection officer referred to in Articles 37 through 39 of the
Regulation is required to observe confidentiality regarding anything revealed
to said data protection officer on the basis of a complaint or request by the
data subject unless the data subject consents to disclosure.
Chapter 4. Exceptions and Restrictions
Article 40. Exceptions to the Prohibition on Automated Individual
Decision-Making
1. Article 22(1) of the Regulation does not apply if the automated
individual decision-making referred to in that clause, other than that
based on profiling, is necessary for the satisfaction of a statutory
obligation to which the controller is subject or is necessary for the
performance of a duty in the public interest.
2. The controller is to take suitable measures to protect the rights,
freedoms and justified interests of the data subject during
automated individual decision-making as referred to in Paragraph 1.
3. If the controller is not an administrative body, the suitable measures
as referred to in Paragraph 2 will in any event have been provided if
the right to obtain human intervention, the data subject's right to
state an opinion and the right to contest the decision have been
guaranteed.
Article 41. Exceptions to the Data Subject's Rights and the Controller's
Obligations
1. The controller may render the obligations and rights referred to in
Articles 12 through 21 and Article 34 of the Regulation inapplicable
if necessary and proportionate, for the purpose of:
a. national security;
b. national defense;
c. public safety;
d. prevention, investigation, detection and prosecution of criminal
offenses or enforcement of punishments, including protection
against and prevention of public safety hazards;
e. other significant objectives of public interest of the European
Union or of the Netherlands, in particular any significant
economic or financial interest of the European Union or the
Netherlands, including monetary, budgetary and fiscal
matters, public health and social security;
f. protection of the independence of the judiciary and judicial
proceedings;
g. prevention, investigation, detection and prosecution of
violations of the professional codes for regulated professions;
h. a monitoring, inspection or legislation duty that is associated,
even incidentally, with the exercise of public authority in the
cases referred to in points (a), (b), (c), (d), (e) and (g);
i. protection of the data subject or of the rights and freedoms of
others; or
j. enforcement of claims under civil law.
2. When applying Paragraph 1, the controller is to take at least the
following into consideration, insofar as applicable:
a. the objectives of the processing or of the categories of
processing;
b. the categories of personal data;
c. the scope of application of the implemented restrictions;
d. safeguards to prevent misuse or unlawful access or transfer;
e. the specification of the controller or of the categories of
controller;
f. the archiving periods and applicable safeguards, considering
the nature, scope and objectives of the processing or of the
categories of processing;
g. the risks to the data subject's rights and freedoms; and
h. the data subject's right to be notified of any restriction, unless
such notification could be prejudicial to the purpose of the
restriction.
Article 42. Exception to the Duty to Notify Data Subjects of Data
Breaches
Article 34 of the Regulation does not apply to financial enterprises as referred
to in the Dutch financial supervision act.
Article 43. Exceptions for Journalistic Purposes or for Academic, Artistic
or Literary Forms of Expression
1. With the exception of Articles 1 through 4 and 5(1) and (2), this Act
does not apply to the processing of personal data exclusively for
journalistic purposes or exclusively for the purposes of academic,
artistic or literary forms of expression.
2. The following chapters and articles of the Regulation do not apply to
the processing of personal data exclusively for journalistic purposes
or exclusively for academic, artistic or literary forms of expression:
a. Article 7(3) and Article 11(2);
b. Chapter III;
c. Chapter IV, with the exception of Articles 24, 25, 28, 29 and 32;
d. Chapter V;
e. Chapter VI; and
f. Chapter VII.
3. Articles 9 and 10 of the Regulation do not apply if the processing of
the data referred to in those articles is necessary for journalistic
purposes or for academic, artistic or literary forms of expression.
Article 44. Exceptions for Scientific Research and Statistical Purposes
The controller may refrain from observing Articles 15, 16 and 18 of the
Regulation when processing is carried out by agencies or services for
scientific research or statistical purposes and the necessary measures have
been taken to ensure that personal data can only be used for statistical or
scientific purposes.
Article 45. Exceptions for Archiving in the Public Interest
1. Articles 15, 16, 18(1)(a) and 20 of the Regulation do not apply to the
processing of personal data comprising part of an archive of
documents as referred to in Article 1(c) of the Archiefwet 1995
(Dutch public records act of 1995) and kept in an archive repository
as referred to in Article 1(f) of that act.
2. The data subject is entitled to access the archived documents unless
requests for access are so broad that they cannot reasonably be
granted.
3. The data subject is entitled to annotate the relevant archived
documents if the personal data is incorrect.
