Data Protection in the Netherlands

From GDPRhub
Revision as of 07:50, 6 May 2024 by Sfl (talk | contribs) (Purely visual alterations)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Data Protection in the Netherlands
Nl.png
Data Protection Authority: Autoriteit Persoonsgegevens (AP) (The Netherlands)
National Implementation Law (Original): Uitvoeringswet Algemene verordening gegevensbescherming
English Translation of National Implementation Law: n/a
Official Language(s): Dutch
National Legislation Database(s): Link
English Legislation Database(s): n/a
National Decision Database(s): Link

Legislation

History

Before a unified law on data protection was introduced, several sector specific regulations, such the Electronic Communications Act and the Telecommunications Act, included data protection rules.

Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data was transposed in Dutch law in 1988 in the form of the Wet persoonsregistraties. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data was transposed in the form of the Wet bescherming persoonsgegevens.

Wet bescherming persoonsgegevens established a stronger data protection by emphasizing individuals' rights over their personal data and giving the Dutch Data Protection Authority (DPA) a broader power.

As the GDPR took effect in the European Union (EU) on May 25, 2018, it replaced both the Data Protection Directive (95/46/EC) and the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens).

National constitutional protections

The right to privacy is protected by articles 10 (general right to privacy), 11 (inviolability of one's body), and 13 (secrecy of correspondence) of the constitution.

Provisions of treaties which "by nature and content" may bound, will do so automatically once published (article 93 of the constitution). Because of this, treaties such as the ECHR and ratified protocols have the status of law.

National GDPR implementation law

In Netherlands the GDPR is implemented by the Uitvoeringswet Algemene verordening gegevensbescherming[1] (“Dutch GDPR Implementation Act”).

Age of consent

In relation to information society services the age of consent is 16 years following Article 8(1) GDPR. There is no specific age of consent for other support and advisory services offered directly and for free to a minor, following Article 5(5) UAVG. In all other situations, the age of consent is 16 years, following Article 5(1) UAVG.

Freedom of Speech

Pursuant to Article 43 of the Dutch GDPR Implementation Act, if personal data is processed exclusively for journalistic purposes or academic, artistic, or literary forms of expression, then the regulations pertaining to data subject rights do not apply.

Employment context

The details on processing of personal data in an employment context are regulated in the privacy booklet published by the Dutch Data Protection Authority. The booklet contains matters such as how to exercise the right of consent with regard to processing and protection of employee personal data and digital employee tracking systems. The Dutch Data Protection Authority also published further explanations on its website.

Research

As per the Article 44 of the Dutch GDPR Implementation Act, and Articles 15, 16, and 18 of the GDPR do not apply in case personal data is processed by institutions or services for scientific research or statistics, and the required safeguards are implemented to ensure that the personal data can only be used for such purposes.

Other relevant national provisions and laws

National ePrivacy Law

The Telecommunications Act is the primary legislation governing the telecommunications sector in the Netherlands, including a chapter on privacy and telecommunications transposing the Directive on Privacy and Electronic Communications (2002/58/EC).

Data Protection Authority

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is the national data protection authority for the Netherlands.

→ Details see AP (The Netherlands)

Judicial protection

Civil Courts

Under Art. 79 GDPR, civil (and other) proceedings can be brought directly against a data controller. The rules of civil procedure are laid down in the Dutch Code of Civil Procedure.

Administrative Courts

Appeals from the Dutch DPA can be brought before one of the District Courts of First Instance (Rechtbank - Rb.) and further to the Administrative Jurisdiction Division of the Council of State (Afdeling Bestuursrechtspraak van de Raad van State - ABRvS).

Constitutional Court

There is no constitutional court in the Netherlands. Courts are explicitly prohibited by article 120 of the constitution to judge the constitutionality of national laws or treaties.

Supreme Court

Hoge Raad

As the highest court in the fields of civil, criminal and tax law in the Netherlands, the Supreme Court ('Hoge Raad') is responsible for hearing appeals in cassation and for a number of specific tasks with which it is charged by law.

Het Parket bij de Hoge Raad

The main task of the Procurator General of the Supreme Court is to provide the members of the Supreme Court with independent advice – known as an ‘advisory opinion’ (conclusion)- on how to rule in the cassation proceedings before them.

References