Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

As of 25 May 2018, the EU General Data Protection Regulation (GDPR) is applicable. As the GDPR is a regulation, the various rights and obligations as described in the GDPR are immediately enforceable in the Netherlands. The GDPR allows member states to implement rules regarding specific topics, for example the designation of the Dutch Data Protection Authority (the Dutch DPA). This means the Netherlands has, besides the GDPR, a national data protection law as well (Dutch implementing law of the GDPR).

Further, a new ePrivacy Regulation will soon enter into force which will repeal Directive 2002/58/EC, also called the Cookie Law. In January 2017, the first proposal text of the regulation was published.

Other laws that form part of the legal framework are the Dutch Constitution, the Dutch Telecommunication Act (which imposes various obligations on service providers providing e-services), the Voting Law, the Police Data Act, the Judicial and Prosecution Data Act, the Basic Registration of Persons Act, the ECHR, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Organisation for Economic Co-operation and Development guidelines.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

In the Netherlands, the Dutch DPA oversees the data protection law. The Dutch DPA supervises processing of personal data in order to ensure compliance with laws that regulate the use of personal data. The task of the Dutch DPA can be roughly divided into the following sections: supervision, advice, awareness, information and accountability and international assignments.

The Dutch DPA has investigative powers. All investigative powers are laid down in article 58 of the GDPR. In short, the Dutch DPA has the power:

  • to order controller and processor to provide information it requires for the performance of its tasks;
  • to carry out investigations in the form of data protection audits;
  • to notify the controller or processor of an alleged infringement of the GDPR;
  • to obtain access from the controller and the processor to all personal data and to all information necessary for the performance of its tasks; and
  • to obtain access to any premises of the controller and the processor.

Legal obligations of data protection authority

Are there legal obligations on the data protection authority to cooperate with data protection authorities, or is there a mechanism to resolve different approaches?

The GDPR explicitly provides for cooperation between the various data protection authorities. We refer to articles 60-62 of the GDPR.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

The Dutch DPA can impose administrative fines pursuant to article 83 of the GDPR. Further, every quarter the Dutch DPA publishes an overview of all data breaches that have been notified to the Dutch DPA. In the period October-December 2017, 2,787 data breaches were notified to the Dutch DPA. In this fourth quarter, the Dutch DPA initiated investigations in 132 cases concerning security and possible data breaches that were not notified to the Dutch DPA.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

Some areas of activity are excluded from the GDPR. Article 2 of the GDPR provides that the GDPR does not apply to the processing of personal data when:

  • an activity falls outside the scope of EU law (such as national security);
  • a natural person processes personal data in the course of a personal or household activity;
  • competent authorities process personal data for the purposes of, among others, prevention and investigation of criminal offences or the execution of criminal penalties; or
  • Chapter 2 of title V of the Treaty on the European Union applies.

The Dutch implementing law provides further exemptions. For instance, articles 12-21 and 34 of the GDPR do not apply where processing of personal data is necessary and appropriate to guarantee national security, public safety, or the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties. Other exemptions also apply, such as the protection of the independence of the judiciary and of legal proceedings, and the prevention, investigation, detection and prosecution of violations of professional codes for regulated professions. Further, certain exemptions apply for, among others, archiving, scientific research, and expression and journalism.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

Electronic marketing is covered by the Dutch Telecommunication Act and Directive 2002/58/EC, which will be replaced by a new ePrivacy Regulation to sit alongside the GDPR. The new ePrivacy Regulation will also provide rules regarding the interception of communication.

The monitoring and surveillance of individuals is covered by the GDPR if and insofar as this leads to the processing of personal data.

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

Data protection rules for many employee-related monitoring areas follow from case law of the ECHR. There are no specific laws or regulations that govern employee data protection rights.

For the healthcare sector, a new law has recently been adopted called the Patients’ Rights in electronic data processing Act. This law introduces safeguards for patients in case of electronic data processing.

PII formats

What forms of PII are covered by the law?

The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data that form part of a filing system or are intended to form part of a filing system.

