In the Netherlands, the Council of State (Raad van State) presented the GDPR Implementation Bill (Uitvoeringswet Algemene verordening gegevensbescherming, Bill) to the Parliament on 13 December 2017. The GDPR has been implemented in a policy-neutral manner, meaning that the existing Dutch Data Protection Act (Wet bescherming persoonsgegevens, DDPA) has been upheld insofar as it is consistent with the GDPR. For instance, the Bill reiterates the age of 16 for the applicability of Article 8, as is currently the case under the DDPA. Furthermore, all exceptions that allow specific types of special categories of data to be processed by a specific category of controllers (e.g. employers, insurers and hospitals), or for specific purposes (e.g. identification purposes or sick leave management), have been maintained in the Bill (under chapter 3). Added to these are an exception for the processing of genetic data for prevailing substantial medical interests or for academic research with the consent of the data subject, and an exception for the processing of biometric data for authentication and security purposes. The Bill needs to be decided upon by the Second Chamber (Tweede Kamer), followed by the Upper Chamber (Eerste Kamer). We will of course keep you informed on the status of this Bill.
The full text, as well as the explanatory memorandum, can be read here (in Dutch only).