On the first of July 2012, some important changes in the secondary privacy legislation have entered into force.

Article 27 of the Dutch Data Protection Act (DDPA) determines that the processing of personal data has to be notified with the Dutch Data Protection Authority (DPA). The Exemption Decree DDPA provides several exemptions to the obligation to notify the DPA. The Exemption Decree has added several new exemption possibilities and has extended some of the exemptions already in place. For example, an exemption for the notification duty is introduced for the processing of personal data on an intranet, a personal website or weblogs. Furthermore, a notification to the DPA is no longer necessary when the personal data are transferred outside of the EEA, based upon the Standard Contractual Clauses of the European Commission or when a company has Binding Corporate Rules in place.

The Costs Decree enables a data controller to pass on the costs incurred, arising from an access request follow-up based upon article 35 of the DDPA, to the data subject. The maximum compensation which a data controller may charge has been slightly raised (from EUR 4.50 to EUR 5.00) and a special compensation for the provision of x-rays is introduced.

The changes in the Notification Decree lead to a simplification of the notification duty for large companies. If the different entities of a large company can be considered as a group in accordance with article 2:24b of the Dutch Civil Code, one of the companies can notify a certain type of processing on behalf of the whole group. (FVDJ)