Data protection

i Requirements for registration

The General Data Protection Regulation (GDPR) was implemented in all European countries on 25 May 2018 to harmonise data privacy laws across Europe. The GDPR replaces the Dutch Personal Data Protection Act and is accompanied by the General Data Protection Regulation (Implementation) Act.

Under the GDPR, a data controller or joint data controllers must keep records of all processing activities. As a consequence, all organisations must have a privacy policy to provide the supervisory authorities with relevant information if required. This internal documentation obligation does not apply to companies or organisations of fewer than 250 people, unless 'the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data [. . .] or personal data relating to criminal convictions and offences'. The records must include the name and contact details of the data controller and the contact details of the data protection officer, a list of the categories of data that are processed, whether the data will be sent to countries outside the European Union and what kind of security measures have been taken.

The data protection officer (if available) has the obligation to inform the data subjects, among other things, about the identity and contact details of the data controller, the contact details of the data protection officer, the purpose of processing data, the recipients of the data and the retention period.

The data controller must implement appropriate technical as well as organisational measures to secure personal data against loss or against any form of unlawful processing. These measures will guarantee the appropriate level of security given the risks associated with the processing and the nature of the data being protected. The measures must also aim to prevent unnecessary collection and further processing of personal data.

In principle, the data should be accessible to the data subjects. Consequently, data subjects may ask, at reasonable intervals, whether (and what) personal data relating to them is processed. Furthermore, data subjects can, under certain circumstances, request the employer to rectify, supplement or erase personal data, or can object to certain processing of personal data.

The Dutch Data Protection Authority supervises compliance with legislation on the use of personal data. This data may be processed in a personnel file if it is necessary in connection with the performance of the employment contract. The obligations set out by the Data Protection Authority include the following:

  1. Employers are responsible for ensuring that the data in their personnel records are correct and accurate.
  2. Data in personnel files must be sufficient, serve the purpose at hand and not be excessive, given the purpose for which they are processed.
  3. Employers must inform their employees about the purposes for which they are collecting the employees' data.
  4. Employers must take suitable technical and organisational measures to secure personal data against loss or against any form of unlawful processing.
  5. Personal data may not be stored any longer than is necessary to achieve the purposes for which they are collected and subsequently used.
  6. Employers must afford their employees the opportunity to inspect their personal data and to correct them. This right of inspection generally applies to the entire personnel file.

The Dutch Data Leaks (Reporting Obligation) Act took effect on 1 January 2016. This Act imposes an obligation on organisations (both businesses and government bodies) to immediately notify the Data Protection Authority in the event of a serious data breach.

ii Cross-border data transfers

Personal data may not be exported to countries outside the European Union, unless the receiving country guarantees an adequate level of protection. No exceptions apply to transmitting personal data to group companies. The party responsible must assess whether the receiving country provides an adequate level of protection. For example, such an assessment might be made by checking whether the European Commission (EC) or the Dutch Minister of Justice has issued an opinion about the level of protection in the third country. The EC has decided that the following countries provide adequate levels of protection: Jersey, Andorra, Argentina, Canada (the parts that fall under the Canadian Personal Information Protection and Electronic Documents Act), Faeroe Islands, Guernsey, Isle of Man, Switzerland and Uruguay. The countries belonging to the European Economic Area are also deemed to guarantee an adequate level of protection.

Given that no general federal legislation on the protection of personal data exists in the United States, it is difficult to assess whether an adequate level of protection exists. On 12 July 2016, the EC adopted the EU–US Privacy Shield adequacy decision. Every organisation in the United States that is certified under the Privacy Shield has an appropriate level of protection (for the duration of the certification).

iii Sensitive data

The processing of special personal data, such as data regarding race or ethnic origin, political opinions, religious or personal beliefs, membership of a union, genetic or biometric identification data, health, sexual preferences or criminal record is, in principle, prohibited. The GDPR provides circumstances where the processing of sensitive personal data is allowed, for example, if the data subject has given his or her explicit consent, or if he or she has manifestly made the data public.

iv Background checks

It is common for companies to conduct a background check when they intend to hire a new employee. This background check may include asking the job applicant for additional background information, researching public resources (the internet, social media) or checking references. From a privacy law perspective, it is important to tailor screening activities to the position and qualifications needed. In this respect, the interest of the future employer should be weighed against the applicant's privacy interest. Furthermore, discrimination on the grounds of age, race, gender, religion, belief, political conviction, nationality, sexual orientation, marital status, disability or chronic disease is prohibited.

Employers may only obtain information about the credit record of an applicant or employee from the applicant or employee, from a public source, or with his or her permission. Applicants and employees are not obligated to answer questions about their credit record, unless it is relevant to the performance of the job. Whether processing these data is permitted will depend on the position. Information about criminal records of applicants and employees qualifies as sensitive personal data. Processing these data is prohibited unless a statutory exception applies. If, however, criminal records are relevant for the performance of a job, applicants and employees must inform the employer about them (e.g., an accountant who has been convicted of fraud or a primary school teacher who has been convicted of child abuse). The employer may ask an applicant or employee to provide a certificate of conduct issued by the Judicial Agency for Testing, Integrity and Screening of the Ministry of Security and Justice if the certificate is relevant for the position.

In addition to the above, it is generally prohibited to request medical tests, to ask questions about the use of illegal narcotics (in spare time) or to process health data. Drug or alcohol tests are considered medical tests and the related data are health data.