Applying for a permit

Rules for processing criminal data

Under the General Data Protection Regulation (GDPR), processing criminal data is generally not permitted. It is only permitted:

• under supervision of the government;
• if the processing is permitted under provisions of EU law or national law, such as the GDPR (Implementation) Act.

When to apply for a permit

As an organisation, you have to apply to the Dutch DPA for a permit when you want to process criminal data and share these data with others. Unless you can rely on one of the exceptions from the GDPR Implementation Act.
Exceptions to the obligation to apply for a permit apply for, for example:

• governmental organisations;
• organisations with a permit based on the Dutch Private Security Organizations and Detective Agencies Act;
• organisations that, pursuant to the law, apply criminal law;
• organisations that have obtained criminal data under the Dutch Police Data Act (Wpol) or the Dutch Judicial Data and Criminal Records Act (Wjsg);
• organisations that only use the data internally for purposes as listed in the GDPR Implementation Act.
  You can find a complete overview of the exceptions to the permit requirement in Article 10 of the GDPR and Articles 32 and 33 of the GDPR Implementation Act.
  You have to assess for yourself whether you have to apply for a permit. You may come to the conclusion that you do not need a permit, but note:
• even then you still need a ground for exception to be permitted to process criminal data;
• you may have to carry out a data protection impact assessment (DPIA) and then maybe apply to the Dutch DPA for a prior consultation.
   

You can find a complete overview of the exceptions to the permit requirement in Article 10 of the GDPR and Articles 32 and 33 of the GDPR Implementation Act.
You have to assess for yourself whether you have to apply for a permit. You may come to the conclusion that you do not need a permit, but note:

• even then you still need a ground for exception to be permitted to process criminal data;
• you may have to carry out a data protection impact assessment (DPIA) and then maybe apply to the Dutch DPA for a prior consultation.

Applying to the Dutch DPA for a permit

Before you can submit an application to the Dutch DPA for a permit, you first have to:

• Carry out a DPIA: under the GDPR, is DPIA is mandatory in the case of large-scale processing of criminal data. Keeping and sharing black lists is also on the list of the Dutch DPA with processing operations for which a DPIA is mandatory.
• Draw up a protocol: in the protocol, you describe how you will process the criminal data and how this envisaged data processing meets the requirements from the GDPR.
  How you then apply to the Dutch DPA for a permit depends on the outcome of your DPIA:

Outcome: limited risk

Does your DPIA show that there is no high residual privacy risk for the data subjects? Or that you can mitigate the risk with measures? Then you can apply for a permit through the:

Application form for a permit without prior consultation

Outcome: high risk

Does your DPIA show that the intended processing entails a high privacy risk for the data subjects? And are you unable to find (enough) measures to mitigate this risk? Then you have to consult with the Dutch DPA first before you start processing. This is called a prior consultation. 
You apply for a prior consultation through the:
 

Double application form for a prior consultation and permit

Is the outcome of the prior consultation that the Dutch DPA does not object to the processing? Then you can subsequently apply for a permit through the:

Application form for a permit after prior consultation

Privacy statement for permit applications

When you apply for a permit, the Dutch DPA will process personal data of you. You can read in the privacy statement of the Dutch DPA how the Dutch DPA handles your data.

Note: You are only allowed to start processing the criminal data when you have obtained a permit from the Dutch DPA.

Assessment by the Dutch DPA of the permit application

The Dutch DPA verifies whether your intended processing meets the requirements from the GDPR and the GDPR Implementation Act. The Dutch DPA will only be able to issue a permit if you meet at least the following 3 conditions:
1. Necessity
The processing of the criminal data must be necessary. This means, among other things, that you cannot achieve your goal in any other way, that is less far-reaching for the privacy of the data subjects.
2. Important interest
The processing of the criminal must be necessary for the important interest of third parties.
3. Safeguards
You implement such safeguards that the privacy of the data subjects is not disproportionally affected by your processing operation.
These safeguards must give sufficient substance to the principles from Article 5 GDPR:

• lawfulness (including having a valid legal basis within the meaning of Article 6 GDPR), fairness and transparency;
• purpose limitation;
• data minimisation;
• accuracy;
• storage limitation;
• confidentiality and integrity;
• accountability.
   

You have to include the safeguards in the protocol. Make sure that the protocol is sufficiently clear, concrete and detailed. The protocol must clearly and exactly show what the data processing actually looks like and which safeguards apply. Keep in mind that the protocol should also be easy to read and understand for the data subjects. 

Model protocol
 

The Dutch DPA has already approved a model protocol for some processing operations. This applies for a number of black lists (hospitality areas and retail areas, Financial Institutions Incident Warning System Protocol (PIFI)).
If you want to apply for a permit for such processing operation, you can join the model protocol. You can contact your sector association or the Dutch DPA for more information.

Permit conditions

The Dutch DPA may attach conditions to the permit. For example that the permit is valid for 5 years. And that you submit any amendments you want to make to the protocol to the Dutch DPA first.

General Administrative Law Act

The Dutch DPA handles your application for a permit in accordance with the Dutch General Administrative Law Act and the time limits set out in this Act.
The Dutch DPA has 8 weeks to take a decision on your permit application. Is this period too short for the Dutch DPA to handle your application? Then the Dutch DPA will set a new, reasonable period for decision-making. The duration of that period may vary for each case.
Does the Dutch DPA grant the permit to you? Then the Dutch DPA will publish the decision and the protocol drawn up by you on the website of the Dutch DPA, unless an exception to the Dutch Open Government Act (Woo) applies.

Register of permits

The Register of permits contains all permits that were granted by the Dutch DPA. As well as the permit applications that were rejected by the Dutch DPA.