Personal data that has undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be personal data under the GDPR. For the question of whether or not a natural person is identifiable, all means reasonably likely to be used - such as singling out, either by the controller or by another person to identify the natural person directly or indirectly - should be taken into account. To ascertain whether means are reasonably likely to be used to identify a natural person, account should be taken of all objective factors (such as costs and amount of time). We refer to the European Court of Justice ruling Breyer/Germany of 19 October 2016 (ECLI:EU:C:2016:779, C-582/14).

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

The GDPR is applicable to the processing of personal data done by an establishment of a controller or a processor in the European Union. This means that when a controller or processor is located in the European Union, the GDPR applies, regardless of whether the processing takes place in the European Union or not.

Further, and more importantly, the GDPR applies to the processing of personal data of individuals who are located in the European Union by a controller or processor not established in the European Union when this processing relates to the offering of products or services to those individuals or the monitoring of their behaviour in the European Union.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

Under the GDPR, various obligations have been described for both controllers and processors of personal data. Therefore, not only the controller has obligations under the GDPR; the processor also has to comply with the obligations under the GDPR. For instance, both the controller and the processor shall maintain a record of processing.

Article 28 of the GDPR provides all necessary information that has to be described in the (written) processor agreement to be concluded between a controller and a processor. This agreement has to contain certain obligations processors must agree to (see question 32).

Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

Article 6 of the GDPR provides that processing shall be lawful only if and to the extent that at least one of the following applies:

  • consent by the individual;
  • necessary for the performance of a contract;
  • necessary for compliance with a legal obligation to which the controller is subject;
  • necessary in order to protect the vital interests of the individual or natural person;
  • necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • necessary for the purposes of the legitimate interests pursued by the controller or a third party.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Article 9 of the GDPR provides specific rules regarding processing of special categories of personal data. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited, unless one of the exemptions as laid down in, among others, article 9 of the GDPR as well as in Dutch implementing law of the GDPR applies, such as when explicit consent has been given by the individual (member state or EU law can provide that an individual cannot lift the prohibition).

Further, the GDPR provides more guidance for when the processing is based on consent. If that is the case, the controller needs to demonstrate that the individual has consented to processing of the personal data (article 7 of the GDPR) and consent can be withdrawn at any time.

Also, more specific rules exist concerning consent by a child (article 8 of the GDPR). Dutch implementing law of the GDPR further provides that in case article 8 of the GDPR is not applicable (ie, in situations other than in relation to the offer of information society services), for an individual who has not yet reached the age of 16, the consent of his or her legal guardian is necessary. Last, article 10 of the GDPR provides specific rules regarding criminal convictions and offences.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

Any processing of personal data should be lawful and fair. The GDPR therefore provides that it should be transparent to individuals that their personal data are processed and to what extent. This principle of transparency is further described in articles 13 and 14 of the GDPR, which explain which information has to be given to the individual. This information needs to be easily accessible and easy to understand and has to be provided at the time when the personal data are obtained.

The information can be laid down in a privacy statement. The following information has to be provided (in case the personal data are collected from the individual):

  • contact details of the controller and if applicable, the controller’s representative and data protection officer (DPO);
  • the purposes of processing;
  • the recipients or categories of recipients of the personal data, if any;
  • if applicable, that the controller intends to transfer personal data to a third country or international organisation;
  • the period of storage;
  • that the individual can request access and rectification or erasure of personal data or restriction of processing or to object to processing as well as the right to data portability;
  • if the individual gave its consent, that the individual can withdraw its consent at any time;
  • the right to lodge a complaint with a supervisory authority;
  • where the processing is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
  • the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.

If personal data is not collected from the individual, the list with information as described above has to be provided, as well as the categories of personal data and the source of information.

Exemption from notification

When is notice not required?