Article 46. Processing of National Identification Number
1. A number required by law for the identification of a natural person is
to be used in the processing of personal data exclusively for the
implementation of the relevant law or for purposes stipulated in the
law.
2. Cases other than those referred to in Paragraph 1 may be
designated by an order in council, in which case a number as
referred to in Paragraph 1 may be used. Further rules may apply to
the use of such a number.
Article 47. Exceptions to Data Subjects' Rights Regarding Public
Registers
1. Articles 15, 16, 18 and 19 of the Regulation do not apply to public
registers established by law if a special procedure for the correction,
addition, removal or protection of data is stipulated under or
pursuant to such legislation.
2. Article 21 of the Regulation does not apply to public registers
established by law.
Chapter 5. Transitional and Final Provisions
Article 48. Transitional Law
1. Any person appointed to the College bescherming
persoonsgegevens (former Dutch data protection authority) prior to
the entry into force of this Act will automatically be appointed as a
member of the Dutch Data Protection Authority.
2. Any person appointed Chair of the College bescherming
persoonsgegevens prior to the entry into force of this Act will
automatically be appointed Chair of the Dutch Data Protection
Authority.
3. When determining the term of the appointment referred to in
Article 7(5), the term served as Chair of the College bescherming
persoonsgegevens prior to the entry into force of this Act will be
considered a term served as Chair of the Dutch Data Protection
Authority.
4. Article 53(3), first, second and third sentence of the Wet
bescherming persoonsgegevens (Dutch personal data protection
act) remains applicable to members of the College bescherming
persoonsgegevens who were appointed or reappointed prior to
January 1, 2014, as the Act in question read prior to that time.
5. Any official appointed to the secretariat of the College bescherming
persoonsgegevens prior to the entry into force of this Act will
automatically be appointed as an official in the secretariat of the
Dutch Data Protection Authority.
6. Decisions taken by the College bescherming persoonsgegevens
prior to the entry into force of this Act will automatically be
considered decisions taken by the Dutch Data Protection Authority.
7. The Dutch Data Protection Authority will automatically take the place
of the College bescherming persoonsgegevens in statutory
procedures and lawsuits in which the College bescherming
persoonsgegevens was involved prior to the entry into force of this
Act.
8. The law as it applied prior to the entry into force of this Act will apply
to statutory procedures and lawsuits in which the College
bescherming persoonsgegevens was involved prior to the entry into
force of this Act.
9. The Dutch Data Protection Authority will automatically take the place
of the College bescherming persoonsgegevens in any cooperation
protocols at the time of entry into force of this Act.
10. The law as it applied prior to the entry into force of this Act will apply
to written requests as referred to in Article 46 of the Dutch personal
data protection act, lawsuits based on Article 49 of the Dutch
personal data protection act and claims based on Article 50 of the
Dutch personal data protection act that were already pending before
the court at the time of entry into force of this Act.
11. Any declaration of the legality of data processing issued prior to the
entry into force of this Act on the basis of Article 32(5), in
conjunction with Article 22(4)(c) of the Dutch personal data
protection act will automatically be considered a permit within the
meaning of Article 33(4)(c) of this Act.
12. Insofar as this Act does not provide for them, rules or more-specific
rules may be designated by an order in council for the
implementation of the Regulation or this Act.
Article 48a. Transitional Law II
[Will enter into force at a time to be determined]
This part has not yet entered into force; see the list of amendments
Article 49. Concurrence
[Editor: Amends this Act.]
Article 50. Evaluation
Our Minister will send to the States General a report on the practical effects of
and practical implementation of this Act within three years of the entry into
force of this Act and every four years thereafter.
Article 51. Repeal of the Dutch personal data protection act
The Dutch personal data protection act is repealed.
Article 52. Short Title of the Regulation
Regulation (EU) 2016/679 of the European Parliament and of the Council of
27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation) (PbEU
2016, L 119) is cited in other legislation as: General Data Protection
Regulation
Article 53. Entry into Force
The articles of this Act will enter into force on a date to be determined by royal
decree, which date may vary for different articles or parts thereof.
Article 54. Short Title of the Act
This Act is cited as: General Data Protection Regulation Implementation Act
We order and command that this Act be published in the Bulletin of Acts and
Decrees, and that it be diligently implemented by all ministries, authorities,
bodies and officials it may concern.
Issued in
Wassenaar, May 16, 2018
Willem-Alexander
Minister for Legal Protection,
S. Dekker
Minister of the Interior and Kingdom Relations,
K.H. Ollongren
State Secretary for the Interior and Kingdom Relations,
R.W. Knops
Issued on the twenty-second of May, 2018
Minister of Justice and Security,
F.B.J. Grapperhaus