Companies that process personal data (for example on employees or customers) risk a higher monetary fine under criminal law as from 9 February 2012, if they (deliberately) fail to comply with requirements including the notification obligation. This is one of the consequences of the amendments to the Dutch Personal Data Protection Act [Wet Bescherming Persoonsgegevens, WBP]. The act sets out how companies must handle personal data so as not to infringe the privacy of those involved.
Requirements under the amended Personal Data Protection Act?
The WBP includes the following administrative obligations:
- Companies that process personal data by means of computer or that record such data in a database, are basically obliged to notify the Dutch Data Protection Authority [College Bescherming Persoonsgegevens] that they are doing so.
The amended act maintains this obligation but means that companies that fail to comply with the notification obligation risk a higher criminal law penalty, up to a fine of the fourth category (EUR 19,000) in the case of deliberate contravention.
- Previously, companies that transferred data to countries without an appropriate level of data protection (which includes the United States) were only permitted to do so if they held a permit from the Ministry of Security and Justice.
The amendment means that it is no longer necessary to apply for a permit from the Ministry before transferring data to such countries; the condition is, however, that an unaltered model contract is used that has been approved by the European Commission.
Changes have also been made regarding the obligation to carry out a prior investigation, reporting by the data protection officer, processing of special (sensitive) personal data, and the right of objection in the case of direct marketing.
What steps does your company need to take?
To prevent liability, your company needs to analyse its data administration procedures to determine the extent to which it processes personal data – whether or not by means of computer – and whether proper notification of these procedures and processes has already been made to the Dutch Data Protection Authority. This includes such things as your company's staff and salary records, customer records, debtors and creditors, access records, CCTV, arrangements regarding whistle-blowers, etc.
This amendment would seem to be the first of many changes that we can expect in the next few years in the law regarding privacy. An amendment to the WBP is currently under discussion, for example, to introduce a notification obligation for companies in the event of the loss, theft, or improper use of personal data (data leaks).
On 25 January 2012, the European Commission also published a proposal for a new EU regulation on the processing of personal data. Besides general, directly applicable rules for the protection of personal data, the draft regulation also introduces substantial penalties of up to EUR 1 million or 2% of the company's (global) annual turnover!
Both the legislative amendment and the draft EU regulation still have a long way to go, but tightening up of the rules and penalties is now a fact of life. Given the enormous impact of the impending amendments (including financially), we advise that you get started as soon as possible on analysing the personal data processed by your company, because experience shows that this is a time-consuming and complex process.