For the government: legislative test

This obligation follows from Article 36, paragraph 4 of the General Data Protection Regulation (GDPR). The AP can also test legislation at its own initiative. The aim of a legislative test is to have the intended legislation meet the requirements of the GDPR and to limit the privacy risks for the data subjects.

Do you want to know if you have to ask the AP for a legislative test? And how the process works? On this page you can find all the information you need.

In which case do you ask the AP for a legislative test?

You assess for yourself whether you have to ask the AP for a legislative test. You do this by testing your case against Article 36, paragraph 4 GDPR. Here it says:

"Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing."

Police and judicial authorities
A legislative test of the processing of police data and judicial data does not usually fall under the GDPR, but under the Law Enforcement Directive (2016/680).

In that case, a legislative test is provided on the basis of Article 35b, paragraph 1, point b of the Police Data Act or, as the case may be, in conjunction with Article 27, paragraph 3 of the Judicial Data and Criminal Records Act. This does not make any difference for the legislative testing process.

For legislative proposals as well as subordinate legislation

It follows from the GDPR that you have to ask the AP for a legislative test not only for legislative proposals, but also for orders in council and ministerial regulations.

Broad criterion

The criterion 'relating to processing' is fairly broad. You have to ask for a legislative test for intended laws or regulations if they legally change, affect or influence the personal data processing in any way.

This will always be the case for legislation that makes use of the leeway offered by the GDPR to the national legislator. Such as in Article 6 of the GDPR: legislation that aims to offer a new legal basis for data processing (within the meaning of Article 6, paragraph 1, point c or e) or that aims to amend legislation pertaining to this.

It goes without saying that you also have to ask for a legislative test for legislation that, for example, means an exception to the prohibition of processing special categories of personal data (Article 9 GDPR) or criminal data (Article 10 GDPR).

When asking for a legislative test is not necessary

The intended legislation or regulations must pertain to, or be related to, personal data processing operations. It therefore does not concern legislation that does not offer a specific basis for processing operations and does not stipulate anything about processing operations.

Not even if in practice, the legislation could actually lead to new or additional processing operations. For example, if the intended legislation does not stipulate anything about personal data in an application, but will lead to more applications and therefore more processing operations.

A legislative test is also not necessary if the legislation or regulations do not change anything in the regime that already applies for the processing operations concerned (in terms of scope, type of processing, legal regime, impact, purposes or otherwise). For example, if incorporating existing provisions unaltered into a different or more comprehensive law is the only aim.

Legislation and regulations in the Caribbean Netherlands
Note: Does it concern intended legislation or regulations that (also) cause changes in legislation and regulations in the Caribbean Netherlands? Then the BES Personal Data Protection Supervisory Committee is competent to provide a legislative test.

At what time do you ask the AP for a legislative test?

At what time you ask the AP for a legislative test depends on the question of whether the draft has already been worked out in sufficient detail and – in the case of intended secondary regulations – whether the delegation basis has been established sufficiently.

Legislative proposal

You can ask the AP for a legislative test on the draft as soon as the considerations and the provisions relating to personal data processing have been worked out in sufficient detail in this draft. That means in practice that you have to meet the following requirements:

• you have completed the DPIA, if you have to carry out one;
• the considerations and the choices regarding the necessary processing operations have been made;
• a justification of them is available in an explanation.

If necessary for your planning, you may already ask for a legislative test in the period in which an Internet consultation also takes place. Provided that the relevant provisions and considerations have already been worked out in sufficient detail by that time.

Note: A statutorily required legislative test is, by its nature, different from a response to an Internet consultation.

Secondary regulations without existing delegation basis

• In the case of an order in council or a regulation, you can make your request for a legislative test as soon as the legislative proposal with the delegation basis has been adopted by the Second Chamber.
• Does it concern a ministerial regulation based on a delegation provision in an order in council? Then you can make your request for a legislative test as soon as this delegation basis has been submitted for advice to the Advisory Department of the Council of State.

Prior to the legislative testing process (informal preliminary stage)

Do the intended laws or regulations constitute a special breach of the privacy? For example because of:

• the large scale;
• the new or innovative nature;
• the nature of the personal data;
• the nature of the data subjects?

Then it may be useful to explain your intentions to the AP at a meeting prior to the legislative testing process. We call this the preliminary stage. The purpose of this meeting is not to reach agreement, but to exchange information in an informal setting, about the:

• problems to be addressed;
• policy-related context of these problems;
• relevant aspects of the privacy legislation.

This is in the (mutual) interest of the best possible insight into the problems.

Note: The informal preliminary stage is only possible if you have not yet asked the AP for a legislative test.

Treaties leading to transfers

Transfers of personal data to a country outside the EEA are only permitted if that country offers an appropriate level of protection, comparable to that offered by the GDPR. If a country cannot offer this, measures are necessary for ensuring adequate protection of personal data. To this end, the GDPR contains a specific regime in which treaties can also play a part.

In that case, it concerns treaties to which the Kingdom is a party, that aim to apply to the European Netherlands (as well), and that are deemed to offer 'appropriate safeguards' for personal data transfers to countries for which no adequacy decision applies (as yet).

Ask the AP for a legislative test of a draft treaty as early as possible, preferably in a stage in which the text of the treaty is still being prepared and/or negotiated. This prevents bottlenecks at the stage of signing and/or parliamentary approval.

It is likely that standard contractual clauses play an important part in the treaty practice, possibly including the protection of personal data. The AP can inform you about this and see if a legislative test of standard contractual clauses only is sufficient. The legislative test may be a mere formality in that case, provided that the draft treaty does not deviate from an acceptable standard.

