Privacy legislation

Supervision by the Dutch DPA

Important laws that are subject to supervision by the Dutch DPA are:

1. General Data Protection Regulation (GDPR);
2. General Data Protection Regulation (GDPR) Implementation Act;
3. Directive on data protection in the law enforcement sector, implemented in the Police Data Act (Wpol) and the Judicial Data and Criminal Records Act (Wjsg);
4. Elections Act (insofar as it concerns processing of personal data for elections in the European part of the Netherlands);
5. Act on the Key Register of Persons (Wet BRP).

GDPR and GDPR Implementation Act

The most important rules for the handling of personal data in the Netherlands have been laid down in the General Data Protection Regulation (GDPR). On 25 May 2018, the GDPR entered into effect in the European Union (EU). The GDPR therefore applies not only in the Netherlands, but throughout the EU.

On a number of points in the GDPR, EU Member States are allowed or obliged to make their own choices on how they arrange this. In the Netherlands, the major part of those national choices have been laid down in the GDPR Implementation Act.

The GDPR and the GDPR Implementation Act also arrange the tasks and powers of the Dutch DPA as supervisory authority for these laws and other laws and regulations for the processing of personal data.

The GDPR in short  More about the GDPR Implementation Act

Directive on data protection in the law enforcement sector
 

In addition to the GDPR, there is a separate European directive for data protection by the police and judicial authorities. This is the Directive on data protection in the law enforcement sector (Directive 2016/680). This directive provides rules for processing of personal data by competent authorities for the prevention, investigation, detection and prosecution of criminal offences and the implementation of penalties.

In the Netherlands, the Directive on data protection in the law enforcement sector was implemented in the Police Data Act (Wpol) and the Judicial Data and Criminal Records Act (Wjsg) as of 1 January 2019.

Similarities GDPR and directive on data protection  Differences between the GDPR and the Directive

Police Data Act (Wpol)

The police use all kinds of personal data for the proper performance of police tasks. For example, for detecting perpetrators of criminal offences. The protection of personal data at the police has been arranged in the Police Data Act (Wpol).

The Wpol regulates the processing of police data by the Dutch National Police, the special investigation services, the Royal Netherlands Marechaussee, and the National Police Internal Investigations Department (Rijksrecherche). The Wpol also applies to tasks that the police perform for the judicial authorities.

Also see: Police, special investigation services and judicial authorities.

Judicial Data and Criminal Records Act (Wjsg)

The judicial authorities collect all kinds of personal data for the detection, persecution, and settlement of criminal offences. The judicial authorities also process personal data for issuing a Certificate of Conduct (Dutch VOG).

The Judicial Data and Criminal Records Act (Wjsg) regulates the processing of judicial data (in suspect dossiers) and for the VOG. The Act also regulates the processing of data for prosecution purposes. The Dutch DPA monitors the processing of judicial data that is based on this Act.

Also see: Police, special investigation services and judicial authorities.

Act on the Key Register of Persons (Wet BRP)

Personal data of the residents of the Netherlands have been included in the Key Register of Persons (Dutch BRP). The Act on the Key Register of Persons (Wet BRP) regulates the correct use of these data. This concerns, among other things, how municipalities record and amend personal data in the BRP and provide personal data from the BRP.

The GDPR contains a number of additional rules for personal data processing at the BRP. It concerns situations for which the Wet BRP does not provide.

International privacy legislation

Not everywhere in the world has the protection of personal data been arranged in the same way as in the Netherlands. In principle, the same regime applies within the EU. Various countries outside the EU also have privacy laws, but these are not always comparable to those of the EU. For this reason, the level of protection varies from country to country.

Within the EU

The GDPR is part of a package of European regulations for the protection of personal data. In addition to the GDPR, various other European regulations contribute to the protection of personal data:

• Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR)
• Article 8 of the Charter of Fundamental Rights of the EU
• the Data Protection Convention of the Council of Europe

The Data Protection Convention from 1981 has laid the foundation for the European privacy protection. The convention is an elaboration of the right to respect for privacy, as laid down in Article 8 of the ECHR (1950). The Data Protection Convention is also called the Strasbourg Convention or Convention 108.

The Data Protection Convention has a worldwide scope. States that are not a member of the Council of Europe can also sign the convention. Article 18 of the convention provides for an advisory committee, in which the Dutch DPA participates on behalf of the Netherlands.

Outside the EU

Verschillende landen buiten de EER kennen ook privacywetgeving. Maar door historische, culturele en juridische verschillen zijn deze wetten niet altijd vergelijkbaar met de in de EER geldende wet- en regelgeving.

Persoonsgegevens doorgeven vanuit Nederland naar een land buiten de EER mag alleen als dit land voldoende bescherming biedt.

Submit a tip or complaint

Do you suspect that a person or organization is not complying with privacy legislation? Then you can submit a tip or complaint to the AP.