Notice is not required where and insofar as the individual already has the information. If the personal data are not collected from the individual, notice is not required in case notice proves impossible or would involve a disproportionate effort. However, the controller shall take appropriate measures to protect the individual’s rights and freedoms and legitimate interests, including making the information publicly available. Also, notice is not required if the personal data are not collected from the individual insofar as obtaining or disclosure is expressly laid down by EU or member state law, which provides appropriate measures to protect the individual’s legitimate interests, or where the personal data must remain confidential subject to an obligation of professional secrecy regulated by EU or member state law.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

The individual has a certain degree of control over the use of his or her information. See question 38.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Article 5 of the GDPR provides various principles as to how personal data should be treated: lawful, fair and transparent. Personal data shall further be:

  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
  • accurate and, where necessary, kept up to date (accuracy);
  • kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data are processed (storage limitation); and
  • processed in a manner that ensures appropriate security of personal data (integrity and confidentiality).

Article 5 of the GDPR further provides that the controller shall be responsible for, and be able to demonstrate compliance with, these principles (accountability).

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

No clear-cut periods have been described in the GDPR as to how long personal data can be held. However, personal data can only be processed during a restricted period. Therefore, time limits should be established by the controller for erasure or for a periodic review.

In some cases, Dutch law provides the retention periods to keep certain personal data, such as fiscal obligations. Under the former Dutch Act on Personal Data, the Dutch supervisory authority provided further guidelines regarding possible retention periods. For now, it is not clear whether or not these guidelines are still relevant and can be used under the GDPR.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Personal data should be processed on the basis of one or more legitimate purposes as described in the GDPR (see question 11) and shall not be further processed in a manner that is incompatible with those purposes. Personal data may not be used incompatibly with those purposes (see article 5(1) of the GDPR). See question 16.

Further processing, or processing for another purpose than the one for which the personal data were collected, needs to be justified separately. When further processing cannot be based on consent (or on EU or member state law), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, take into account, inter alia:

  • any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
  • the context in which the personal data have been collected, in particular regarding the relationship between individuals and the controller;
  • the nature of the personal data, in particular whether special categories of personal data are processed, or whether personal data related to criminal convictions and offences are processed;
  • the possible consequences of the intended further processing for individuals; and
  • the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

See question 18.

Where the controller intends to further process the personal data for another purpose, the controller shall provide the individual prior to that further processing with information on that purpose and with any relevant further information as described in question 13.

Security

Security obligations

What security obligations are imposed on PII owners and service providers that process PII on their behalf?

Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data. Appropriate technical and organisational measures therefore have to be implemented by the processor and the controller. The controller and processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Further, the controller and the processor shall take into account the ability to ensure ongoing confidentiality and availability, the ability to restore such availability after an incident, and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing (article 32 of the GDPR).

Notification of data breach

Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

The GDPR explicitly states that in case of a personal data breach, the controller shall, without undue delay (and where feasible not later than 72 hours after having become aware of it), notify the breach to the supervisory authority (article 33 of the GDPR). Notification is not needed when the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In case the notification is not made within 72 hours, the notification shall provide reasons for the delay.

If the breach is within the processor’s sphere, the processor shall notify the controller without undue delay after becoming aware of a personal data breach.

The European Data Protection Board (EDPB - initially called the Article 29 Working Party) published guidelines on personal data breach notification (wp250rev.01), which can be found on the website, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612052.

Internal controls

Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

The appointment of a DPO is mandatory where:

  • the processing is carried out by a public authority or body (except courts);
  • the core activities of the controller or processor require regular and systematic monitoring of data on a large scale; or
  • the core activities relate to processing special categories of personal data.

According to article 39 of the GDPR, the DPO has (at least) the following tasks:

  • to inform and advise the controller or processor and employees who carry out the processing activities, of their obligations pursuant to the GDPR and other EU or member state law concerning data protection;
  • to monitor compliance with the GDPR and other EU or member state law concerning data protection and with the internal policies in relation to the protection of personal data. The latter includes training, awareness-raising and related audits;
  • to provide advice where requested regarding the data protection impact assessment and monitor its performance;
  • to cooperate with the supervisory authority; and
  • to act as the contact point for the supervisory authority.

Last, the Dutch implementing law of the GDPR provides that the DPO is obliged to keep confidential any information the DPO becomes aware of after a request or complaint of an individual, unless the individual consents to the use of the information.

Record keeping

Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?