Which requirements does your request have to meet?

Your request for a legislative test must consist of the following parts:

• The text of the draft.
• The explanatory notes to the draft. These must contain a separate paragraph with a justification concerning the processing of personal data in light of the GDPR (Implementation Act). Also see: Directions for the regulation 4.43, point d and Directions for the regulation 5.33.
  Is this paragraph missing? Then the AP recommends that you add it to the explanatory notes. And then submit the draft for a legislative test to the AP again.
• An accompanying letter with contact person (of the sender) and reference (of the sender).
• If available: a DPIA.

Note: Is your request for a legislative test not complete? Then the AP may decide not to process your request.

How you do you send your request to the AP?

Preferably send your request for a legislative test to the AP by email. You do this via wetgevingstoetsing@remove-this-text.autoriteitpersoonsgegevens.nl.

Send a letter with a reference, a date, and the concrete request for a legislative test in an attachment to your email. So that it is certain that you meet your statutory obligation to ask for a legislative test on behalf of the minister. And that you ask for a legislative test of the relevant version of the intended legislation or regulations.

By post

You can also send your request by post. You send it to:

Autoriteit Persoonsgegevens
Afdeling Wetgeving en Normuitleg
Postbus 93374
2509 AJ DEN HAAG.

Within which period will the AP provide a legislative test?

The AP aims to provide a legislative test within 8 weeks of receipt of the formal request for a legislative test. But due to capacity shortage, we are currently often unable to respond within this period. We are working on a solution for this. In the meantime, we make efforts to limit bottlenecks as far as possible, in consultation with you.

Tip: Make sure that the explanatory notes to your intended legislation or regulations contain a justification (in a separate paragraph) with regard to the personal data processing. If you do this with due care, our legislative test will usually be completed sooner.

Urgent request for a legislative test

You can make an urgent request. We will then assess if there is a sufficiently urgent interest. If so, we will prioritise your request for a legislative test as far as possible.

Note: Contact us as soon as possible if you have an urgent request.

What is in the legislative test from the AP?

The AP uses an assessment framework to assess the draft. In brief, this means that the AP assesses if the draft meets the requirements of the GDPR (Article 6, paragraph 3), and (with it) the principle of proportionality from the Charter of Fundamental Rights of the European Union (Article 52, paragraph 1).

In concrete terms, this means that the AP assesses whether the draft meets the following requirements:

1. Suitability: the draft is suitable for realising the pursued purpose of general interest or the protection of the rights and freedoms of others.
2. Subsidiarity: the purpose cannot reasonably be achieved as effectively in another way that affects the fundamental rights of the data subjects to a lesser extent.
3. Proportionality: the interference is not disproportionate to that purpose. This implies in particular a weighing of the interest of the purpose and the gravity of the interference.
4. Legal certainty: the draft is sufficiently clear and precise about the scope and is predictable in its application.
5. Substantive and procedural safeguards: the draft indicates sufficiently in which circumstances and on which conditions personal data may be processed. In this way, the draft ensures that the interference is limited to what is strictly necessary.
6. Binding nature under national law: the draft is binding under national law.

Does your draft not meet the assessment framework? Then the AP will indicate in the legislative test which points fail to meet the requirements. In that case, adjustment of the legislative text and/or explanatory notes is necessary. In exceptional cases, you can only follow the legislative test by withdrawing the draft.

Workload for the AP

In the legislative test, the AP also makes an estimate of whether the intended legislation or regulations will lead to a greater workload for the AP, because more intensive supervision is required. For example because of:

• the large number of data subjects;
• the high impact of the draft;
• the special complexity, as a result of which possibly many and/or complex complaints will be submitted to the AP;
• the necessity of intensive cooperation with other supervisory authorities.

Note: Is a significantly greater workload for the AP already foreseen during the preparation of the draft? Then the AP assumes that it will already be involved at that stage. Just like it is the case when the AP is given a new task based on the intended legislation or regulations.

When does the AP publish the legislative test?

The AP publishes the legislative test no later than within 2 weeks after the date of the legislative test. This is in line with the general standard as currently laid down in Article 3.3, paragraphs 1 and 2 of the Open Government Act (Dutch abbreviation: Woo). Publication is effected by publishing the legislative test on the website of the AP.

Exception in the case of negative effects

There is 1 exception to this rule. Would publication of the legislative test negatively affect the envisaged purpose of the intended legislation or regulations within 2 weeks, for example because persons to whom it is addressed will anticipate it? Then you can indicate this in your request for a legislative test. Also indicate why this would be the case. The AP may then decide to publish the advice earlier or later. This is also in accordance with the regime of the Woo.

Overview of legislative tests

View Legislative tests for an overview of all legislative test of the AP that has been published since 25 May 2018 (in Dutch).

What happens after the legislative test (follow-up phase)?

Did the AP in its legislative test express objections against the draft on major points? And did you adjust the draft to remove these objections, but does your government member attach great importance to the question of whether the AP thinks this sufficient? Then you can contact the AP. We will then see if we can help you and if so, in what manner.

Include the AP's legislative test in the explanatory notes

Do you derogate from the AP's legislative test on principal points? Then you have to state this in the explanatory notes to the draft, including the reason for your derogation. Do this by discussing the AP's legislative test in a separate paragraph and paying attention to each of the (principal) points of this legislative test.

Want to know more?

You can find the extended version of this information in the Circular letter from the AP about legislative testing (in Dutch). This is a letter sent by the AP to all ministries, with information about changes and developments in the area of legislative testing as of 1 September 2023.