Privacy legislation
There are many laws, decrees and regulations that govern the processing of personal data. The most important general privacy law in the Netherlands is the General Data Protection Regulation (GDPR). The Dutch Data Protection Authority (Dutch DPA) monitors compliance by organisations with the GDPR. And with other legislation and regulations for the use of personal data.
On this page
Supervision by the Dutch DPA
Important laws that are subject to supervision by the Dutch DPA are:
- General Data Protection Regulation (GDPR);
- General Data Protection Regulation (GDPR) Implementation Act;
- Directive on data protection in the law enforcement sector, implemented in the Police Data Act (Wpg) and the Judicial Data and Criminal Records Act (Wjsg);
- Elections Act (insofar as it concerns processing of personal data for elections in the European part of the Netherlands);
- Act on the Key Register of Persons (Wet BRP).
GDPR, GDPR Implementation Act and Directive on data protection in the law enforcement sector (Dutch RGR)
The most important rules for processing personal data in the Netherlands have been set out in the Algemene verordening gegevensbescherming (AVG) and the Richtlijn gegevensbescherming bij rechtshandhaving (RGR).
More about the Directive on data protection in the law enforcement sector
The GDPR and the RGR do not only apply in the Netherlands, but throughout the EEA. Each EEA country must:
- On a number of points in the GDPR, EU Member States are allowed or obliged to make their own choices on how they arrange this. In the Netherlands, the major part of those national choices have been laid down in the GDPR Implementation Act.
- Convert the RGR into own national legislation. In the Netherlands, the RGR has been implemented in the Police data Act (Wpol), the Judicial Data and Criminal Records Act (Wjsg), the Code of Criminal Procedure and the Police Act, among others. Read more about the RGR.
- The GDPR and the RGR arrange the taken en bevoegdheden van de AP as the supervisory authority for these laws. The tasks and powers of the Dutch DPA under the GDPR and the RGR have been worked out in more detail in the GDPR Implementation Act, the Wpol and the Wjsg.
Directive on data protection in the law enforcement sector
In addition to the GDPR, there is a separate European directive for data protection by the police and judicial authorities. This is the Directive on data protection in the law enforcement sector (Directive 2016/680). This directive provides rules for processing of personal data by competent authorities for the prevention, investigation, detection and prosecution of criminal offences and the implementation of penalties.
In the Netherlands, the Directive on data protection in the law enforcement sector was implemented in the Police Data Act (Wpg) and the Judicial Data and Criminal Records Act (Wjsg) as of 1 January 2019.
Similarities and differences GDPR and directive on data protection Differences between the GDPR and the Directive
The official name of the RGR is: ‘Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data’.
In the Netherlands, the RGR has been implemented in, among others:
- the Police Data Act (Wpol);
- the Judicial Data and Criminal Records Act (Wjsg);
- the Code of Criminal Procedure;
- the Police Act.
Police Data Act (Wpg)
The police use all kinds of personal data for the proper performance of police tasks. For example, for detecting perpetrators of criminal offences. The protection of personal data with the police has been arranged in the Wet politiegegevens (Wpg), the Code of Criminal Procedure and the Police Act, among others.
The Wpg regulates the processing of police data by the Dutch National Police, the special investigation services, the Royal Netherlands Marechaussee, and the National Police Internal Investigations Department (Rijksrecherche). The Wpg also applies to tasks that the police perform for the judicial authorities. The Dutch DPA monitors the processing of police data based on these laws.
Use of personal data by the police
Judicial Data and Criminal Records Act (Wjsg)
The judicial authorities collect all kinds of personal data for the detection, persecution, and settlement of criminal offences. The judicial authorities also process personal data for issuing a Certificate of Conduct (Dutch VOG).
The Judicial Data and Criminal Records Act (Wjsg) regulates the processing of judicial data (in suspect dossiers) and for the VOG. The Act also regulates the processing of data for prosecution purposes. The Dutch DPA monitors the processing of judicial data that is based on this Act.
Use of personal data by the judicial authorities
Act on the Key Register of Persons (Wet BRP)
Personal data of the residents of the Netherlands have been included in the Personal Records Database (Dutch abbreviation: BRP). The Act on the Key Register of Persons (Wet BRP) regulates the correct use of these data. This concerns, among other things, how municipalities record and amend personal data in the BRP and provide personal data from the BRP.
The GDPR contains a number of additional rules for personal data processing at the BRP. It concerns situations for which the Wet BRP does not provide.
International privacy legislation
Not everywhere in the world has the protection of personal data been arranged in the same way as in the Netherlands. In principle, the same regime applies within the EU. Various countries outside the EU also have privacy laws, but these are not always comparable to those of the EU. For this reason, the level of protection varies from country to country.
Within the EU
The GDPR is part of a package of European regulations for the protection of personal data. In addition to the GDPR, various other European regulations contribute to the protection of personal data:
- Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR)
- Article 8 of the Charter of Fundamental Rights of the EU
- the Data Protection Convention of the Council of Europe
The Data Protection Convention from 1981 has laid the foundation for the European privacy protection. The convention is an elaboration of the right to respect for privacy, as laid down in Article 8 of the ECHR (1950). The Data Protection Convention is also called the Strasbourg Convention or Convention 108.
The Data Protection Convention has a worldwide scope. States that are not a member of the Council of Europe can also sign the convention. Article 18 of the convention provides for an advisory committee, in which the Dutch DPA participates on behalf of the Netherlands.
Read more about the history of privacy legislation and the AP (in Dutch)
Outside the EU
Several countries outside the EEA also have privacy laws. However, due to historical, cultural and legal differences, these laws are not always comparable to the laws and regulations applicable in the EEA.
Transferring personal data from the Netherlands to a country outside the EEA is allowed only if that country offers sufficient protection.
Submit a tip or complaint
Do you suspect that a person or organization is not complying with privacy legislation? Then you can submit a tip-off or complaint to the AP.
Also view
Where can I find it?
- Official legislative text of the GDPR
- Consolidated legislative text of the GDPR (including later rectifications). Note: this is not the official, legally binding legislative text.
- Official legislative text of the GDPR Implementation Act
- Official legislative text of the Directive on data protection in the law enforcement sector