Yes, in order to demonstrate compliance with the GDPR, the controller and processor should maintain records of processing that contain various information, such as details of the controller, the purposes of processing, a description of the categories of individuals, the categories of personal data, the categories of recipients to whom the personal data will be disclosed and the time limits for erasure.

New processing regulations

Are there any obligations in relation to new processing operations?

At the time of determination of the means for processing and at the time of the processing itself, the controller shall implement appropriate technical and organisational measures (for example, pseudonymisation), which are designed to implement data protection principles, such as data minimisation.

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of processing are processed. According to article 25 of the GDPR, this applies to the amount of personal data collected, the extent of its processing, the period of its storage and its accessibility. In particular, such measures shall ensure that by default personal data is not made accessible without the individual’s intervention to an indefinite number of natural persons.

If a type of processing (in particular using new technologies) is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out a privacy impact assessment of the envisaged processing operations. This privacy impact assessment has to be carried out prior to the processing of personal data.

The EDPB published guidelines on the data protection impact assessment (last revised on 4 October 2017). You may find them via this link: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236.

Registration and notification

Registration

Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?

Under the GDPR, there is no requirement to register with the supervisory authority. Processors and controllers have their own responsibility: the record keeping (see question 23).

Formalities

What are the formalities for registration?

See question above.

Penalties

What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

See questions above.

Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

See questions above.

Public access

Is the register publicly available? How can it be accessed?

See questions above.

Effect of registration

Does an entry on the register have any specific legal effect?

See questions above.

Other transparency duties

Are there any other public transparency duties?

See question 13.

Transfer and disclosure of PII

Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

Entities that provide outsourced processing services under the instruction of the controller are considered to be data processors under the GDPR. In that case, a processor agreement has to be concluded between the controller and the processor. In this agreement the subject matter, duration of processing, nature and purpose of processing, type of personal data and categories of individuals, and the obligations and rights of the controller have to be described (article 28 of the GDPR). Further, the agreement shall stipulate that:

  • the processor shall only process the personal data on documented instructions from the controller (unless required to do so by EU or member state law to which the processor is subject);
  • the processor ensures that persons that process personal data have committed themselves to confidentiality;
  • the processor assists the controller to respond to requests for exercising the individual’s rights;
  • the processor assists the controller in ensuring compliance with the obligations pursuant to articles 32 to 36 of the GDPR (security personal data, data breach, privacy impact assessment);
  • the processor takes all measures required pursuant to article 32 of the GDPR (security of personal data), makes available to the controller all information necessary to demonstrate compliance with the obligations in article 28 of the GDPR, allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller, and shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other EU or member state law; and
  • the processor shall, at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies (unless EU or member state law requires storage of the personal data).

Article 28 of the GDPR further provides that the controller shall only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures. Further, article 28 of the GDPR provides that the processor shall not engage another processor without prior written authorisation of the controller, and that the same data protection obligations as set out in the contract or other legal act between the controller and the processor shall be imposed on that other processor. A general written authorisation is possible, but then the processor has to inform the controller of any intended changes in order for the controller to be able to object to such changes.

Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

There are no specific restrictions regarding the disclosure of personal data laid down in the GDPR, other than the restrictions mentioned in the answers above. Every processing has to have a legitimate processing ground (purpose limitation) and disclosure shall not be incompatible with the purposes for which the personal data were initially collected.

Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

If personal data move across the EU borders to a third country (or an international organisation), a transfer may take place if the European Commission has decided that the receiving country or organisation ensures an adequate level of protection. Such a transfer shall not require any specific authorisation (article 45 of the GDPR). Provisions regarding transfers to third countries/international organisations can be found in articles 40-50 of the GDPR.

If no decision has been made by the European Commission, a controller or processor may nonetheless transfer personal data to a third country or international organisation, but only if the processor or controller has provided appropriate safeguards and on the condition that individuals have enforceable rights and effective legal remedies. The appropriate safeguards can be provided by, for instance, binding corporate rules (article 47 of the GDPR) to be approved by the supervisory authority, or the standard data protection clauses adopted by a supervisory authority and approved by the European Commission.

