Like all other countries, the Netherlands is not without rules when it comes to data processing. De Algemene Verordening Gegevensbescherming – or the GDPR – is just one example. This article will dive deep into the state of Dutch data privacy to tell you everything you need to know about this law, as well as the countless other provisions and enforcement measures that exist to protect the citizens of the Netherlands.

What Laws Do the Netherlands Have for Data Privacy?

In the Netherlands, data privacy is governed by several laws, the two most consequential being the European Union General Data Protection Regulation (EU GDPR) and the Dutch GDPR Implementation Act. Read below for more information about each.

What Is the European Union General Data Protection Regulation (GDPR)?

The EU General Data Protection Regulation is a set of laws adopted by all 27 member countries of the European Union.

Listed out, this includes:

– Austria
– Belgium
– Bulgaria
– Croatia
– Cyprus
– Czech Republic
– Denmark
– Estonia
– Finland
– France
– Germany
– Greece
– Hungary
– Ireland
– Italy
– Latvia
– Lithuania
– Luxembourg
– Malta
– The Netherlands
– Poland
– Portugal
– Romania
– Slovakia
– Slovenia
– Spain
– Sweden

The United Kingdom was also once part of the EU GDPR but pulled out following the Brexit decision in 2016. It now has its own set of policies, very similar to the European Union’s: the UK GDPR. The remaining member nations, including the Netherlands, still use the original framework.

The EU’s GDPR was implemented in 2016 as a replacement for the bloc’s aging 1995 Data Protection Directive. This long-called-for update brought laws up to speed with the novel risks of twenty-first-century technology.

At its core, the GDPR maintains the goal of protecting citizens’ privacy online. It lays out concepts that were among the first of their kind when introduced and is considered one of the most stringent privacy protection regulations in the world. Through its directives, this law essentially mandates that companies and large organizations have a legal basis to collect people’s data; they can’t simply harvest all of the personal information they want. Instead, it must be acquired through properly informed and direct consent.

The GDPR follows a staunchly ‘opt-in’ framework, meaning the consent that businesses receive from users must be requested and accepted, rather than assumed. Official documents further define it as “freely given, specific, informed, and unambiguous”. It also needs to be provided through a “clear affirmative action”, like clicking an ‘Accept’ button. Pre-ticked boxes and pressure tactics are not allowed.

While adopted in the spring of 2016, the GDPR didn’t become fully enforceable until May 25th, 2018. It’s after this point that regulators received the power to impose fines on non-compliant parties. These can soar to 10 million euros or up to two percent of a company’s annual revenue, with the higher option always being applied. Changes are constantly being considered for the law, especially as the online landscape it regulates continues to evolve over time.

The GDPR’s Scope in the Netherlands

Aside from a few added provisions under the Dutch GDPR Implementation Act – which we’ll get to later – the Netherlands’ application of the General Data Protection Regulation is very similar to that of other member countries.

Broken down into key principles, it imposes requirements that data…

● be processed lawfully, fairly, and transparently.
● be collected for specific, explicit, and legitimate reasons.
● be adequate, relevant, and limited to only what is necessary for processing.
● be accurate and kept up-to-date.
● be kept no longer than necessary for the purposes for which it is processed.
● be processed in a way that ensures protection against unauthorized access, accidental loss, destruction, or damage.

Key Rights Under the GDPR

As mentioned earlier, the Netherlands’ GDPR provides any and all citizens within its national borders with fundamental rights over their personal data. Here’s a look at those rights in closer detail:

The Right to be Informed

Individuals have the right to be informed about the collection and use of their personal data by organizations. They must understand how their information will be used and what rights they have regarding it.

The Right of Access

The right of access entitles people to obtain a copy of their personal data, as well as other supplementary information related to its processing.

The Right to Rectification

Those within the Netherlands have the right to request and obtain rectification of their personal data that is inaccurate or incomplete. They can also request that any incorrect information be updated or deleted.

The Right to Erasure

The Netherlands’ GDPR also grants people the right to request that any personal data held about them be erased from an organization’s database when it is no longer necessary or applicable.

The Right to Object/Opt-Out

Opt-in consent is a major tenet of the GDPR. In addition to requiring it, the law also gives citizens the ability to revoke consent at any time. Businesses are expected to make this process as easy and simple as providing consent.

The Right to Data Portability

Data portability refers to the act of moving data from one place to another. The GDPR outlines rules regarding portability, specifically requiring businesses to store the information they collect in an easily accessible format. This way, the data subject can easily move their data from one service provider to another. The EU also requires that any company providing services must allow its customers to download all of the personal information they have stored in a structured and machine-readable format.

Data portability is considered critical in ensuring individuals have full control over their personal information and can choose which services they want to use with ease.

The Right Not to be Subject to Automated Decision-Making

This last principle is kind of technical, but still a core part of GDPR rules. It provides individuals with the inherent right not to be subject to a decision based solely on automated processing, including profiling. This means that if an organization wants to use automated decision-making (like algorithms), they have to take into consideration the impacts and results of these decisions before implementing them. They also need to provide an opt-out option for any automated processing activities and ensure the accuracy of the data used in such decisions.

Exceptions to the Netherlands’ GDPR Rules

The Netherlands has established several grounds upon which it allows the above terms of the GDPR to be disregarded.

