A long-awaited bill to amend the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens) ("PDPA") has recently been submitted to the lower chamber of the Dutch parliament (the Tweede Kamer). The aim of the bill is to reduce the costs and administrative burden of compliance with the PDPA and to rectify a number of technical legislative errors. In addition, a few other changes are proposed. Although this bill represents an improvement in a number of respects, it is nevertheless something of a disappointment. This is because it does not solve all of the practical problems in the PDPA and, in fact, appears to give rise to an increased burden with regard to some points.

Amendments to the Exemption Decree (Vrijstellingsbesluit) under the PDPA are expected soon. This decree – which specifies the cases in which there is an exemption to the requirement to notify the processing of personal data to the Dutch Data Protection Authority (College Bescherming Persoonsgegevens) – will be expanded and clarified. In addition, a new Code of Conduct on the Processing of Personal data by Financial Institutions (Gedragscode Verwerking Persoonsgegevens Financiële Instellingen) is expected in the short.

Below you will find an overview of a number of important changes under the bill to amend the Personal Data Protection Act ("PDPA"). These are in addition to, among other things, the proposed increase of the fine that can be imposed in the event of non-compliance with certain requirements under the PDPA, such as the requirement to notify the processing of personal data.

Special personal data

  1. In principle the processing of special personal data, including personal data concerning a person's criminal behaviour, is prohibited. The PDPA (Articles 16 et seq.) specifies the cases in which the processing of such data is permitted.
  2. Under the bill, the processing of personal data concerning a person's criminal behaviour will also be permitted by, or for the account of, forms of cooperation governed by public law between data controllers or groups of data controllers, if the processing is necessary for the performance of the relevant duty and sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent.
  3. In addition, the bill contains a new ground for the processing of all types of special personal data specified in the PDPA. The processing of such data by the Data Protection Authority or by an ombudsman will be permitted if the processing is necessary with a view to an important public interest, for the performance of a duty imposed by law and sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent.  

The original intention was to lay down a general exception for the processing of personal data by an ombudsman, supervisory authorities and accounting firms (accountantsorganisaties). However, it was subsequently decided that there were too many differences between these bodies to allow them to be encompassed by one simple criterion. According to the explanatory memorandum to the bill, it is possible that more specific exceptions for certain particular tasks will be laid down in sector-specific legislation for these categories in due course.

  1. Another situation in which the processing of special personal data will be permitted is where this is necessary for the defence of the vital interests of the data subject or a third party and it appears to be impossible to obtain express consent (one of the current general exceptions). This exception will only rarely arise. In the explanatory memorandum to the bill, it is pointed out that, under the PDPA as it currently stands, it is already unlikely that a party will not provide personal data in cases in which there is an acute danger to someone's life or health. In the interests of certainty, however, the above amendment is proposed.  
  2. Unfortunately, no further exceptions to the prohibition against the processing of, for example, personal data concerning a person's health, have been laid down in the bill. Apparently, there was already ample scope to do so under the current statute.

Prior investigation

  1. Pursuant to Article 22 of the PDPA, one of the situations in which the processing of personal data concerning criminal behaviour is permitted is where such data are processed for the account of a third party and (i) the third party is a legal entity forming part of the same group, as referred to in Article 2:24b of the Dutch Civil Code; (ii) a licence has been issued under the Private Security Organisations and Investigation Bureaus Act; or (iii) the Data Protection Authority has been requested to initiate a prior investigation. The PDPA also specifies the cases in which a prior investigation should be requested: one of these is when a data controller plans to process personal data concerning criminal behaviour for the account of a third party other than in accordance with a licence issued under the Private Security Organisations and Investigation Bureaus Act (Article 31). The text of the statute is therefore inconsistent, because Article 31 does not refer to the group companies exception. Under the bill, this omission will be rectified.
  2. Article 31 also provides that a prior investigation must be requested if a data controller plans to record personal data on the basis of his/its own observations without informing the data subject. This wording was found to be unclear. For this reason, under the bill, the phrase "on the basis of his/its own observations" will be replaced with "on the basis of the targeted collection of information through his/its own investigations".

Direct marketing

Article 41 of the PDPA contains more detailed rules on direct marketing. The current provision states as follows:  

"Article 41  

  1. Where data are being processed in connection with the creation or maintenance of a direct relationship between the data controller or a third party and the data subject with a view to solicitation for commercial or charitable purposes, the data subject may register an objection to such processing with the data controller at any time and free of charge.
  2. In the event of an objection, the data controller shall take the steps required to stop this form of processing with immediate effect.
  3. Data controllers who are planning to provide personal data to third parties or to use such data for the account of third parties for the purposes referred to under 1. shall take appropriate steps to notify the data subjects of the possibility of registering an objection. This notification shall be made via one or more newspapers or free-sheet publications, or in some other suitable way. In the event of regular provision to, or use for the account of, third parties, the notification shall take place at least once a year.
  4. Data controllers processing personal data for the purposes referred to under 1. shall make sure that, whenever a direct message is sent for the said purposes to the data subjects, the latter are notified of the possibility of registering an objection."

The new article as laid down in the bill provides as follows:  

"Article 41  

  1. Where data are being processed in connection with the creation or maintenance of a direct relationship between the data controller or a third party and the data subject with a view to solicitation for commercial or charitable purposes, the data subject may register an objection to such processing with the data controller at any time and free of charge.
  2. In the event of an objection, the data controller shall take the steps required to stop this form of processing with immediate effect. The data controller shall, upon request, notify the data subject of the steps taken within a period of four weeks. If such notification cannot be given within a period of four weeks, the data controller shall inform the data subject, no later than four weeks following the date of receipt of the request, of the period within which the notification can be given.
  3. Data controllers processing personal data for the purposes referred to under 1. shall take appropriate steps to notify the data subjects of the possibility of registering an objection."

The proposed addition to paragraph 2 of Article 41 seems likely to lead to a greater administrative burden. Furthermore, the proposed elimination of the requirement currently laid down in paragraph 4 is unlikely to lead to a reduction of this burden, given that it is often the practice in commercial communications to include standard text about the right to register an objection. In addition, the content of paragraph 4 is completely in line with requirements laid down in the Telecommunications Act (Article 11.7), about which we sent out an earlier newsletter. The Data Protection Authority has also expressed objections to this effect, but these did not result in a change to the text of the bill.  

International transfer of data  

  1. If personal data are to be transferred to a country outside the EU and - in brief - it has not been determined by the European Commission that the relevant country offers an adequate level of protection, transfer of the data is only permitted in a few exceptional situations set out in the PPDA (Article 77). These include, but are not limited to:  

(i) where the data subject has unambiguously given his/her consent;  

(ii) where the transfer is necessary for the performance of a contract;  

(iii) where the transfer is necessary for the establishment, the exercise or the defence in law of any right; or  

(iv) where a permit for the transfer has been obtained from the Minister of Justice.

  1. In order to obtain a permit for the transfer the EU-approved standard contractual clauses are often used. Under the bill, a permit will no longer be required if the abovementioned standard clauses are used (without any changes). The Data Protection Authority requested that the bill explicitly refer to use of such standard contractual clauses in unchanged form. No such reference has been included in the bill, but it has been included in the explanatory memorandum to the bill.