THE NETHERLANDS

CHART INSTRUCTIONS:

 Legend: an entry marked "No Deviation" means local law does not deviate from the GDPR on that point.

 An entry marked "Deviating Requirement", "Specifying Requirement" or "Varying Requirement" means local law deviates from, specifies or varies the GDPR on that point.

NAME

Wet van 16 mei 2018, houdende regels ter uitvoering van Verordening (EU) 2016/679 van het Europees Parlement en de Raad van 27 april 2016 betreffende de bescherming van natuurlijke personen in verband met de verwerking van persoonsgegevens en betreffende het vrije verkeer van die gegevens en tot intrekking van Richtlijn 95/46/EG (algemene verordening gegevensbescherming) (PbEU 2016, L 119) (Uitvoeringswet Algemene verordening gegevensbescherming), commonly abbreviated UAVG. In English: Act of 16 May 2018 laying down rules implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU 2016, L 119) (GDPR Implementation Act). References to the "Dutch Act" below are to this Act.

Status: Adopted

SME EXCEPTION

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CHILD’S CONSENT (ART 8)

SPECIFYING REQUIREMENT:

  1. Age: Where information society services are offered directly to a child, the child can validly consent only from the age of 16; below that age, consent must be given by the person holding parental responsibility (Art 5(1) Dutch Act).

  2. Individual Rights: The person holding parental responsibility exercises the data subject's rights on behalf of a child under 16 (Art 5(4) Dutch Act).

  3. Curator or Legal Guardianship: Where the processing relates to a matter for which the data subject is legally incapable because they have been placed under guardianship (curatele) or mentorship (mentorschap), consent must be given by the legal representative, who may also withdraw it at any time (Art 5(2) Dutch Act).

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

DEVIATING REQUIREMENT:

  1. Genetic Data: The prohibition on processing genetic data does not apply where the data were obtained from the data subject concerned. It also does not apply where a serious medical interest prevails or the processing is necessary for scientific research or statistical purposes (Art 28 Dutch Act).

  2. Biometric Data: The prohibition on processing biometric data for the purpose of uniquely identifying a person does not apply where the processing is necessary for authentication or security purposes (Art 29 Dutch Act). The exception turns on necessity: a biometric check that is merely more convenient than a non-biometric alternative does not meet that test.

  3. Health Data: The prohibition to process health data does not apply to (Art 30 Dutch Act):
    1. Administrative bodies, pension funds, employers, or institutions acting on their behalf, provided processing is carried out to comply with a legal obligation (e.g., pension laws) or for the reintegration or assistance of employees or (unemployed) beneficiaries connected to sickness or disability.
    2. Schools, to the extent processing is necessary for assistance of scholars or to take special measures with regard to their health condition.
    3. Specific institutions (rehabilitation institutions, the Justice Department in the context of a prison sentence, institutions in the context of certain social security matters).
    4. Care providers, to the extent necessary to ensure treatment of the data subject, or the administration/management of an institution or medical practice. Also note that any other additional sensitive data can be processed by this category if necessary for adequate medical treatment of the data subject.
    5. Insurance companies, to the extent necessary to assess the risk that must be insured or for the execution of the insurance agreement.

Note that all of the above categories of processors of health data must be bound by a duty of confidentiality, whether by statute, profession or contract.

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

DEVIATING REQUIREMENT:

Criminal Data Processing: In addition to the cases permitted by Article 10 GDPR, data on criminal convictions and related security measures may be processed in the following specific cases (Arts 31 to 33 Dutch Act):

  1. the data subject has given explicit consent;
  2. the processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is unable to give consent;
  3. the data subject has manifestly made the data public;
  4. the processing is necessary in connection with legal claims;
  5. the processing is necessary for reasons of substantial public interest;
  6. the processing is necessary for scientific research or statistical purposes;
  7. the processing is carried out by bodies competent under criminal law or by public partnerships, or is necessary in connection with the processing of health data;
  8. the processing is carried out at the request of the data subject in order to take a decision about them; and
  9. the processing is carried out by a controller operating under a specific licence.

A violation of these provisions or of Article 10 GDPR falls in the highest fine bracket: up to €20 million or 4% of total worldwide annual turnover, whichever is higher (Art 17 Dutch Act).

INFORMATION OBLIGATION (ART 13 & 14)

No Deviation

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

DEVIATING REQUIREMENT: The prohibition on automated individual decision-making does not apply where such decision-making, other than profiling, is necessary to comply with a legal obligation imposed on the controller or for the performance of a task carried out in the public interest (Art 40 Dutch Act).

