The Dutch GDPR Implementation Act, Privacy in Europe
The Dutch GDPR Implementation Act is a data privacy law that was recently passed in the Netherlands in 2018. Although the Netherlands is a part of the EU and falls under the jurisdiction of the General Data Protection Regulation or GDPR, provisions in the EU’s GDPR law allow for member states to also enact national legislation pertaining to certain aspects of data protection and personal privacy. As such, the Dutch GDPR Implementation Act and the General Data Protection Regulation act in accordance with one another for the purposes of regulating the collection, processing, and use of personal data within the Netherlands, as well as the penalties that data controllers and processors stand to face should they fail to comply with these laws.
What are the primary differences between the Dutch GDPR Implementation Act and the GDPR?
While many aspects of the Dutch GDPR Implementation Act and the EU’s GDPR law largely overlap, such as the scope and application of the law and the requirements of data controllers and processors under the law, the Dutch GDPR Implementation Act does establish certain provisions and regulations that are only applicable within the Netherlands. For example, while many data privacy laws provide data subjects with the right to be informed about the collection and processing of their personal data, as well as the right to request access to any personal data that has been collected or subsequently processed, the exemptions to such rights will vary from country to country.
As such, under the Dutch GDPR Implementation Act, data controllers operating within the country are not required to inform data subjects about the processing of their personal data in instances involving the “processing personal data by institutions or services for scientific research or statistics, where the required safeguards are put in place to ensure that the personal data can only be used for such purposes”, or in instances where the processing of personal data is used for “archiving in the public interest as regards governmental archives in the context of the Dutch Public Records Act 1995, provided that a data subject has a right of access in archive records, unless a request is not specified sufficiently.”
Moreover, the Dutch GDPR Implementation Act also differs from the EU’s GDPR law as it pertains to the exemptions of data controllers and processors with respect to the right to access. Under the Dutch GDPR Implementation Act, data controllers and processors operating within the Netherlands are not required to provide data subjects with the right to access their personal data, provided such processing activities are conducted in the context of “statutorily established public registers, in case applicable law provides for a special procedure for rectifying, complementing, deleting, or shielding personal data.” Additionally, the Dutch GDPR Implementation Act allows for similar exemptions regarding the right to rectification.
How do punishments under the Dutch GDPR vary from the GDPR?
While the punishments that data controllers and processors stand to face under the EU’s General Data Protection Regulation are also applicable under the Dutch GDPR Implementation Act, the latter does establish a different set of rules as it pertains to how fines are imposed on a national level. To this point, the Dutch GDPR Implementation Act also established the Fining Policy Rules, also known as the Policy for short, for the purposes of determining monetary penalties with regard to violations of the law. More specifically, “the AP has established a certain penalty amount which can be increased or decreased depending on various factors. Examples of such factors are the nature of the breach, the severity of the breach, the duration of the breach, the number of data subjects involved, the intentional or negligent nature of the breach, and the measures taken to limit damages suffered by the data subjects.”
Furthermore, the Dutch data protection authority, or AP for short, also has the authority to impose a variety of administrative fines against data controllers and processors who fail to adhere to the provisions set forth in the Dutch GDPR Implementation Act and General Data Protection Regulation respectively. Such administrative fines include:
- An “administrative fine for orthodontic practice due to an unsecured patient website” – €12,000 ($13,530)
- An “administrative fine for CP&A for violation of the privacy of sick employees” – €15,000 ($16,913)
- An “administrative fine for LocateFamily.com fine for missing representative in EU” – €525,000 ($591,853)
- An “administrative fine for political party PVV Overijssel for failing to report data breach” – €7,500 ($8,455)
- An “administrative fine for the municipality of Enschede for WiFi tracking” – €600,000 ($676,404)
- An “administrative fine for Booking.com for late reporting of a data breach” – €475,000 ($535,477)
Through the passing of the Dutch GDPR Implementation Act, data subjects within the Netherlands are provided with a level of data protection and personal privacy that few other nations around the world can replicate. As the provisions of the EU’s GDPR law allow for nation-states to enact their own legislation pertaining to data protection, laws such as the Dutch GDPR Implementation Act allow for countries within the EU to provide their respective citizens with the most comprehensive level of data protection possible. As such, data subjects residing within the Netherlands have multiple avenues for recourse should they feel as though their rights are infringed upon.