The EU standard contractual clauses currently provided by the European Commission covering the controller-processor data transfer, do not meet the GDPR requirements.

Other possibilities are also provided in the GDPR, such as an approved code of conduct (articles 46 and 40 of the GDPR), an approved certification mechanism or a legally binding and enforceable instrument between public authorities or bodies.

Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

See question 34.

Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

The conditions laid down in articles 44-50 of the GDPR (see question 34) are also applicable to onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

Rights of individuals

Access

Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

Individuals have the right to ask a controller whether or not their personal data are being processed, and, when that is the case, individuals have the right to access their personal data. The GDPR provides that an individual has access to his or her personal data and the following information:

  • purposes of processing;
  • categories of personal data;
  • (categories of) recipients;
  • if possible the retention period;
  • the right to lodge a complaint with the Dutch DPA;
  • in case the personal data were not collected from the individual, any available information as to their source; and
  • the existence of automated decision-making, including profiling (article 15 of the GDPR).

Article 15(3) of the GDPR further provides that the controller shall provide a copy of the personal data undergoing processing. In the Netherlands, it is not clear whether a controller shall provide both a copy and the information listed above, or whether it is sufficient for the controller to provide only the information above without providing a copy.

Other rights

Do individuals have other substantive rights?

Individuals have the right to rectification (article 16 of the GDPR), the right to erasure (article 17 of the GDPR), the right to restriction of processing (article 18 of the GDPR), the right to data portability (article 20 of the GDPR) and the right to object (article 21 of the GDPR).

Compensation

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

The GDPR allows individuals to seek monetary damages in court from both controllers and processors who have violated their rights (articles 79 and 82 of the GDPR). Article 82 of the GDPR provides that any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered.

A controller involved in processing is liable for the damage caused by processing of personal data that infringes the GDPR. If the processor acted in violation of the GDPR, the controller can be held accountable for this. A processor is liable only where it, and not the controller, has failed to comply with obligations of the GDPR specifically directed to processors, or where it has acted outside or contrary to the lawful instructions of the controller. A controller or processor is exempted from liability only if it proves that it is not in any way responsible for the event giving rise to the damage.

Enforcement

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

Compensation must be sought through the judicial system. Proceedings shall be brought before the courts of the member state where the controller or processor has an establishment. Alternatively, proceedings may be brought before the courts of the member state where the individual has his or her habitual residence, unless the controller or processor is a public authority of a member state acting in the exercise of its public powers.

Exemptions, derogations and restrictions

Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

No.

Supervision

Judicial review

Can PII owners appeal against orders of the supervisory authority to the courts?

Yes, the regular administrative-law possibilities to object to and appeal against decisions of the Dutch DPA apply.

Specific data processing

Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

The Dutch Telecommunications Act requires that (i) individuals are given clear and comprehensive information in accordance with the GDPR about the purposes for which information is to be accessed or stored on their terminal equipment; and (ii) individuals consent to the access to or storage of that information.

Electronic communications marketing

Describe any rules on marketing by email, fax or telephone.

As with any processing activity, the lawful basis of the processing (under article 6 of the GDPR) has to be assessed first. Direct marketing could be assessed as a legitimate interest of the controller. For instance, a controller can send marketing information by post about a new product to existing customers on the basis of a legitimate interest. An opt-out has to be provided at all times.

Further, the ePrivacy Directive (which will be replaced by the ePrivacy Regulation) is of importance here. The new ePrivacy Regulation (which also covers direct marketing) is still a proposal.

The current ePrivacy Directive sets out the consent requirements for e-marketing. According to the directive, consent is needed for e-marketing, unless the contact details were collected in the context of a sale and the customer was given the ability to opt out at that time. Direct marketing by telephone may be conducted on an opt-out basis, provided that the call list is first screened against the do-not-call registry.

Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

If a controller uses a cloud computing service, a processor agreement has to be in place (article 28 of the GDPR). Further, in the Netherlands, the Dutch DPA has published a guideline (in Dutch) on patient data in the cloud to give guidance.

The information in this chapter was correct as at August 2018.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

No updates at this time.