These include:

● national security
● national defense
● public security
● the prevention, investigation, detection, and/or prosecution of criminal offenses
● the execution of criminal penalties
● the prevention of threats to public security
● the pursuit of objectives of public interest of the EU or the Netherlands, such as monetary, budgetary, taxation, public health, and social security matters
● the protection of judicial independence and judicial proceedings
● the prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions
● the protection of a data subject or the rights and freedoms of others
● the enforcement of civil law claims

What Is the Dutch GDPR Implementation Act?

The Dutch GDPR Implementation Act basically takes the principles outlined in the above section and puts them into practice. Most EU countries have some sort of similar law, designed to outline the specific terms of their participation in, and enforcement of, the GDPR.

The Netherlands in particular makes use of several “opening clauses” in the legislation. This refers to specific parts of the GDPR that are subject to interpretation by each country. In other words, these clauses provide room for national variation in how the GDPR is implemented and enforced.

The most noteworthy changes made by the Dutch include derogating provisions that adapt data subjects’ and public authorities’ rights in certain scenarios. The Dutch GDPR Implementation Act also specifies additional provisions covering sectors such as health and employment.

But like the rest of the European Union, key GDPR rules still apply. A business does not need to be located in the Netherlands to become subject to data protection requirements; it simply needs to be a processor of its citizens’ data.

On that front, the Dutch government has an internal department tasked with the enforcement of the GDPR. It’s known as the Dutch data protection authority, or AP, an abbreviation of its Dutch name, ‘Autoriteit Persoonsgegevens’. This agency has the responsibility of both providing guidance and sanctioning organizations that fail to comply with the GDPR.

According to the GDPR and Dutch General Administrative Law Act, the AP can:

● Monitor compliance
● Exercise advisory powers
● Impose administrative fines for non-compliance
● Impose orders against non-complying organizations
● Take legal action against infringements of third-country data transfer rules
● Cooperate with other supervisory authorities

Experts note that, like other agencies of its kind, the Dutch data protection authority is becoming increasingly willing to take action against GDPR violations. The law has been around for long enough that companies are expected to know their obligations and follow them, although some continue to ignore the importance of doing so.

Just last year, the AP announced a major €3.7 million penalty against the Tax and Customs Administration for its violation of GDPR guidelines. This high-profile incident occurred after years of illegal data processing by the group’s Fraud Signaling Facility (FSV).

The €3.7 million fine accounts for not one or two, but six violations, including a lack of legal basis for processing personal data (€1 million); no predefined purpose for data processing (€750,000); the use of incorrect and non-updated data (€750,000); unnecessarily long possession of personal data (€250,000); inefficient security protocols (€500,000); and untimely involvement of a Data Protection Officer.

Operating Online in the Netherlands: What You Need to Know

With all of the long and arduous stuff out of the way, we can now nail down the fundamentals of what you need to know when engaging in online activity in the Netherlands.

Take a look at these condensed takeaways:

GDPR Qualifying Criteria

A business can be considered covered by the requirements of the GDPR if it works with or sells the personal data of European Union residents. Unlike some other data protection laws, there is no minimum threshold to meet here, meaning organizations of any size can qualify. Companies don’t need to be physically located in the EU, either. They must simply do business with EU citizens.

Definition of ‘Personal Data’

The term ‘personal data’ is very subjective. But according to the Dutch, it’s defined as “any information relating to an identified or identifiable natural person”. What does that mean? Well, in practical terms, it refers to any information that is associated with an individual’s identity. This could include name, address, email address, IP address, etc.

Types of Data Processing That Qualify

It’s important to recognize that the Netherlands’ data protection policies apply to virtually all types of data processing, including the partly and fully automated kinds.

Notification Requirements

The requirement explained earlier about keeping individuals’ data secure from loss and damage comes with an added layer of responsibility. In the case that any kind of incident or breach does occur, organizations are obligated to report it to the Dutch DPA within 72 hours.

Data Protection Officer

Having a Data Protection Officer (DPO) is a smart move if you plan on doing business in the Netherlands, or any country with strong privacy protection laws for that matter. This individual is the go-to person for all things related to data processing and privacy. They are responsible for ensuring that organizations comply with the GDPR, as well as advising on any other legal requirements that apply.


Compliance with the Netherlands’ data protection laws is monitored and enforced by its national Data Protection Authority. It has the power to impose fines and other penalties for violations, including several at once. The highest single-infraction fine currently stands at one million Euros.

The Netherlands has set a high bar when it comes to data privacy and protection. But it’s nowhere near perfect. As technology continues to evolve, more laws and considerations will be needed to fully face online privacy risks. Ensuring everyone’s safety ultimately comes down to vigilance across the board. Whether you’re a company, large organization, or individual, we can all benefit from education about online security and privacy.

By leveraging advanced cybersecurity solutions, such as TeraDact’s products Tokenizer+, Redactor+, and Secrets+, entities in the Netherlands can enhance their data security measures and stay ahead of potential threats. Tokenizer+ helps protect sensitive data by securely tokenizing it, minimizing the risk of unauthorized access. Redactor+ enables the redaction of sensitive information from documents, mitigating inadvertent exposure. Additionally, Secrets+ provides robust encryption and secure storage solutions, ensuring that confidential data remains protected from malicious actors. By embracing these cutting-edge technologies and incorporating them into existing privacy frameworks, the Netherlands can further fortify its data privacy ecosystem. By maintaining vigilance, fostering education, and leveraging innovative solutions like TeraDact’s products, we can collectively work towards a safer and more secure digital landscape. Reach out today to get started.