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

DEVIATING REQUIREMENT:

Restrictions: The controller may restrict the data subject's rights (Arts 12 to 21 GDPR) and the obligation to notify the data subject of a personal data breach (Art 34 GDPR) to the extent necessary and proportionate for:

(1) national security; (2) national defence; (3) public security; (4) the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties; (5) other important interests of the Netherlands or the EU (such as monetary and economic interests); (6) the protection of judicial independence and judicial proceedings; (7) the prevention and investigation of breaches of professional codes of conduct; (8) the protection of the data subject or of the rights and freedoms of others; and (9) the enforcement of civil law claims. A controller relying on a restriction must still take into account the safeguards of Art 23(2) GDPR, such as the categories of data involved and the measures taken against abuse or unlawful access or transfer of the data (Art 41 Dutch Act).

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

No Deviation

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

VARYING REQUIREMENT:

1. Restrictions to Data Subject's Rights: The Art 41 Dutch Act restrictions listed under "Restrictions to Data Subject's Rights (Art 23)" above (national security, defence, public security, criminal law enforcement, other important public interests, judicial independence, professional codes of conduct, protection of the data subject or of others, and civil law claims) also apply to the obligation to notify the data subject of a personal data breach under Art 34 GDPR. The notification to the supervisory authority under Art 33 GDPR is not affected.

2. Individual Notification Exemption: Financial undertakings as defined in the Financial Supervision Act (Wet op het financieel toezicht, Wft) are exempt from the obligation to notify data subjects of a personal data breach under Art 34 GDPR (Art 42 Dutch Act). The exemption covers only the notification to data subjects; the notification to the supervisory authority under Art 33 GDPR still applies.

DATA PROTECTION IMPACT ASSESSMENT (ART 35)

No Deviation

DATA PROTECTION OFFICER (ART 37(4))

No Deviation

CERTIFICATION (ART 42)

No Deviation

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

DEVIATING REQUIREMENT:

  1. "Last onder Bestuursdwang" (order subject to administrative enforcement): The supervisory authority may impose a last onder bestuursdwang for any violation of the GDPR or the Dutch Act. This is an order to end or remedy the violation; if the addressee does not comply, the authority may take the remedial action itself at the addressee's expense (Art 16 Dutch Act).

  2. Act Against EU Decision on Transfers: In the context of an investigation of data transfers initiated by an interested party, the Dutch supervisory authority may challenge an adequacy decision or a decision establishing standard contractual clauses adopted by the European Commission by applying to the Council of State (Raad van State).

  3. Dispute Resolution by the Dutch SA: After court proceedings have been initiated, the data subject may request the Dutch supervisory authority to mediate in the dispute with the controller (Art 36 Dutch Act).

CLASS ACTIONS (ART 80 (2))

DEVIATING REQUIREMENT:

Objection Right of Defendant: Class actions in civil and administrative proceedings are allowed only if the defendant does not object (Art 37 Dutch Act).

ADMINISTRATIVE SANCTIONS (ART 83)

SPECIFYING REQUIREMENT:

  1. Suspensive Effect of Objection and Appeal: An administrative fine becomes enforceable only after the period for objection or appeal has expired or, if an objection or appeal was lodged, after the decision on it has been issued (Art 38 Dutch Act).

  2. Administrative Fines on Public Authorities: The Dutch supervisory authority may impose administrative fines on Dutch public authorities and bodies in the same way as on private companies (Art 18 Dutch Act).

PENALTIES (ART 84)

No Deviation

FREEDOM OF EXPRESSION AND INFORMATION (ART 85)

No Deviation

HR PROCESSING (ART 88)

No Deviation

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

DEVIATING REQUIREMENT:

Sensitive Data Processing for Research: The prohibition on processing special categories of data does not apply where the processing is necessary for scientific or historical research or statistical purposes and all of the following are met: the research serves a public interest; requesting explicit consent proves impossible or would involve a disproportionate effort; and the processing provides sufficient safeguards for the data subject's privacy.

OBLIGATIONS OF SECRECY (ART 90)

DEVIATING REQUIREMENT:

Obligation of Secrecy: The data protection officer is bound by an obligation of secrecy or confidentiality regarding what they learn in that role; the data subject to whom the information relates may release the officer from that obligation (Art 39 Dutch Act).