If you think complying with the GDPR makes you automatically compliant with all privacy laws in the Netherlands, then think again. The GDPR sought to harmonize an EU legal framework that applies to all EU countries. Still, individual EU countries retain some discretion to legislate on certain aspects of their data privacy.
The Dutch Implementation Act (Uitvoeringswet AVG, or UAVG), which implements the GDPR in the Netherlands, exercises that discretion. It takes a policy-neutral approach: wherever a GDPR provision left room for national derogations, the spirit and letter of the previous legislation, the Personal Data Protection Act, were preserved as far as possible.
The Dutch Implementation Act evolved through a series of landmark moments on its way to becoming the grundnorm for data privacy in the Netherlands. But how does it compare to the GDPR in terms of regulatory scrutiny and enforcement? What does it mean for data subjects, controllers and processors? How can companies navigate data privacy compliance under it?
Read on as we discuss the data protection regime in the Netherlands and outline the steps that put your company on the path to compliance.
History of data privacy in The Netherlands
Data privacy law in the Netherlands rests on a long legislative history. Historically, data protection was addressed by various sectoral laws, such as the Telecommunications Act and the Electronic Communications Act.
The Personal Data Protection Act (Wet bescherming persoonsgegevens, "Wbp"), in force from 2001, consolidated the existing data privacy legislation into a single act and aligned it with the EU Data Protection Directive (95/46/EC) then in force.
The act put the emphasis on individuals' rights over their personal data, strengthening the overall framework for privacy protection in the country. It also gave the Dutch Data Protection Authority (then the College bescherming persoonsgegevens, renamed Autoriteit Persoonsgegevens in 2016) greater powers to investigate complaints and impose sanctions where necessary.
In addition to these sectoral laws, numerous other laws, regulations, and codes of conduct have been developed over the years to further protect personal data in the Netherlands.
All in all, these developments demonstrate a sustained will to protect individual privacy, a right guaranteed by Article 10 of the Dutch constitution and protected in similar terms by Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
State of data protection in The Netherlands
Recent events have tipped the balance of data autonomy toward data subjects not only in principle but in practice. One watershed moment was the Dutch Tax Administration's discriminatory treatment of dual nationals based on their personal data.
That violation drew two separate fines from the Dutch DPA, for:
- The administration's unlawful and discriminatory automated decision-making on childcare benefit applications; and
- Its unlawful fraud blacklist, the Fraud Signalling Facility (FSV).
The case resonated across the Netherlands: the Dutch DPA's investigation drew the administration's attention to the dangers of algorithmic decision-making and pressed for appropriate safeguards to protect data subjects.
The uproar that ensued led the Dutch House of Representatives to adopt a motion requiring a compulsory human rights impact assessment for algorithms used to evaluate citizens.
Following these incidents, there has been a renewed focus on better transparency for data subjects and more stringent measures regulating data brokering and the use of artificial intelligence and algorithms.
And while further legislative work is needed before the Dutch data protection regime resembles a finished Van Gogh, progress is on the horizon: the Dutch Data Protection Authority reported a sharp 25% decline in the number of complaints in 2021 compared with 2020.
What are the laws and regulations businesses must comply with?
Taking effect across the European Union on 25 May 2018, the GDPR replaced the EU Data Protection Directive (95/46/EC); in the Netherlands, the former Personal Data Protection Act (Wet bescherming persoonsgegevens) was repealed on the same date.
As a regulation, the GDPR has direct effect in every EU member state, so it is binding on Dutch soil without any need for national implementation. It nonetheless leaves member states room to legislate on the matters it opens to them, such as special categories of data, the age at which children can consent to online services, and processing for journalistic purposes.
The Netherlands used that room in the GDPR Implementation Act, otherwise known as the Dutch Implementation Act (Uitvoeringswet AVG), which, among other things, designates the Autoriteit Persoonsgegevens (AP, the Dutch Data Protection Authority or "DPA") as the supervisory authority and sets out its enforcement powers.
Think of the AP as the national regulator for all things data protection: it supervises and enforces the obligations laid down in the GDPR and the Implementation Act.
Scope of application
The scope of application of the GDPR is best analysed from three viewpoints: the personal scope, the territorial scope, and the material scope.
Because the GDPR applies directly in member states, the Implementation Act's scope tracks the GDPR's.
The law applies to the processing of personal data, meaning any information relating to an identified or identifiable natural person (including online identifiers such as cookie IDs), whether the processing is carried out wholly or partly by automated means or forms part of a structured filing system, and whether the organisation processing it is private or public.
The Dutch Implementation Act has the same territorial and extraterritorial reach as the GDPR.
In simple terms, the Act applies to processing carried out in the context of the activities of a controller or processor established in the Netherlands, regardless of whether the processing itself takes place in the EU or not.
The Act also applies to data subjects in the Netherlands whose data is processed by a controller or processor not established in the EU, where the processing relates to:
- The offering of goods or services to those data subjects, or
- The monitoring of their behaviour, in so far as that behaviour takes place in the Netherlands.
As with the other two, the material scope of the Implementation Act matches that of the GDPR, save for some national derogations.
National derogations: the GDPR itself does not apply to processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences (that falls under the separate Law Enforcement Directive), and Article 85 lets member states reconcile data protection with freedom of expression. The Implementation Act uses that latitude, so the ordinary GDPR rules do not apply in full to:
- Personal data processed by competent authorities for criminal investigations, or
- Processing for exclusively journalistic, academic, artistic or literary purposes.
The Implementation Act also makes a number of national choices that sit alongside the GDPR. The main ones are:
- Age of consent: for information society services offered directly to children, the Netherlands keeps the GDPR default of 16 rather than lowering it, so consent for younger users must come from a parent or guardian.
- Special categories of personal data: the general prohibition on processing sensitive data (health, biometric and genetic data among them) stands, and the Act sets out the specific national exceptions, for example processing of health data by care providers and insurers, and processing of biometric data where it is necessary for authentication or security purposes.
- Criminal-law data: processing of personal data relating to criminal convictions and offences is restricted to the cases the Act lists.
- The citizen service number (BSN): it may be processed only where a law prescribes it, which rules out using it as a convenient general identifier.
- Automated decision-making: the Act adds an exception to the GDPR's ban on solely automated decisions with legal or similarly significant effect where such a decision is necessary to comply with a legal obligation or to perform a public task, on condition that the controller puts appropriate safeguards in place. The GDPR's duty to inform the data subject of the logic involved and the significance and envisaged consequences of such processing applies in full.
- Journalistic, academic, artistic and literary processing: parts of the GDPR are disapplied to reconcile data protection with freedom of expression.
- Supervision: the Autoriteit Persoonsgegevens is designated as the supervisory authority, and its corrective powers, including administrative fines, are laid down in the Act.
Some obligations are often described as Dutch requirements but in fact come straight from the GDPR and apply unchanged: data protection impact assessments and prior consultation with the AP for high-risk processing (Articles 35 and 36; the AP has published a list of processing operations for which a DPIA is mandatory), records of processing activities (Article 30), the time limits and grounds for refusing data subject requests (Article 12), the designation of a data protection officer and communication of the DPO's contact details to the AP (Article 37), and the conditions for transfers to countries or international organisations without an adequacy decision (Chapter V). The general duty to notify the supervisory authority of processing that existed under the Wbp was abolished by the GDPR, and the Implementation Act does not reintroduce it.
These provisions should be read alongside the GDPR itself, so organisations operating in the Netherlands should make sure they are familiar with both. Failure to do so may result in significant fines or other corrective measures imposed by the Dutch Data Protection Authority.
On the legal bases for processing personal data, the Dutch Implementation Act adds no supplementary list, so controllers and processors are confined to Article 6 of the GDPR.
Under Article 6, processing of personal data must rest on at least one of the following legal bases; the processing is:
- Carried out with the consent of the data subject for one or more specific purposes.
- Necessary for the performance of a contract to which the data subject is party, or for steps taken at the data subject's request before entering into a contract.
- Necessary for compliance with a legal obligation to which the controller is subject.
- Necessary to protect the vital interests of the data subject or of another natural person.
- Necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Consent is therefore only one of six bases. Picking the right one matters, because a fine for processing without a valid legal basis falls in the higher of the two fining tiers described below.
Fines and penalties
The GDPR (Article 83), enforced in the Netherlands by the AP under the Implementation Act, allows administrative fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Fines are split into two tiers:
- The higher tier: up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
- The lower tier: up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
The higher tier, under Article 83(5), is reserved for the more serious infringements, namely of:
- The basic principles for processing, including the conditions for consent (Articles 5, 6, 7 and 9), which covers processing without a valid legal basis.
- Data subjects' rights (Articles 12 to 22), including the transparency obligations.
- The rules on transfers to third countries (Articles 44 to 49).
- Obligations under national law adopted under Chapter IX, and non-compliance with an order of the supervisory authority.
The lower tier, under Article 83(4), covers infringements of:
- The obligations of controllers and processors (Articles 8, 11, 25 to 39, 42 and 43), for instance the absence of a processing contract with a processor, missing records of processing, or a late breach notification.
- The obligations of certification bodies and code-of-conduct monitoring bodies.
For instance, TikTok was fined €750,000 for failing to provide privacy information that young Dutch users could understand, a breach of the transparency requirements towards data subjects.
The AP's powers are not limited to fines. Its corrective powers also include warnings, reprimands, orders to bring processing into compliance (which it may enforce with periodic penalty payments), and temporary or definitive bans on processing. Separately from any regulatory action, Article 82 of the GDPR gives data subjects who suffer material or non-material damage from an infringement the right to claim compensation from the controller or processor in court.
Notable examples of enforcement
Perhaps the most notable recent fine published by the Dutch DPA came in April 2022, when the Dutch Tax Administration was fined €3.7 million for the unlawful processing of personal data in its Fraud Signalling Facility (FSV). The FSV was a blacklist of people the Tax Administration tracked on indications of fraud, kept without a legal basis for processing the data.
A €525,000 fine was imposed on DPG Media in February 2022 for requiring people who wanted to view or delete their data to submit a copy of their ID, when none of the legal conditions for demanding and processing such a copy were met.
The Dutch Tax Administration was also fined €2.75 million in December 2021 for unlawful processing of personal data. It recorded the dual nationality of applicants for childcare allowance and used that data to feed algorithms that flagged and denied applicants in a discriminatory, unlawful and improper way.
Lastly, TikTok was fined €750,000 in July 2021 for breaching young children's privacy. The information Dutch users received during installation and use of the app was provided only in English, so the young Dutch users it was aimed at could not be expected to understand how their data was processed, a failure of the GDPR's transparency requirements.
How to be compliant with The Netherlands data privacy law
Here’s a quick compliance checklist you can adopt to ensure compliance with data privacy law in the Netherlands:
Identify a legal basis for every processing activity before you collect the data, and maintain records of your processing activities. Where you rely on consent, individuals must be told exactly how their data will be used and must give a clear, affirmative indication of agreement; you must be able to demonstrate that consent afterwards, and withdrawing it must be as easy as giving it.
Importantly, placing or reading cookies requires consent under the Dutch Telecommunications Act, with two exceptions: functional cookies that are strictly necessary to provide a service the user asked for, and analytical cookies used to measure the performance of a service, provided they have no or only a minimal impact on the user's privacy. Analytics that profile users or share data with third parties do not qualify for the exemption.
When asking for consent through cookie banners, there can be no pre-ticked boxes, and neither inactivity nor variations of "by continuing you accept" (scrolling, clicking elsewhere, closing the banner) count as consent. Non-essential cookies and tags may only be set after an explicit accept, and the website must remain accessible when cookies are rejected.
A related point is the cookie wall, which the Dutch DPA's 2019 guidance declared not permitted: making access to a site conditional on accepting tracking cookies means the consent is not freely given.
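The banner rules above translate into a small state machine that a tag loader can consult. The following is an added example written for this article, not code from Didomi or the Dutch DPA; the cookie categories, tag registry and function names are assumptions chosen for illustration, and a real site would wire the accept, reject and save methods to banner buttons and feed `allowedTags()` to its script loader.

```javascript
// Added example: explicit opt-in consent state for a cookie banner.
// Encodes the Dutch DPA rules: nothing pre-ticked, passive behaviour is not
// consent, exempt (functional) cookies always allowed, withdrawal as easy as
// consent, and site access never conditional on the decision (no cookie wall).

// Cookie categories (assumed for this example). "functional" is strictly
// necessary and exempt. Analytics is gated by default, since only analytics
// with minimal privacy impact qualify for the Dutch exemption.
const CATEGORIES = Object.freeze({
  functional: { exempt: true },
  analytics: { exempt: false },
  marketing: { exempt: false },
});

// Hypothetical tag registry, constructed for this example.
const TAG_REGISTRY = Object.freeze([
  { name: "session-cookie", category: "functional" },
  { name: "web-analytics", category: "analytics" },
  { name: "ad-pixel", category: "marketing" },
]);

class ConsentState {
  constructor(now = () => Date.now()) {
    this.now = now;      // injectable clock so the record is testable
    this.record = null;  // null = no decision yet; nothing is assumed
  }

  // Banner defaults: every gated category starts unchecked (no pre-ticking).
  static defaultChoices() {
    const choices = {};
    for (const [name, cat] of Object.entries(CATEGORIES)) {
      if (!cat.exempt) choices[name] = false;
    }
    return choices;
  }

  // Only an explicit button press changes state.
  acceptAll() {
    const all = ConsentState.defaultChoices();
    for (const name of Object.keys(all)) all[name] = true;
    this.commit(all);
  }
  rejectAll() { this.commit(ConsentState.defaultChoices()); }
  save(choices) {
    // Only a literal `true` per category counts as consent; anything else
    // (undefined, "yes", 1) leaves that category rejected.
    const granted = ConsentState.defaultChoices();
    for (const name of Object.keys(granted)) granted[name] = choices[name] === true;
    this.commit(granted);
  }
  // Withdrawal must be as easy as giving consent (GDPR Art. 7(3)).
  withdraw() { this.rejectAll(); }

  // Scrolling, navigating, clicking elsewhere or closing the banner is not
  // consent. Call sites can hook this; it deliberately changes nothing.
  passiveInteraction(_kind) { return this.record; }

  // Timestamped, frozen record so the controller can demonstrate consent.
  commit(granted) {
    this.record = Object.freeze({ granted: Object.freeze({ ...granted }), at: this.now() });
  }

  decided() { return this.record !== null; }

  // Gate for a single category: exempt categories pass, gated categories need
  // an explicit decision that granted exactly that category.
  mayLoad(category) {
    const cat = CATEGORIES[category];
    if (!cat) throw new Error(`unknown cookie category: ${category}`);
    if (cat.exempt) return true;
    return this.record !== null && this.record.granted[category] === true;
  }

  // What the tag loader may inject right now. With no decision or after a
  // rejection this is only the functional tags; the page itself still renders.
  allowedTags(registry = TAG_REGISTRY) {
    return registry.filter((t) => this.mayLoad(t.category)).map((t) => t.name);
  }
}

// Content gate that never depends on consent, i.e. no cookie wall.
function pageAccessible(_state) { return true; }

// Walk through a visit: land, scroll, reject, then save a partial choice.
function demo() {
  const s = new ConsentState();
  const steps = [];
  steps.push(["landed", s.allowedTags()]);
  s.passiveInteraction("scroll");
  steps.push(["scrolled", s.allowedTags()]);
  s.rejectAll();
  steps.push(["rejected", s.allowedTags()]);
  s.save({ analytics: true });
  steps.push(["saved analytics only", s.allowedTags()]);
  return steps;
}

console.log(JSON.stringify(demo()));
```

The design choice worth noting is that `mayLoad` tests for a literal `true` inside a committed record: an absent decision, a rejection, and a malformed value all fail closed, so a tag loader cannot accidentally treat "no answer yet" as permission.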
A Data Protection Officer:
Appoint a Data Protection Officer (DPO) where the GDPR requires one (public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data), or voluntarily where it helps, and register the DPO's contact details with the Dutch DPA. The DPO monitors your company's compliance with the applicable laws and regulations.
This person should have expertise in data protection law and practice, be involved in assessing the risks of your processing activities, and keep you informed about the GDPR and the Implementation Act.
Data privacy notices:
Develop policies and procedures that clearly outline which types of personal data can be processed, what purpose it can be used for, how it is stored securely, who has access to it, and how long it can be retained for.
There is no explicit legal obligation to draft privacy notices in Dutch, which gives companies the flexibility of providing them in English.
Nonetheless, the GDPR requires the information to be concise, transparent and in clear and plain language that the intended audience can understand, and the TikTok fine shows that English-only notices can fail that test for a Dutch audience, particularly children. Providing the notice in Dutch as well is the safer course.
Ensure that any third-party partners with whom you share data are compliant with the applicable laws and regulations. Make sure all contracts with such parties have clear language regarding data protection requirements and liabilities.
Encourage employees to stay up-to-date on relevant laws and regulations in order to remain compliant. Relevant news should be disseminated regularly, so everyone is aware of their obligations when handling personal data.
Following these steps, you can help ensure your business complies with data privacy law in the Netherlands.
Implement a Consent Management Platform today
The Dutch Implementation Act raises the bar on the corporate obligation to protect personal data. With more accountability through measures such as data protection impact assessments and data protection officers, data subjects also gain rights over their personal information, including the right to erasure, control over how their data is shared, and the ability to take legal action against those who fail to comply with the GDPR.
For companies, satisfying the conditions to comply with the data privacy laws in the Netherlands is not only a matter of regulatory requirement. There’s clear reputational, ethical (and commercial) incentive. But the task of safeguarding user privacy while legally obtaining cookie consents can be back-breaking.
This is where the Didomi consent management platform (CMP) comes in to help you keep your ducks in a row. Besides one less headache for your IT Team to deal with in terms of compliance, your marketing team scores a win — a chance to upscale user experience using consent banners while bagging a high consent rate.
Your marketing department also gains first-hand user data that provides game-changing insight to enhance advertisement performance. It also remains a smart way to reduce the legal risk for your legal department or avoid dealing with the blowback of a PR crisis for your public relations department.
Got any queries on Dutch Cookie Law or need more information on how we can get you on the path to compliance with our solutions? Contact us.