-
Please provide an overview of the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered by them; what sectors, activities or data do they regulate; and who enforces the relevant laws).
The legal and regulatory framework governing data protection, privacy and cybersecurity in the Netherlands consists of the following laws:
European Union law
Charter of Fundamental Rights of the European Union
A declaration that lists and synthesizes the most important personal freedoms and rights of EU citizens into one legally binding document. Amongst others, it contains provisions on the right to privacy (Article 8). It has direct effect for Dutch citizens.
Cybersecurity Act 881/2019 (‘CSA’)
The CSA is a European regulation aimed at improving protection against cybersecurity threats in the EU. The act introduces a harmonised European system for the certification of ICT products, services and processes, which allows manufacturers and service providers to use a single mutually recognised certificate throughout the EU.
General Data Protection Regulation 2016/679 (‘GDPR’)
The GDPR is the general EU regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and has direct effect in the Netherlands. The Dutch Data Protection Authority (‘Autoriteit Persoonsgegevens’, ‘Dutch DPA’) is the relevant authority.
eIDAS Regulation 910/2014 (‘eIDAS Regulation’)
The eIDAS Regulation provides a predictable regulatory environment to enable secure and seamless electronic interactions and transactions between businesses, citizens and public authorities.
E-Privacy Directive 2002/58/EC (‘E-Privacy Directive’)
The E-Privacy Directive concerns the processing of personal data and the protection of privacy in the electronic communications sector. It is transposed into the Dutch Telecommunications Act (see below).
NIS Directive 2016/1148 (‘NIS’)
The NIS Directive requires a minimum level of information security for the network and information systems of operators of essential services across the EU. It is transposed into the Dutch Network and Information Systems Security Act (see below). The NIS Directive, as implemented in that Act, will be replaced by the NIS2 Directive (see question 43).
Police Data Directive 2016/680 (‘Police Data Directive’)
This Directive governs the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. It is transposed into the Dutch Police Data Act (see below).
Council of Europe law (not to be confused with the EU Council; the Council of Europe is not a European Union body)
European Convention on Human Rights (‘ECHR’)
International convention on the protection of human rights and political freedoms in Europe, containing provisions on the right to respect for private and family life, home and correspondence (Article 8). It has direct effect for Dutch citizens.
Convention 108
Convention 108 is an elaboration of the right to respect for private life enshrined in Article 8 of the ECHR. It formed the basis for the European Union Privacy Directive, which has been replaced by the GDPR.
National law
General Data Protection Regulation Implementation Act (‘GDPR Implementation Act’) (‘Uitvoeringswet Algemene verordening gegevensbescherming’)
The GDPR Implementation Act implements the GDPR in the Netherlands and elaborates the national choices provided for by the GDPR. The Dutch DPA is the relevant authority.
The Constitution of the Kingdom of The Netherlands (‘De Grondwet voor het Koninkrijk der Nederlanden’)
The Constitution of the Kingdom of The Netherlands includes the fundamental rights of Dutch citizens. Article 10 stipulates a right to privacy which can be invoked by Dutch citizens against others and against the government.
Telecommunications Act (‘Telecommunicatiewet’)
This Act provides rules concerning electronic communications, both for the telecom sector and for other parties using electronic communications. It regulates privacy-related issues, such as spam and cookies. For such privacy matters, the Dutch DPA is the responsible regulator.
Police Data Act (‘Wet Politiegegevens’)
This Act provides rules concerning the processing of police data by the Dutch police. The Dutch DPA is the responsible regulator.
Judicial and Criminal Records Act (‘Wet justitiële en strafvorderlijke gegevens’)
This Act governs the processing of judicial data and criminal records by the Dutch Public Prosecution Service (‘Openbaar Ministerie’) and the Ministry of Justice and Security (‘Ministerie van Justitie en Veiligheid’). The Dutch DPA is the responsible regulator.
Intelligence and Security Services Act (‘Wet op de inlichtingen- en veiligheidsdiensten’)
This Act regulates the powers of the General and Military Intelligence and Security Services (‘Algemene en militaire inlichtingen- en veiligheidsdiensten’).
Medical Treatment Contracts Act (‘Wet op de geneeskundige behandelingsovereenkomst’)
This Act imposes rules regarding security requirements and retention periods for patient data in the medical records of health practitioners. For that part, the Dutch DPA is the regulator.
Additional Provisions for the Processing of Personal Data in Healthcare Act (‘Wet aanvullende bepalingen verwerkingen persoonsgegevens zorg’)
This Act governs the processing of personal data by healthcare providers and healthcare insurance companies. For the electronic processing of personal data – such as in an Electronic Patient Record (‘Elektronisch Patiëntendossier’ or ‘EPD’) – the Act stipulates additional requirements relating to the rights of the individual and requires the consent of the individual for such processing.
Basic Registration of Persons Act (‘Wet basisregistratie personen’)
Administrators and users of registered personal data must meet the requirements set forth in this Act. The Dutch DPA is the supervising authority regarding these rules.
Network and Information Systems Security Act (‘Wet beveiliging netwerk- en informatiesystemen’)
This Act implements the NIS Directive and elaborates the national choices provided for by the NIS Directive. The Act requires operators of essential services and digital service providers (question 30) to have appropriate and proportionate technical and organisational measures in place to secure their ICT resources. Furthermore, these parties need to take appropriate measures to prevent incidents and to mitigate the impact of any incidents that do occur to the extent possible. The corresponding Network and Information Systems Security Decree designates the relevant authorities and the vital operators.
-
Are there any expected changes in the data protection, privacy and cybersecurity landscape in 2023-2024 (e.g., new laws or regulations coming into effect, enforcement of any new laws or regulations, expected regulations or amendments)?
For expected upcoming changes to these laws, we refer to question 43.
-
Are there any registration or licensing requirements for entities covered by these laws, and, if so, what are the requirements? Are there any exemptions?
A license from the Dutch DPA is required when processing criminal personal data on behalf of third parties (Article 33(4) GDPR Implementation Act). Additionally, when a Data Protection Officer (‘DPO’) is appointed, this DPO must be registered with the Dutch DPA (see also question 15).
Apart from that, no data protection related registration or licensing requirements for entities exist under the abovementioned laws.
-
How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
The key definitions are all provided by the GDPR. The GDPR distinguishes two types of data: ‘personal data’ and ‘special categories of personal data’. Other key definitions set forth in the GDPR are ‘data subject’, ‘processing’, ‘controller’, ‘processor’, ‘personal data breach’, and ‘pseudonymization’.
Personal data and data subject
Personal data and data subject are defined in Article 4(1) GDPR: ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person‘.
Note: In this document we use the term ‘individual’ instead of ‘data subject’.
Special categories of personal data
Personal data is defined in Article 9 GDPR as a ‘special category of personal data’ when it reveals ‘racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership’ or when it regards ‘genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’. Data related to criminal offences and convictions is not included in this definition, but Article 10 GDPR defines a regime for this kind of data similar to that for special categories.
Processing
Processing is defined in Article 4(2) GDPR as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction‘.
Controller
Controller is defined in Article 4(7) GDPR as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’.
Processor
Processor is defined in Article 4(8) GDPR as ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
Personal data breach
Personal data breach is defined in Article 4(12) GDPR as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
Pseudonymization
Pseudonymization is defined in Article 4(5) GDPR as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’. Pseudonymized data is not anonymous data: pseudonymized data is still personal data and thus the GDPR applies. This is not the case for anonymized data.
In line with the GDPR, the Dutch DPA takes a strict approach towards anonymization. For instance, trimming a hashed number or removing the last three digits of an IP address without further safeguards is not an anonymization effort according to the Dutch DPA.
Note: these guidelines of the European Data Protection Board (‘EDPB’) provide further information on the concepts of controller and processor.
-
What are the principles related to the general processing of personal data or PII? For example, must a covered entity establish a legal basis for processing personal data or PII in your jurisdiction, or must personal data or PII only be kept for a certain period? Please outline any such principles or “fair information practice principles” in detail.
The GDPR is a principle-based law. The principles are set out in Article 5 GDPR:
Lawfulness (Article 5(1)(a) GDPR)
The processing of personal data must be lawful; hence all personal data processing requires a so-called lawful basis. Article 6(1) GDPR provides a limitative list of lawful bases, namely when the individual has given consent for the processing or the processing is necessary for one of the following:
- The performance of a contract.
- Compliance with a legal obligation.
- The protection of the vital interests of the individual or another person.
- The performance of a task carried out in the public interest.
- Purposes of legitimate interests pursued by the controller.
Fairness (Article 5(1)(a) GDPR)
The processing of personal data must be fair. This means that processing must be done in a way an individual or a group of individuals would reasonably expect and not in a way that has unjustified adverse effects on them. Assessing whether the processing is fair depends in part on the method employed to obtain the data and on how the processing affects an individual or a group of individuals. If a person is deceived or misled about the processing of their personal data, then this is unlikely to be fair.
Transparency (Article 5(1)(a) GDPR)
The GDPR requires organizations to be transparent about the processing of personal data. This means that individuals must be given clear, open and honest information about by whom, in what way, by what means and why their personal data is processed. The principles of transparency and fairness also mean that individuals have certain rights that enable them to control their personal data (see question 32).
Purpose limitation (Article 5(1)(b) GDPR)
The purpose limitation principle requires that personal data is only processed for specified, explicit and legitimate purposes and not for other purposes incompatible with the original purpose. Before a controller starts collecting and processing personal data, the purpose needs to be established and documented.
To test the compatibility of a secondary purpose, the factors to be taken into account are:
- The link between the original and secondary purpose.
- The context of the processing.
- The consequences to the individual.
Data minimization (Article 5(1)(c) GDPR)
The principle of data minimization means that only the minimal amount of data necessary for the (specific and explicit) purpose may be collected. Mere collection of personal data because it is technically possible – or may come in handy in the future – is not allowed.
Accuracy (Article 5(1)(d) GDPR)
The principle of accuracy requires personal data to be correct in relation to the purpose for which the data is required. Where necessary, the data needs to be kept up to date. All reasonable steps must be taken to ensure the personal data complies with this accuracy principle. What these reasonable steps are varies depending on the way the personal data is collected and used, and on the consequences for the individual. They may range from none (e.g., for sending newsletters) to multiple (e.g., where automated predictions are made about an individual’s creditworthiness).
Storage limitation (Article 5(1)(e) GDPR)
The principle of storage limitation requires that data is deleted or anonymized if it is no longer required for the purpose of use. The period during which the data is needed for processing is called the ‘retention period’. Permitted secondary use, such as archiving, scientific research or for legal claims, may allow longer storage periods. The controller must lay down an internal policy regarding the retention of all data used, otherwise known as a data retention policy (read more at question 12).
Integrity and confidentiality (security) (Article 5(1)(f) GDPR)
Personal data must be protected against unauthorized or unlawful processing, loss, destruction or damage. This principle involves that the processing of personal data is secured by means of ‘appropriate technical and organizational measures’. The minimal required security measures may vary depending on the personal data processing activity, its (potential) impact on an individual, the state of the art, and the cost involved in the security measures (read more at question 26).
Accountability (Article 5(2) GDPR)
The accountability requirement implies that a controller is responsible for compliance with the GDPR and needs to ensure, and always be able to demonstrate, such compliance. This must inter alia be done by implementing appropriate data protection policies and procedures, establishing a supervision and governance framework, and training staff. The Dutch DPA can request a controller to demonstrate compliance with this accountability principle.
-
Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII?
Circumstances in which consent is required or typically used are the following:
- Special categories of personal data – explicit consent required (see question 6).
- Certain forms of profiling – discussed under question 20.
- “Cold” direct marketing – discussed under question 23.
-
What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?
As defined in Article 4(11) GDPR, consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The GDPR emphasizes the importance of the voluntary nature of the consent. As written in Recital 42, “consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment“.
In addition to the requirement of voluntariness, specific rules for obtaining a valid consent are outlined in Article 7 GDPR:
- Demonstration – as required under the accountability principle, where processing is based on consent, the controller must be able to demonstrate that the individual has consented to the processing of personal data. For example, by logging such consent.
- Unambiguous – the request for consent must be presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form and using clear and plain language. Pre-checked boxes, non-refusal, bundling and inactivity are for instance not allowed and invalidate the consent.
- Revocable – the individual must have the right to withdraw consent at any time and with similar ease to that with which consent was obtained. The withdrawal of consent does not affect the lawfulness of processing based on consent before such withdrawal.
- Informed – the individual must be informed about the details of the processing for which consent is given. This involves at least detailed information on the controller’s identity, what data processing activities will take place, for what purpose(s), and the option to withdraw consent at any time.
- Specific – for different types of processing, separate acts of consent are needed. This means that processing activity A, requires consent A. Processing activities relevant for activity B, will require a separate consent request.
Note: The European Data Protection Working Party (the EDPB’s predecessor) provides extensive guidelines on consent.
In some cases, the GDPR requires explicit consent. Examples are detailed in question 7. The term ‘explicit’ refers to the manner in which the consent is expressly confirmed in words by the individual and should therefore clearly refer to the processing activities that require the explicit consent. This can be achieved by a separate written statement by the individual or on a website by a separate checkbox that clearly states for what processing the consent is given.
Note: The GDPR specifically discusses consent requested with the use of electronic means in Recital 32: “When the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
-
What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection or disclosure?
The ground rule is a prohibition to process special categories of personal data, which includes collection and disclosure. In order to process special categories of personal data without infringing the fundamental rights and freedoms of the individual, it is necessary to meet the requirements of a limitative exception listed in Article 9 GDPR. Put briefly, the exceptions are:
- The explicit consent of the individual.
- The processing is necessary for purposes of employment-, social security- or social protection law.
- The processing is necessary to protect the vital interests of the individual or of another natural person, when this person is not able to do so.
- The processing is necessary during legitimate activities with appropriate safeguards by a foundation, association or any other non-profit body with a political, philosophical, religious or trade union aim.
- The processing relates to personal data which are manifestly made public by the individual.
- The processing is necessary for legal claims or whenever a public court is acting in its judicial capacity.
- The processing is necessary for reasons of substantial public interest.
- The processing is necessary for the purposes of social health care and the provision of health care.
- The processing is necessary for public interest in the area of public health, such as protecting against serious cross-border threats.
- The processing is necessary for purposes related to science, history or research.
Additionally, Dutch law specifically addresses data that consist of information regarding criminal offences. Articles 31-33 of the Dutch GDPR Implementation Act stipulate that the abovementioned rules similarly apply to the processing of personal data on criminal offences and convictions. Next to these ‘general’ rules, the Implementation Act introduces other situations wherein such crime-related data may be collected (e.g., on behalf of a relevant public authority empowered with criminal enforcement).
Furthermore, the Implementation Act also specifies other exceptions for the prohibition of processing of special categories of personal data, such as for schools (e.g., health data of students) and employers (e.g., ethnic data for promoting diversity), see question 9.
National Identification Numbers
Another special regime applies to national identification numbers. In the Netherlands, the processing of the national identification number (Burger Service Nummer, BSN) is prohibited unless this is specifically prescribed by law (Article 87 GDPR in conjunction with Article 46 GDPR Implementation Act).
Examples of Dutch laws regulating the use of the BSN are the General Provisions Citizen Service Number Act (for government institutions), the Act on the Use of Citizen Service Numbers in Healthcare (for healthcare institutions) and the Act on Personal Identification Numbers in Education (for educational institutions).
-
How do the laws in your jurisdiction address children’s personal data?
The protection of children under the GDPR is twofold:
High-risk processing activity
Firstly, the processing of children’s personal data is usually considered a high-risk processing activity. As stated in Recital 38: “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.” This means that an additional layer of responsibilities, and therefore obligations, applies to the controller and/or processor of children’s personal data. This may for instance mean that the controller is required to conduct a data protection impact assessment (see question 14), apply shorter retention periods and/or use appropriate child-focused language in its privacy notice.
In July 2021, the Dutch DPA imposed a EUR 750,000 fine on TikTok for using an English privacy notice which by default could not be understood by Dutch children. TikTok has appealed the fine.
Rules on online consent
Secondly, specific rules apply to children’s consent in terms of Article 6(1) GDPR. Article 8(1) GDPR imposes special protection on consent for the processing of children’s personal data online. As a ground rule, the Article states: “Where point (a) of Article 6(1) applies [the individual has given consent] in relation to the offer of information society services directly to a child, the processing of the personal data shall be lawful where the child is at least 16 years old”.
Moreover, “where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child”.
Article 8(2) confirms the accountability of the controller in assessing this consent: “The controller shall make reasonable efforts to verify in such cases that consent is given or authorized by the holder of parental responsibility over the child, taking into consideration available technology”. The controller thus is obliged to verify, by means of a reasonable effort, whether lawful consent is given.
Note: Member States are allowed to lower this age limit by national law, yet the absolute minimum set by the GDPR is an age of 13. The possibility of lowering the minimum age is not enacted under Dutch law.
Moreover, the soon-to-be implemented Digital Services Act will also contribute to the protection of children in relation to information society services. The Act sets a higher standard for the transparency requirements imposed on digital service providers. Among other things, the current legal framework of rules on advertising will be thoroughly reformed. As a result of this reform, children will enjoy greater protection, since targeted advertising to minors is banned.
-
How do the laws in your jurisdiction address health data?
Health data is considered a special category of personal data under the GDPR (question 8). Furthermore, the Dutch GDPR Implementation Act includes a number of provisions related to health data:
Article 30(1) Dutch GDPR Implementation Act provides that processing personal data based on the exception given in Article 9(2)(b) GDPR is allowed if such processing is required by public bodies, pension funds and employers when the processing of health data is necessary for either:
- Their legal obligations which depend on the state of health of the employee.
- The reintegration or support of an employee in case of illness or incapacity for work.
Under this Article 30(1), other organizations such as schools, insurance companies and social work organizations are also granted specific exemptions to the prohibition to process health data.
For the processing of health data for scientific research or statistical purposes (Article 9(2)(j) GDPR), explicit consent is required under Article 24 of the Dutch GDPR Implementation Act, unless this proves impossible or requires a disproportionate effort.
-
Do the laws include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
The Dutch GDPR Implementation Act includes a number of provisions that expand, or provide stricter rules for, the ability to process special categories of personal data. The most important exceptions are:
General
Article 23 provides that the prohibition to process special categories of personal data is lifted for any of the following reasons:
- This is necessary for an obligation under international law.
- Such processing takes place by the Dutch DPA or the ombudsman, given that such processing is necessary to perform their tasks.
- Such processing is necessary in addition to the processing of criminal data and for the purposes for which the latter is processed.
Scientific and historical research or statistical purposes
Article 24 provides that processing personal data based on the exception given in Article 9(2)(j) GDPR is only allowed if such processing meets the following criteria:
- It is necessary for the purpose.
- A public interest is served in case of research.
- An explicit consent is obtained, unless this is impossible or requires a disproportionate effort.
- It is reasonably safeguarded to limit the impact on the individual.
Through this provision, the Dutch GDPR Implementation Act has made explicit consent almost a prerequisite for scientific and historical research with special categories of data, while this does not follow directly from the GDPR. In clinical trials, for instance, this raises the question of whether the required explicit consent is really freely given.
Race or ethnic origin
Article 25 provides that processing personal data based on the exception given in Article 9(2)(g) GDPR is only allowed if such processing is either:
- Necessary and unavoidable for the purpose of identifying the individual.
- Necessary in order to provide the individual a preferential position, criteria for the processing are clearly set, and the individual has not objected to the processing.
-
Does your jurisdiction impose requirements of ‘data protection by design’ or ‘data protection by default’ or similar? If so, please describe the requirement and how businesses typically meet the requirement.
The concepts of data protection by design and data protection by default follow from article 25 GDPR and can be defined as the following:
Data protection by design – imposes, at the earliest stage, an obligation to embed privacy-enhancing features and technologies into the initial design of the services and products by means of which data is collected. E.g., pseudonymization.
Data protection by default – further requires that the means by which data is collected, are provided with privacy friendly default settings. E.g., opt-in user settings.
Recital 78 GDPR discusses a broad interpretation of these requirements and even encourages parties which do not necessarily fall under the GDPR (e.g., producers of electronic services) to take data protection by design and default into account:
“The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organizational measures be taken to ensure that the requirements of this Regulation are met. (…) the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. (…) When developing, designing, selecting and using applications, services and products that are based on the processing of personal data (…) producers of the products, services and applications should be encouraged to take into account the right to data protection.”
Note: The EDPB provides extensive guidelines on Data Protection by Design and by Default.
-
Are owners/controllers or processors of personal data or PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
The internal record obligation to track and keep a record of processing activities is included in Article 30 GDPR.
Controllers must maintain a record of all processing activities. That record shall contain at least the following information:
- Name and contact details of the controller.
- Purpose of processing.
- Description of the categories of the personal data and individuals.
- (Categories of) recipients of the data.
- In case of transfers, identification of a third country or international organization.
- Retention periods.
- Description of technical and organizational security measures.
Processors must maintain a more limited record of processing activities. That record shall contain at least the following information:
- Name and contact details of the processor and of each controller on whose behalf the processor acts.
- Categories of processing.
- In case of transfers, identification of a third country or international organization.
- Description of technical and organizational security measures.
The Dutch DPA may at any time request access to the record, which is often the starting point of an investigation. Shortly after the GDPR became applicable (mid-2018), the Dutch DPA requested a number of companies to show their records. This resulted in five recommendations for such mandatory records, emphasizing the need for a concrete and detailed record per purpose/processing activity.
Other compliance measures
In addition, although not specifically mentioned in the GDPR, in practice controllers (and to a lesser extent processors) cannot comply with the GDPR without a GDPR program. Through such a program, organizations take appropriate measures to adjust their business processes to take GDPR compliance into account. This includes establishing privacy controls and roles and responsibilities. Awareness and training programs, risk assessments, and policies and procedures, including a privacy policy, are also an indispensable part of such a program.
In April 2019, again after requesting examples of a number of (high-risk) companies, the Dutch DPA published recommendations on privacy policies, emphasizing the use of a concrete policy, based on expertise and made known to the people who deal with personal data.
Note: Article 30(5) GDPR exempts organizations with fewer than 250 employees (i.e., micro, small and medium-sized enterprises) from the obligation to keep a record. This exemption does not apply if the processing is likely to result in a risk (not only a high risk) to the rights and freedoms of data subjects, if the processing is not occasional, or if the processing includes special categories of data or criminal offence data. In practice the exemption is therefore rarely available, because almost every organization processes employee or customer data on a regular basis. The Article 29 Working Party provides further guidance.
-
Do the laws in your jurisdiction require or recommend having defined data retention and data disposal policies and procedures? If so, please describe these data retention and disposal requirements.
The concepts of data retention and disposal policies are covered by the storage limitation principle of the GDPR. As described under question 4, the storage limitation principle requires that personal data be stored no longer than is necessary for the intended purposes. The period during which the data is needed for processing is called the retention period. The GDPR as such does not provide concrete retention periods. Under the accountability principle, a data retention policy is expected from controllers, consisting of retention periods prescribed by law and best-practice retention periods (see below).
After the retention period, the data should be deleted or anonymized so that it no longer qualifies as personal data.
Dutch law contains some specific retention periods, for example in tax and immigration law. After termination of the employment contract, employers are obliged to store payroll tax data and a copy of the employee's identity document for five years. In the healthcare sector, healthcare institutions must store medical files for a minimum of twenty years after the treatment.
The Dutch DPA has also provided guidance on reasonable retention periods for personal data where no legal retention period applies, e.g.:
- Personal data in personnel files should be kept two years after termination of the employment agreement.
- CCTV images can be kept for a maximum of four weeks, unless criminal activity occurred or is suspected.
- Schools can keep files on a student for two years after the student left the school.
-
When are you required to, or when is it recommended that you, consult with data privacy regulators in your jurisdiction?
If an organization intends to start a new data processing operation that is likely to result in a high risk to individuals' rights and freedoms, it is mandatory to carry out a data protection impact assessment (further explained under question 14). Article 36 GDPR adds a formal requirement to this assessment: the controller must consult the Dutch DPA prior to processing if the DPIA indicates that the processing would result in a high risk in the absence of measures that mitigate the risk to an acceptable level. The Dutch DPA assesses the request and responds, in principle within eight weeks, by means of written advice to the controller and, where applicable, to the processor, and may use any of its enforcement powers referred to in Article 58 GDPR, up to and including prohibiting the data processing operation.
This article 36 procedure was used for the Dutch corona app, resulting in the Dutch DPA recommending further privacy enhancing measures towards back-end providers Google and Apple.
-
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
The GDPR, the Police Data Act, and the Judicial and Criminal Records Act require conducting a risk assessment regarding data processing activities in a variety of circumstances. If an organization intends to start a data processing operation that is likely to result in a high risk to individuals' rights and freedoms, it is mandatory to carry out a thorough data protection impact assessment, or 'DPIA' (Article 35 GDPR). Under the GDPR, processing activities that in any case require a DPIA include:
- The systematic and extensive profiling with significant effects for individuals.
- The processing of special category or criminal offence data on a large scale.
- Systematic monitoring of publicly accessible areas on a large scale.
For detailed information on the concept of ‘large scale’ see question 15.
According to Article 35(7) GDPR, a DPIA contains at least:
- A systematic description of the envisaged processing operations and the purposes of processing, including, where applicable, the legitimate interest pursued by the controller.
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes.
- An assessment of the risks to the rights and freedoms of individuals referred to in paragraph 1.
- The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of individuals and other persons concerned.
The Dutch DPA has published a list of processing activities that in and of themselves require a DPIA. Amongst others, the list includes covert investigation, anti-fraud activities, credit scoring, behavioral observation, profiling, and the use of biometrics.
In practice, a DPIA is an effort of multiple stakeholders, including for example people from the business, legal experts, data analysts, and IT and security experts. A typical DPIA takes between 40-200 hours.
Note: The European Data Protection Working Party provides extensive guidelines on the DPIA.
-
Do the laws in your jurisdiction require appointment of a data protection officer or a chief information security officer (or other person to be in charge of privacy or data protection at the organization), and what are their legal responsibilities?
Necessity of DPO (Article 37 GDPR)
There are three types of circumstances that require designating a DPO and registering this person with the Dutch DPA:
- The processing is carried out by a public authority or body.
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of individuals on a large scale.
- The core activities of the controller or processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
Examples of core activities which require a DPO are listed by the Dutch DPA, and include: telecommunication, search engines, public transport activities, insurance and banking. Note that an organization is also free to appoint a DPO without meeting the requirements above. Both controllers and processors fall under the DPO requirement.
As regards the threshold of 'large scale' data processing, the Dutch DPA has set 10,000 individuals as the minimum for 'large scale processing' in relation to healthcare providers such as general practitioners and pharmacies, which need to appoint a DPO if they have 10,000 or more patients.
Other DPO requirements
Under the GDPR, the DPO must be designated on the basis of professional qualities, including in-depth understanding of the GDPR and expertise in national and European data protection laws and practices. Personal qualities of the DPO should also include integrity and high professional ethics. The controller/processor should support the DPO with the resources needed to perform the DPO tasks and to maintain expert knowledge (e.g., financial resources, infrastructure, staff, access to other services such as HR, legal, IT, security).
At the earliest stage possible, the DPO should be involved in all matters relating to the protection of personal data, in a risk-based manner. The DPO should be seen as a discussion partner within the organisation. The opinion of the DPO should always be given due weight and reasons for not following the advice should be documented. The DPO should also be promptly consulted once a personal data breach or another data protection related incident has occurred.
The DPO should have an independent position and should not receive any instructions on how to exercise the DPO tasks. The DPO may not be dismissed or penalized for performing those tasks. There must be no conflict of interests when the DPO also fulfils other tasks and duties. Senior management positions, such as chief executive, head of marketing, head of HR, or head of IT, are likely to be conflicting, because the holder determines the purposes and means of processing that the DPO is supposed to monitor.
In the scope of the DPO tasks, the DPO should be able to directly report to the board.
The DPO tasks include monitoring compliance with the GDPR, advising on awareness-raising and training of staff, advising on DPIA’s, cooperating with the data protection authorities where required and acting as the contact point for these authorities.
There is no legal obligation for private companies to have a chief information security officer under Dutch law. However, a chief information security officer is required for specific public bodies, such as municipalities.
Note: The European Data Protection Working Party provides extensive guidelines on the role of the DPO.
-
Do the laws in your jurisdiction require or recommend employee training? If so, please describe these training requirements.
The GDPR does not contain specific provisions on employee training. However, as already detailed in question 4, a training requirement can be derived from the principle of accountability. Article 24 GDPR, which elaborates the accountability principle, states: "the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation".
This notion of 'organisational measures' implies that the controller may be obliged to educate or train the employees who carry out data processing operations in their day-to-day activities. In addition, Article 39(1)(b) GDPR makes awareness-raising and training of staff involved in processing one of the DPO's tasks. For many organizations, training of employees is therefore required to ensure GDPR compliance and to limit operational risk in daily operations.
For further compliance measures see question 11 on the implementation of a GDPR program.
-
Do the laws in your jurisdiction require businesses to provide notice to data subjects of their processing activities? If so, please describe these notice requirements (e.g., posting an online privacy notice).
Information obligation
As a rule, individuals have the right to be informed about the processing of their personal data. It follows directly from the principles of fair and transparent processing, further elaborated upon in question 4. In practice, the individual must be informed by means of a so-called privacy notice, that communicates the identity of the controller, existence and scope of data processing operations, its purposes, and other details.
Timing of information
The privacy notice should be provided at the time the personal data is collected from the individual. If the data is obtained from another source, the information must be provided within a reasonable period after obtaining the data, at the latest within one month; if the data is used to communicate with the individual, at the latest at the time of the first communication; and if disclosure to another recipient is envisaged, at the latest when the data is first disclosed (Article 14(3) GDPR).
Content of information
Articles 13 and 14 GDPR impose a general obligation on the controller to provide information on the processing activities. Summarized, the required information includes:
- The identity and the contact details of the controller (and representative, if any).
- The contact details of the DPO (if any).
- The purposes and legal basis of processing.
- If based on legitimate interest, the legitimate interests pursued by the controller or a third party.
- The recipients of the personal data.
- Any transfer of data to a third country or international organization, and reference to the safeguards for protecting the transferred personal data.
- The storage period or criteria for establishing storage period.
- The existence of the rights of access, rectification, erasure, restriction of processing, objection and data portability.
- If applicable, the right to withdraw consent.
- The right to lodge complaint.
- Whether the provision of data is the result of a statutory or contractual requirement and in that case, any consequences of a failure to provide data.
- The existence of automated decision-making.
Exceptions to the obligation to provide information
There are cases in which a controller is exempted from the obligation to provide information. Where data is collected directly from the individual, the only exemption is that the individual already possesses the information. Where data is obtained from another source, the controller is also exempted if:
- The provision of information to the individual proves to be impossible or would involve a disproportionate effort (e.g., processing for archiving, scientific or historical purposes), in which case appropriate measures such as making the information publicly available must be taken.
- The obtaining or disclosure of the personal data is expressly laid down by law.
- The personal data must remain confidential subject to an obligation of professional secrecy.
Note: the guidelines of the Article 29 Working Party on transparency provide further information on the principle of transparency, including best practices for controllers.
-
Do the laws in your jurisdiction draw any distinction between the owners/controllers and the processors of personal data, and, if so, what are they? (For example, are obligations placed on processors by operation of law, or do they typically only apply through flow-down contractual requirements from the owners/controller?)
In general, most GDPR requirements apply to the controller. This includes complying with the GDPR principles as described in question 4. The obligations that are directly aimed at processors mostly relate to security (including notifying a personal data breach to the controller without undue delay), to the engagement of sub-processors (which requires the controller's prior authorisation), and to international transfers. Accountability-style obligations directly aimed at processors under the GDPR are the record-keeping obligation (see question 11) and the DPO obligation (see question 15).
In addition, through the mandatory data processing agreement of Article 28(3) GDPR, certain requirements are pushed down to processors. See question 19 for more information.
Note that the concept of ‘ownership’ over personal data does not exist in our jurisdiction.
-
Do the laws in your jurisdiction require minimum contract terms with processors of personal data or PII, or are there any other restrictions relating to the appointment of processors (e.g., due diligence or privacy and security assessments)?
The core requirement is that a controller may only use processors which provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the GDPR requirements (Article 28(1) GDPR). Depending on the risks of the processing activity that is outsourced to a processor, vendor due diligence may be required.
As discussed under question 18, Article 28(3) GDPR imposes an obligation to conclude a processing agreement between the controller and the processor. It covers the minimal terms such processing agreements must contain, including the obligation for the processor to:
- Process the personal data only on documented instructions from the controller.
- Ensure that the persons authorised to process the personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality.
- Take all measures required pursuant to Article 32 GDPR on security.
- Assist the controller, insofar as possible, in responding to requests from individuals exercising their rights and in fulfilling its obligations in relation to security, personal data breaches, DPIAs and prior consultation.
- At the choice of the controller, delete or return all personal data to the controller after the end of the services, and delete existing copies unless law requires storage.
- Make available all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the controller or an auditor mandated by the controller.
In addition, the contract should at least:
- Be a contract or other legal act under EU or Member State law that is binding on the processor with regard to the controller.
- Set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of individuals, and the obligations and rights of the controller.
With regard to the position of the processor vis-à-vis the controller, Article 29 GDPR provides that the processor may not process personal data except on instructions from the controller, unless the processor is required to do so by EU or national law. A processor that instead determines the purposes and means of the processing itself is considered a controller for that processing (Article 28(10) GDPR).
-
Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including the use of tracking technologies such as cookies. How are these terms defined, and what restrictions are imposed, if any?
Profiling and automated decision-making (art. 22 GDPR)
'Profiling' under the GDPR (Article 4(4)) is any form of automated processing of personal data used to evaluate personal aspects of a natural person, in particular to analyse or predict aspects such as performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. In practice, the GDPR treats profiling as a higher-risk processing activity, especially if decisions about an individual are made on the basis of it. Profiling is not specifically prohibited by the GDPR but requires extra measures, such as a transparent description in the privacy notice and, in many cases, a DPIA.
Article 22 GDPR does not define 'automated decision-making' as such, but addresses decisions 'based solely on automated processing': decisions taken by technological means without meaningful human involvement.
Such a solely automated decision is prohibited if it produces either:
- A legal consequence for the individual.
- Another consequence that has a similarly significant effect on the individual.
Unless the processing operation is either:
- Necessary for entering into, or performance of, a contract between the individual and controller.
- Authorised by applicable EU or Member State law that the controller is subject to, and which provides suitable measures to safeguard the individual’s rights, freedoms, and interests.
- Based on explicit consent of the individual.
The first and third exceptions (contract and explicit consent) require the controller to implement suitable safeguarding measures, including at least the individual's right to obtain human intervention, to express his or her point of view and to contest the decision. For special categories of data, a solely automated decision is only permitted with explicit consent or for reasons of substantial public interest, again subject to suitable safeguards (Article 22(4) GDPR).
In case the controller utilizes automated decision-making or profiling, the controller must also provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.
Note: The European Data Protection Working Party provides extensive guidelines on automated decision making and profiling.
Cookies
In general, the GDPR applies to cookies involving the processing of personal data. In addition, the Dutch Telecommunications Act (as transposed from the E-Privacy Directive) contains lex specialis rules for cookies. Under the Dutch Telecommunications Act, a website owner must ask website users for consent before placing cookies on, or reading information from, the user's device, unless an exemption applies. The rule is technology-neutral: it covers any storage of, or access to, information on the user's device, so local storage, tracking pixels and device fingerprinting fall under it as well. More specifically:
- Functional cookies (i.e., cookies that are technically necessary for the website to work properly or to provide a service explicitly requested by the user) do not require consent.
- Analytical cookies generally require consent, unless the cookies have no or only a minor impact on the privacy of the user (e.g., first-party statistics with IP address truncation and no sharing with third parties).
- Tracking cookies always require the prior consent of the user.
If the cookies process any personal data, the user should be informed via a cookie statement about, amongst others, the processed data, the use of cookies, the retention period and any recipients (such as the third-party cookie provider). Where consent is required, this can be obtained via a cookie banner; it must be a genuine choice, so declining must be as easy as accepting and non-functional cookies may not be set before the user has consented.
The Dutch DPA has published guidelines on the privacy-friendly configuration of Google Analytics. Note however that several European data protection authorities (including those of Austria, France and Italy) have found specific uses of Google Analytics unlawful because of the transfer of personal data to the United States, so further restrictions on its use in the EU are possible. The Dutch DPA considers a so-called cookie wall, where access to a website is refused unless the user accepts tracking cookies, to be incompatible with the GDPR, because consent given under such pressure is not freely given.
Note: this consent must be treated as consent given under the GDPR, for which we refer to question 6.
-
Please describe any restrictions on targeted advertising and cross-contextual behavioral advertising. How are these terms or related terms defined?
"Cross-contextual behavioral advertising" will by default involve the processing of personal data, including profiling. As such, all requirements described in this chapter apply. In the current practice of online behavioral advertising, these requirements are not always met, for example with regard to fair or transparent processing. In the Netherlands, more enforcement in this field may be expected, as data trade in the form of online behavioral advertising is a focus point of the Dutch DPA for 2020-2023.
'Targeted advertising' is not expressly defined in Dutch or EU law.
Additionally, the Digital Services Act regulates online advertising on online platforms, including cross-contextual behavioral advertising: it requires transparency about advertisements, prohibits advertising based on profiling using special categories of personal data, and prohibits advertising based on profiling to minors. The Act applies in full from 17 February 2024 (earlier for very large online platforms and search engines).
-
Please describe any laws in your jurisdiction addressing the sale of personal data. How is “sale” or related terms defined, and what restrictions are imposed, if any?
Under the broad definition of processing in the GDPR, the sale of personal data is a form of processing. Therefore, all rules relating to the processing of personal data apply: in particular, the seller needs a legal basis for the disclosure and the buyer needs one for its own subsequent use, and both parties must comply with the information obligations towards the individuals concerned.
Note that the Dutch DPA has given guidelines for the processing of personal data under the insolvency of a corporation in which the DPA stipulates explicitly that personal data cannot be sold without the consent of the individual. Also, see our comment in question 21 on the Dutch DPA focus point on data trade.
-
Please describe any laws in your jurisdiction addressing telephone calls, text messaging, email communication or direct marketing. How are these terms defined, and what restrictions are imposed, if any?
Direct marketing
Article 11.7 of the Dutch Telecommunications Act (transposed from the E-Privacy Directive) bans the unsolicited contacting of individuals (including on their work contact details) by automated calling systems, email or other direct marketing channels for commercial, charitable or ideological purposes, unless consent (opt-in) has been given by the individual; since 2021 this opt-in regime also applies to live telephone marketing calls to natural persons. Each communication must also include a notification of the right to object to further communication. The definition of direct marketing is broad and intended to be technology neutral: it covers all automated, directed digital communication.
Exemption
The ban is replaced by an opt-out mechanism when contact details are collected from customers in the course of a sale. These customers may be contacted for the promotion of goods and services similar to those already sold by the seller earlier. Secondly, charitable and ideological organizations can use contact details under the opt-out regime if they received the information in the context of:
- Donations
- Voluntary work.
- Attendance of protests/manifestations.
The possibility to opt-out of the communication must be provided at the moment that the contact details are collected.
Note: the E-Privacy Directive is less strict for the use of telephone numbers for direct marketing than the Dutch implementation of that Directive, the Telecommunications Act.
-
Please describe any laws in your jurisdiction addressing biometrics such as facial recognition. How are these terms defined, and what restrictions are imposed, if any?
The concept of biometrics is covered by the term "biometric data" in Article 4(14) GDPR: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person, such as facial images or fingerprint data. Biometric data is a special category of personal data when it is processed for the purpose of uniquely identifying a natural person (Article 9(1) GDPR; see for the specifics our answers to questions 3 and 7).
Article 29 of the Dutch GDPR Implementation Act specifies that the prohibition on processing biometric data does not apply when the processing is necessary for authentication or security purposes. The Dutch DPA interprets this exception narrowly: the processing must be necessary and proportionate, so a less intrusive alternative (such as an access pass or password) must not suffice, and employees' consent is generally not considered freely given. The Dutch DPA has fined an employer for making fingerprint scanning mandatory for attendance registration on this basis.
-
Is the transfer of personal data or PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism? Does a cross-border transfer of personal data or PII require notification to or authorization from a regulator?)
Personal data may be transferred to locations outside the EEA only if such transfer does not undermine the level of data protection ensured by the GDPR (Chapter V GDPR). For certain so-called 'adequate third countries', the European Commission has assessed the legal framework of that country and concluded that it provides an adequate level of protection (Article 45 GDPR). The United Kingdom, Canada (commercial organizations), Switzerland, Argentina and the Republic of Korea have received such an adequacy decision, among others. The full list of countries that have received an adequacy decision is published on the European Commission's website.
Personal data transfers to other non-EEA countries require data protection measures, usually in the form of:
- Binding corporate rules (‘BCR’) (Article 47 GDPR) – BCRs are data protection policies adhered to by multinational companies for transfers of personal data outside the EEA within a group. Such rules must include general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding for and implemented by every member of the group.
- Standard Contractual Clauses (‘SCC’) (Article 46(2)(c) GDPR) – SCCs are legally binding model contract clauses – adopted by the European Commission – that contractually ensure appropriate data protection safeguards when an EEA data exporter transfers personal data to a data importer outside the EEA.
Less common measures are SCCs adopted by a supervisory authority and approved by the Commission, ad hoc contractual clauses drafted by the parties and authorised by the supervisory authority, and approved codes of conduct or certification mechanisms with binding commitments of the importer.
The GDPR also contains a number of derogations for specific cases (Article 49 GDPR, all interpreted narrowly) of which a few are listed below:
- The individual has explicitly consented to the transfer (for requirements of explicit consent, see question 6).
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the controller and another (legal) person.
- The transfer is necessary for the establishment, exercise or defence of legal claims.
Schrems II developments
In July 2020, the Court of Justice of the EU invalidated the EU-US Privacy Shield in the Schrems II judgment; that judgment and the subsequent European Data Protection Board Recommendations 01/2020 on measures that supplement transfer tools apply directly in the Netherlands. Since then, the use of the transfer tools described above requires a documented transfer impact assessment of the laws and practices of the destination country and, where needed, supplementary measures (e.g., encryption with keys held exclusively in the EEA) to address any additional risks, especially access to the transferred personal data by governmental authorities. Three of the 101 complaints filed by Max Schrems' non-governmental organization NOYB after July 2020 were brought against Dutch companies through the Dutch DPA. The Dutch DPA has not yet published any decisions in these cases or other enforcement actions in relation to international data transfers. Since April 2022, the Dutch DPA has supplemented its Google Analytics guidance with the note that the use of Google Analytics may soon no longer be allowed, a statement that refers to the EU/non-EU personal data transfer restrictions.
In October 2022, the US President signed Executive Order 14086 to ensure better protection of EU personal data processed in the United States. This order is intended to remedy the deficiencies identified in the Schrems II judgment and to allow for easier transfer of personal data to the US. The European Commission released a draft adequacy decision in response to the order, to which the EDPB responded cautiously optimistic; the Commission subsequently adopted the adequacy decision for the EU-US Data Privacy Framework on 10 July 2023.
-
What security obligations are imposed on personal data or PII owners/controllers and on processors, if any, in your jurisdiction?
The GDPR requires controllers and processors to take appropriate security measures for the protection of personal data (Article 32 GDPR). The measures required are determined by the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks for the individuals (which increase with the sensitivity of the data), with the aim of preventing personal data breaches (see question 27).
The GDPR distinguishes two types of security measures, technical and organizational. Technical measures relate to cyber security, whereas organizational measures focus on policies and procedures. An example of an organizational measure is an instruction to employees to store personal data only on devices provided and controlled by the company. Requiring a VPN-secured connection for remote access is an example of a technical measure.
Article 32(1) GDPR contains a non-exhaustive list of possible security measures, such as:
- Pseudonymization and encryption of personal data.
- Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability of and access to personal data in a timely manner in case of an incident.
- Regular testing, assessing and evaluating of the effectiveness of the security measures taken.
A number of fines imposed by the Dutch DPA under the GDPR were due to the lack of (adequate) security measures to protect personal data, including the absence of logging or the absence of monitoring of such logging; an example is the 2019 fine imposed on a hospital for insufficient access control and log monitoring of patient records. Multi-factor authentication for access to sensitive data, access logging and periodic review of those logs are therefore considered baseline measures by the Dutch DPA.
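Pseudonymization is named both as a data-protection-by-design technique (question on Article 25, above) and as a security measure under Article 32, and the storage-limitation answer above requires deletion or anonymization at the end of the retention period. The following Python block is an added example, not code from the original page: it shows keyed pseudonymization (HMAC-SHA256) where the key and the reverse lookup table are held separately from the pseudonymized dataset, as Article 4(5) GDPR requires for data to count as pseudonymized, and it shows that destroying that key is what turns the dataset into anonymous data. The personnel records, the key handling and the two-year retention rule are constructed assumptions for illustration only.

```python
"""Keyed pseudonymisation with the key held separately, and anonymisation at the
end of the retention period. Added example, not part of the original page; the
records, key and retention period below are constructed for illustration."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Optional

# Constructed personnel records (fictitious people); 'left' is the exit date.
RECORDS = [
    {"id": "emp-001", "email": "a.jansen@example.org", "salary": 4200, "left": date(2021, 3, 31)},
    {"id": "emp-002", "email": "b.devries@example.org", "salary": 3900, "left": date(2023, 9, 30)},
]

# Assumed retention rule: the page cites Dutch DPA guidance of two years after
# termination for personnel files; the day count is our approximation.
RETENTION_AFTER_EXIT = timedelta(days=2 * 365)


class Pseudonymiser:
    """Replaces a direct identifier with HMAC-SHA256(key, identifier).

    The key is the 'additional information' of Article 4(5) GDPR: while it is
    kept separately from the pseudonymised dataset (e.g. in a KMS the analytics
    environment cannot read), the dataset alone cannot be attributed to anyone.
    Destroying the key makes the data anonymous, because HMAC is one-way and
    re-identification would then require guessing both the key and identifier.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)
        # Reverse lookup table: lives with the key, never with the dataset.
        self._lookup: dict = {}

    def pseudonym(self, identifier: str) -> str:
        if self._key is None:
            raise RuntimeError("key destroyed: dataset is anonymised, no pseudonyms issued")
        p = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[p] = identifier
        return p

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only possible on the side that holds the key and the lookup table."""
        if self._key is None:
            return None
        return self._lookup.get(pseudonym)

    def destroy_key(self) -> None:
        """Anonymises every dataset derived from this key without touching its rows."""
        self._key = None
        self._lookup.clear()


def pseudonymise_dataset(records, p: Pseudonymiser):
    """Dataset as handed to analytics: direct identifiers (id, email) are replaced."""
    return [{"subject": p.pseudonym(r["id"]), "salary": r["salary"], "left": r["left"]}
            for r in records]


def apply_retention(dataset, today: date):
    """Storage limitation: rows whose retention period has expired are deleted."""
    return [row for row in dataset if row["left"] + RETENTION_AFTER_EXIT > today]


if __name__ == "__main__":
    hr = Pseudonymiser()                      # key and lookup table stay with HR
    analytics = pseudonymise_dataset(RECORDS, hr)
    print("analytics sees subject:", analytics[0]["subject"][:12], "...")
    print("HR re-identifies:", hr.reidentify(analytics[0]["subject"]))
    print("rows kept on 2024-01-01:", len(apply_retention(analytics, date(2024, 1, 1))))
    hr.destroy_key()                          # end of life: anonymise the derived dataset
    print("after key destruction:", hr.reidentify(analytics[0]["subject"]))
```

Two caveats a practitioner should keep in mind. A plain unkeyed hash (SHA-256 of an e-mail address) is not adequate pseudonymization, because anyone can recompute it from a candidate list of identifiers; the secret key is what prevents that. And destroying the key only anonymizes the direct identifiers: remaining quasi-identifiers (here, exit date plus salary) can still single out a person in a small population, so genuine anonymization also requires generalizing or suppressing those fields.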
Note: there are also sector-specific regulations, which are detailed in question 28.
-
Do the data protection, privacy and cybersecurity laws in your jurisdiction address security breaches, and, if so, how does the law define “security breach”?
A personal data breach was already defined in question 4: it concerns any circumstance which results in the unauthorized access, modification or loss of personal data, including accidental modification or loss. For example, the temporary loss of access to a server due to a power outage in the server room is considered a personal data breach. Breaches must sometimes be reported, which is detailed in question 29. Any irreparable harm to the integrity of the personal data is also considered a personal data breach.
The EDPB has published two guidelines on this subject. The first guideline details the EDPB’s stance on the interpretation of this concept and a very elaborate second guideline which uses fictional cases to explain what actions should be taken if a personal data breach occurs.
The Network and Information Systems Security Act addresses ‘incidents’ instead of ‘security breaches’. These incidents concern any incident with a significant impact on the continuity of the essential services, or which may have a damaging effect on the confidentiality, integrity, availability or authenticity of network and information systems.
Note: a commonly used term in Dutch for a personal data breach is a “personal data leak”. This term incorrectly implies that only the unauthorized access to or disclosure of data is covered by a personal data breach.
-
Does your jurisdiction impose specific security requirements on certain sectors, industries or technologies (e.g., telecoms, infrastructure, artificial intelligence)?
Various laws set additional requirements for specific sectors, industries or technologies. A number of the relevant ones are:
Network and Information System Security Act (‘Wet beveiliging netwerk- en informatiesystemen’)
This Act implements the European NIS Directive and covers cyber security requirements for operators of essential services designated by the government and certain digital service providers. Essential services are services which are vital to the operation of a country and are designated by the relevant authorities. For example, with regard to the banking sector, the Dutch National Bank (‘De Nederlandsche Bank’) designated the operators of essential services.
With regard to digital service providers, only online marketplaces, search engines, and cloud storage providers with more than 50 employees or 10 million euros yearly revenue are covered. These providers and operators have the obligation to take sufficient security measures and to report security incidents to a response team and the relevant authority. The Radiocommunications Agency (‘Agentschap Telecom’) is the authority in the Netherlands responsible for the enforcement of the Act. Furthermore, the National Center for Cyber Security (‘Nationale Centrum Digitale Veiligheid’) provides information about cybersecurity threats to the aforementioned organizations. Other organizations can voluntarily apply to be notified of any threats.
Electricity Act 1998 (‘Elektriciteitswet 1998’)
This Act lays down security measures for energy network operators. They must operate a security and quality assurance system, as well as implement necessary security measures. The Authority for Consumers and Markets (‘Autoriteit voor Consument en Markt’) may impose additional security measures for the network operators.
Gas Act (‘Gaswet’)
Similar rules apply to gas network operators as under the Electricity Act 1998.
Telecommunications Act (‘Telecommunicatiewet’)
The Act stipulates cybersecurity measures for operators of public communication networks and services. They are responsible for implementing the necessary security measures (including, specifically, for the security of personal data), in particular with regard to network and power outages. The Authority for Consumers and Markets (‘Autoriteit Consument en Markt’) and the Ministry of Economic Affairs (‘Ministerie van Economische Zaken en Klimaat’) are tasked with the enforcement of the Act.
Financial Supervision Act (‘Wet op het financieel toezicht’)
The Financial Supervision Act stipulates security measures for financial institutions, financial service providers, insurance companies, and banks. For example, the Act states that investment firms must have an adequate risk management system to ensure the security of their processes. The Dutch National Bank (‘De Nederlandsche Bank’) and Financial Markets Authority (‘Autoriteit Financiële Markten’) are responsible for the enforcement of the Act.
Quality, complaints, and disputes in Healthcare Act (‘Wet kwaliteit, klachten en geschillen zorg’)
This Act is aimed at healthcare providers. They are responsible for taking adequate security measures, as well as for notifying the enforcement authority of any calamity. The Healthcare and Youth Inspectorate (‘Inspectie Gezondheidszorg en Jeugd’) is responsible for the enforcement of the Act.
-
Under what circumstances must a business report security breaches to regulators, to individuals or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator, and what is the typical custom or practice in your jurisdiction?
Apart from the security-related notification requirements described in question 28, Article 33 GDPR requires a controller to notify personal data breaches to:
- the Dutch DPA, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals involved in the personal data breach.
- the individual involved in the personal data breach if it is likely to result in a high risk to their rights and freedoms.
The EDPB guidelines on personal data breaches state that the risk of a personal data breach and the probability of that risk occurring should be examined by considering several factors, such as:
- The type of breach.
- The nature, sensitivity, and volume of personal data (subjects).
- Ease of identification of individuals.
- Severity of consequences for individuals.
- Special characteristics of the data controller.
Note that the severity and probability of a personal data breach should be examined in a worst-case scenario. If, for example, it is not possible to obtain confirmation that the compromised data has not been viewed or copied, a controller must assess the risk as if the data was viewed/copied.
A notification to the DPA must be made within 72 hours after the controller has become aware of the breach and the individuals should be notified without undue delay. Processors should notify the relevant controller also without undue delay.
For incidents under the Network and Information System Security Act, the reporting obligations depend on whether the incident has taken place at a provider of essential services or a digital service provider (question 30). The Act lays down an obligation to notify the NCSC of serious cybersecurity incidents that could cause social disruption.
Parties that have been designated by the responsible ministry for their sector as a vital operator with a duty to report (meaning providers of essential services or other designated critical infrastructure providers) must share a report with NCSC as soon as possible. More information about when, why and how to submit this report to NCSC, can be found in this factsheet.
Digital service providers must report the incident to the CSIRT-DSP (Computer Security Incident Response Team Digital Service Providers) of the Ministry of Economic Affairs and Climate Policy.
-
Does your jurisdiction have any specific legal requirement or guidance regarding dealing with cybercrime, such as the payment of ransoms in ransomware attacks?
There is no legal requirement with regard to the payment of ransoms; however, the government strongly condemns the practice. The Dutch Parliament even discussed a legislative proposal making a ransom refund by insurers illegal.
Furthermore, there are no specific legal requirements or guidance related to the handling of cyber-crime. Guidance related to personal data breaches through cybercrime is given by, for example, the Dutch DPA and the National Center for Cyber Security (NCSC). The NCSC monitors the overall cyber security in the Netherlands, and can inform both governments and critical organizations in case of a security breach based on the Dutch Network and Information Systems Security Act.
-
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
There is no central cybersecurity regulator. The National Cyber Security Center provides information on general cyber security threats. The Network and Information System Security Act and the corresponding Decree indicate for each of the different essential service providers the competent and supervisory authority. For example: for essential service providers in the energy sector, the competent authority is the Minister of Economic Affairs and Climate and the supervisory authority is the National Digital Infrastructure Inspectorate (‘Rijksinspectie Digitale Infrastructuur’). For banking and financial infrastructure, the competent and supervisory authority is the Dutch National Bank (‘De Nederlandsche Bank’). For essential service providers in the transport sector, the Minister for Infrastructure and Water Management is the competent authority and the Environment & Transport Inspectorate (‘Inspectie Leefomgeving & Transport’) is the supervisory authority (question 38).
-
Do the laws in your jurisdiction provide individual data privacy rights such as the right to access and the right to deletion? If so, please provide a general description of the rights, how they are exercised, what exceptions exist and any other relevant details.
The GDPR provides the individual with a number of rights which will be detailed in the following sections. General rules regarding the exercise of these rights and the responsibilities of the controller with regard to these rights are covered by Article 12 GDPR. For example, the controller must answer the request within one month. This can be extended by up to two months based on the complexity of the request and the number of requests the controller must handle, provided that the individual has been informed about the extension within the first 30 days. The rights may be exercised through a request by the individual and can be enforced through a competent court as described under question 33. Apart from the right to withdraw consent and the right to object to the processing of personal data for direct marketing, the rights are not absolute and may in specific cases be refused by the controller.
Right of access (Article 15 GDPR)
Individuals have a right to know whether a controller processes their personal data, as well as to receive a copy of the personal data that is processed. The EDPB has released a guideline that provides more information on its interpretation of the right of access and includes an annex with flowchart diagrams to assist controllers and individuals.
The personal data must be provided free of charge, unless the individual requests more than one physical copy thereof. Alongside the personal data itself, the controller must provide additional information, some of which overlaps with the right to information (see question 17). The most important information that must be provided is:
- The purposes of the processing.
- The (categories of) recipients to whom the personal data have been or will be disclosed.
- The period for which the personal data will be stored or criteria to establish such period.
- The other rights the individual has under the GDPR.
- The existence of automated decision-making, including profiling.
- If the personal data is transferred outside the EEA, what safeguards are used to ensure the data protection rights of the individual.
In case the controller utilizes automated decision-making or profiling, the controller must also provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.
The right to access is limited by the rights and freedoms of others, including the controller. This restricts the access to information as far as providing the information would – for example – breach confidentiality (of private correspondence) or expose trade secrets. These other interests must be balanced against the interests of the individual requesting the information. An example of a measure to reconcile the conflicting interests is to redact certain details in the information provided.
Furthermore, if the controller processes a large amount of personal data, it may ask the individual to further specify the request. This is specifically indicated by the Dutch DPA.
Note: the individual only has a right to a copy of the personal data. This means that they are not entitled to copies of all documents in which their personal data is contained.
Right to rectification (Article 16 GDPR)
The individual has the right to have any inaccuracies in the personal data rectified as well as to have any incomplete personal data completed. Note that the individual cannot demand rectification of opinions or impressions of others, as long as these are clearly presented as opinions or impressions of others.
Right to erasure (Article 17 GDPR)
The individual may request erasure of personal data under any of the following circumstances:
- The processing is no longer necessary in relation to any of the purposes of processing.
- If (explicit) consent is the basis for processing, from the moment the consent is withdrawn.
- The individual objects to the processing of personal data (covered below).
- The processing of personal data has occurred unlawfully.
- The erasure is required by a legal obligation on the controller.
- The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) on children.
Note that the controller also has the obligation to erase the personal data on the grounds listed above even without a request, for example once the retention period has lapsed. This article therefore only gives the individual the right to enforce such an obligation.
In cases where the data is made public, the controller must also take reasonable (technical) measures to inform other parties processing the data that a request has been made to erase copies of and links to the personal data.
The right to erasure is not applicable when either:
- The processing concerns an exercise of the freedom of expression or information.
- The data must be processed to comply with a legal obligation or a task carried out in the public interest to which the controller is subject.
- The personal data is processed for archiving purposes in the public interest, for scientific/historical research purposes, or statistical purposes.
- The personal data is processed for the establishment, exercise or defense of legal claims.
The third exception (archiving, scientific/historical research and statistical purposes) is only applicable if the erasure of the data would be likely to seriously impair the objectives of the processing.
Right to restriction of processing (Article 18 GDPR)
The individual may request that the processing of personal data is restricted. This is a measure that requires the controller to end the relevant processing operations aside from storing the personal data in the following cases:
- When the individual contests the accuracy of the data, while the controller verifies the accuracy. For example, in the context of a request of rectification.
- When the processing is unlawful, and the individual chooses to request the restriction instead of its erasure.
- When the individual needs the data for the establishment, exercise or defense of legal claims, but the controller no longer needs the personal data for the purposes of the processing.
- When the individual has objected to the processing of personal data, while the controller verifies whether the legitimate grounds of the controller override those of the individual.
The restricted personal data can still be used if:
- the individual (re-)consents to the processing activities.
- the processing is needed for the establishment, exercise or defense of legal claims.
- the processing is needed to protect the rights of others.
- the processing is needed for reasons of important public interest.
The controller must notify the individual before the restriction is lifted.
Duty to notify of rectification, erasure, and restriction (Article 19 GDPR)
A controller must notify each individual recipient of the personal data of any rectification, completion, and erasure of personal data carried out by the controller as well as any restriction of processing operations. This allows recipients of personal data to modify the personal data and their processing activities accordingly, but this action is not formulated as a direct obligation towards these recipients. The controller does not have to notify recipients if such notification entails effort disproportionate to the effects of the data processing operation.
Right to data portability (Article 20 GDPR)
The individual may request the controller to receive personal data concerning him/her that he/she has provided to the controller. The personal data must be provided in a structured and commonly used format and must be machine readable.
Furthermore, the individual can request to have such data transmitted to another controller without hindrance if both:
- The processing is based on the consent of the individual or performance of a contract.
- The processing is carried out by automated means.
As with the right of access, this right is similarly limited by the rights and freedoms of others, including the controller.
Right to object to processing (Article 21 GDPR)
If the legal basis for the processing of personal data is a public or a legitimate interest, the individual may object to such processing on grounds relating to their particular situation. Data processing operations should then cease, unless the controller can show a compelling legitimate ground for continuing or the processing is necessary for a legal claim. The compelling legitimate ground must be balanced against the interests of the individual.
If the purpose of processing is direct marketing, the individual can always successfully object to such processing.
Right not to be subject to automated decision-making and profiling (Article 22 GDPR)
Finally, the individual enjoys the right not to be subject to automated decision-making if the resulting decision has a legal effect on, or a similarly significant effect for, the individual. For more information, we refer to question 20.
General exceptions
General exceptions to the rights described above include:
- The controller cannot verify the identity of the individual making a request (Article 12 GDPR).
- The request is manifestly unfounded, excessive, or repetitive (Article 12 GDPR).
- Circumstances related to national security and public interest (Article 41 GDPR Implementation Act).
- The personal data is processed exclusively for journalistic purposes or for academic, artistic, or literary forms of expression (Article 43 GDPR Implementation Act).
- The exercise of the right constitutes an abuse of right (Book 3 Article 13 Dutch Civil Code).
-
Are individual data privacy rights exercisable through the judicial system or enforced by a regulator or both?
Through the judicial system: based on Articles 34 and 35 of the GDPR Implementation Act, an individual can petition the courts for an order enabling them to exercise the abovementioned rights against a controller. Furthermore, a collective redress procedure can be petitioned by a foundation or association representing a group of individuals (Book 3 Article 305a Dutch Civil Code).
The individual can also file a complaint with the Dutch DPA (Article 77 GDPR) which may impose enforcement measures (including an order or a fine). The choice of corrective measure is at the discretion of the Dutch DPA and therefore filing a complaint does not automatically make the right exercisable by the individual.
-
Does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?
Yes, under the GDPR Implementation Act, individuals can exercise their rights under the GDPR through a private right of action/civil law claim as described in question 33.
Furthermore, individuals are able to claim monetary damages as described in question 35.
-
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection, privacy and/or cybersecurity laws? Is actual damage required, or is injury of feelings sufficient?
The GDPR stipulates in Article 82 that individuals are able to receive compensation if they are affected by a breach of the regulation. The compensation may be given for both actual damages and non-financial damages. Immaterial damage must be assessed on the basis of equity (Book 6 Article 106 Dutch Civil Code). It is currently subject to debate whether this also covers all forms of immaterial damages, including unpleasant feelings. In this context, the European Court of Justice has received a request for a preliminary ruling from the Supreme Court of Austria.
The below list gives a flavor of awarded (immaterial) damages in the Netherlands:
- The Dutch Court of Gelderland ordered the Pieter Baan Centrum (a psychiatric observation clinic) to pay €300 (raised to €500 on appeal) in immaterial damages to an individual due to the breach of confidentiality of their sensitive files, which were sent to a disciplinary committee (a small group of professionals who are bound by professional secrecy themselves).
- The Dutch Court of Amsterdam ordered the UWV (Employee Insurance Agency) to pay €250 in immaterial damages to an individual for breaching the confidentiality of medical information of that individual and causing fear and stress to that individual.
- The Dutch Court of the North awarded €250 in immaterial damages to an individual whose Municipal Personal Record was shared with a third party via Facebook.
- The Court of Rotterdam awarded €2500 in immaterial damages to an individual whose health data was processed by the municipality of Rotterdam without a legal ground. Material damages (approx. €500) were not awarded.
- The Dutch Court of the North awarded €500 to an individual whose personal data, including social security number, were published on the internet.
- The Court of Appeal of Arnhem awarded €000 in immaterial damages to a doctor about whom negative reviews were published on a blacklist website for doctors. The operation of that website was found to be a criminal offence in criminal proceedings.
- The Court of Zeeland-West-Brabant ordered a hospital to pay €2.000 in immaterial damages to a woman whose medical records were repeatedly accessed by an employee over 10 years. The hospital's liability was based on strict liability for the employee’s behaviour, but also on the court's finding that the hospital had taken insufficient technical and organizational security measures in violation of Article 32 GDPR by neglecting to regularly check the access logs of medical records.
The amounts listed above are damages awarded to individuals. There are also a number of cases in which, on behalf of a large group of individuals, a declaration of unlawfulness of a certain processing of personal data is requested. This declaration can then be followed by a class action for (immaterial) damages. In some cases, these damages are already requested together with the declaration of unlawfulness, including:
- A total claim amount of EUR 9 billion in three separate class action cases against TikTok for violation of children’s privacy rights (individual claims between EUR 500-2000).
- A claim of EUR 5 billion against Salesforce and Oracle for unlawfully making and selling digital profiles of individual users (EUR 500 per user). The court of first instance has ruled that the claim is inadmissible, because the claimants had not collected enough personal data from their supporters. This made it impossible to verify whether the supporters are a member of the class the claimants are asserting to protect. The claimants have filed an appeal against this ruling.
-
How are data protection, privacy and cybersecurity laws enforced?
The Dutch DPA is charged with the regulatory enforcement of the GDPR in the Netherlands. The DPA has investigative, corrective, authorizing and advisory powers related to data protection and procedures, detailed in Articles 57-58 of the GDPR. The most important powers and tasks are:
- Handling complaints lodged by individuals.
- Investigating organizations and ordering them to provide any information related to their data protection obligations.
- Issuing warnings and/or administrative fines when an organization does not comply with the GDPR, as well as mandating corrective actions under administrative coercion or penalty payment.
The Dutch DPA must coordinate its activities with other European Data Protection authorities if the processing of the data involves individuals from other Member States. Furthermore, many actions taken by the Dutch DPA are subject to a consistency mechanism to ensure that the GDPR is applied consistently across the EU. This is detailed in chapter 7 of the GDPR.
With respect to the enforcement of the laws related to the use of cookies and similar technologies as detailed in question 23, the Authority for Consumers and Markets is the responsible authority, which works in conjunction with the DPA when personal data is processed in cookies.
The Dutch DPA also works with other authorities, for instance:
- For financial regulatory related personal data matters, the Dutch DPA works together with the Dutch National Bank (‘De Nederlandsche Bank’) for instance in relation to the Payment Services Directive.
- For digital activities in general, the Dutch DPA cooperates with the Dutch Authority Consumer and Market (‘De Autoriteit Consument en Markt’), the Dutch Authority Financial Markets (‘De Autoriteit Financiële Markten’) and the Dutch Media Authority (‘Commissariaat voor de Media’).
- A sub-division of the Dutch DPA in the form of an Algorithm Watchdog was established last year.
Cybersecurity
Each ‘essential service provider’ has its own competent and supervisory authority under the Network and Information System Security Act and the corresponding Decree. The complete list of regulators for the essential service providers is as follows:
- Essential service providers in the energy sector have the Minister of Economic Affairs and Climate as competent authority and the National Digital Infrastructure Inspectorate as the supervisory authority;
- Essential service providers in the digital infrastructure sector have the Minister of Economic Affairs and Climate as competent authority and the National Digital Infrastructure Inspectorate as the supervisory authority;
- The banking sector has the Dutch National Bank (‘De Nederlandsche Bank’) as competent and supervisory authority;
- Providers of infrastructure for the financial markets have the Dutch National Bank (‘De Nederlandsche Bank’) as competent and supervisory authority;
- Essential service providers in the transport sector have the Minister for Infrastructure and Water Management as competent authority and the Environment & Transport Inspectorate as supervisory authority;
- Essential service providers handling the supply and distribution of drinking water have the Minister for Infrastructure and Water Management as competent authority and the Environment & Transport Inspectorate as supervisory authority;
The competent authorities can use the enforcement instruments provided for in the General Administrative Law Act (Awb). The competent authorities have audit powers to order investigations by an independent expert to assess compliance with the security obligations. If there is a security issue, the competent authority may take administrative enforcement action. If public awareness is necessary to prevent an incident or manage an ongoing incident, the competent authority can inform the public about a reported incident. The competent authorities can impose administrative orders and administrative fines of up to €5 million.
-
What is the range of sanctions (including fines and penalties) for violation of data protection, privacy and cybersecurity laws?
According to Article 83 of the GDPR administrative fines under the regulation can reach:
- Up to €20.000.000, – in the case of a grave and systematic infringement, and for lesser infringements up to €10.000.000, -.
- Alternatively, fines may be calculated as 4% of the organization’s annual turnover for grave and systematic infringements and for lesser infringements 2% of the organization’s annual turnover.
Further guidance on the application of sanctions is given in our answer to question 38.
-
Are there any guidelines or rules published regarding the calculation of fines or thresholds for the imposition of sanctions?
The Dutch DPA has released a fining policy (Dutch only) with regard to infringements of the GDPR. It categorizes infringements into different brackets for which the Dutch DPA – under normal circumstances – will apply different fining bandwidths. These range from between €0, – and €20.000, – to between €450.000, – and €1.000.000, -.
The DPA’s highest fine to date was a fine of €3.7 million to the Dutch tax authority. The DPA imposed this fine for operating a discriminatory and unfair fraud alert system which had huge consequences for the citizens involved.
Note: the EDPB has released a guideline on the calculation of fines under the GDPR, which may cause the Dutch DPA to modify its fining policy in the future.
For incidents under the Network and Information System Security Act, the competent authorities can impose an administrative order and, in the extreme case, an administrative fine of up to €5 million.
-
Can personal data or PII owners/controllers appeal to the courts against orders of the regulators?
Fines imposed on controllers by the Dutch DPA are governed by Dutch administrative law. Before a fine is imposed, the Dutch DPA must ask the opinion of the addressee (5:53 Dutch General Administrative Law). The procedure to appeal a decision is as follows:
- After a fine has been imposed, the controller has six weeks to oppose the fine in an objection proceeding (Chapter 6 and 7 of the Dutch General Administrative Law). In these proceedings, the Dutch DPA will have to reconsider the fine it has given and must answer all objections submitted by the controller.
- After the objection proceedings, the controller may appeal to the court in first instance and must file its case within six weeks after the objection proceedings (Chapter 8 of the Dutch General Administrative Law).
- After that, the controller can appeal to the Administrative Law division of the Council of State (Raad van State) within 6 weeks after the ruling of the court of first instance (Title 8.5 of the Dutch General Administrative Law).
The courts will not perform a full evaluation of the fine of the Dutch DPA but will only consider if the Dutch DPA could reasonably have come to its decision. Furthermore, controllers can appeal to the courts to receive a preliminary injunction, including during the objection proceedings (Article 8:81 General Administrative Law).
Note: processors can also be fined by the Dutch DPA for the obligations directly applicable to them; the same procedures apply as for controllers.
-
Are there any identifiable trends in enforcement activity in your jurisdiction?
On the national level, the Dutch DPA has released a document outlining its focus areas for 2020-2023. Its focus areas for this period include: the data trade, the digitized government, and Artificial Intelligence.
At a European level, the EDPB has detailed in its work programme what it will focus on in the coming year. The programme outlines how the EDPB will further harmonise the interpretation of the GDPR, guide cooperation between national data protection authorities, monitor the application of new technologies and review currently established international data transfer mechanisms. In this context, it is also important to point out that the EDPB has established a task force in response to ChatGPT and other Large Language Models.
-
Are there any proposals for reforming data protection, privacy and/or cybersecurity laws currently under review? Please provide an overview of any proposed changes and how far such proposals are through the legislative process.
The following proposals of laws related to personal data processing and cybersecurity are currently under review in the EU and the Dutch legislature. These EU laws will have a direct or indirect effect in the Netherlands. The EU Proposals are all part of EU Digital Strategy, “EU fit for a Digital Age”.
EU Artificial Intelligence Act
The Act is a product and services safety regulation and will lay down rules related to the use and training of Artificial Intelligence models. In the current proposal, the providers of the products and/or services that include AI for high-risk purposes must ensure the secure and fair processing of personal data. Furthermore, these providers must monitor any negative consequences the application of the model has on individuals. Users of these AI products and services are also regulated through this AI Act. The proposal is still under review in the EU legislative process.
E-Privacy Regulation
The E-Privacy Regulation is intended to replace the E-Privacy Directive referred to throughout this document. The proposal for the regulation has seen multiple revisions over the past years, and the last discussions in the European Council are more than a year old. Therefore, the status of the proposal and its expected content are still unclear.
EU Data Act
The Act is intended to clarify the legal position of users and manufacturers of products and related services that process (non-)personal data. It will indirectly affect the GDPR, as manufacturers will no longer be allowed to withhold data generated by their products and related services from their users. This data may also include personal data; however, the current proposal includes several limitations and additional obligations where the generated data contains personal data. For example, the manufacturer must pseudonymise personal data as far as possible when sharing the data with its users. The proposal is still under review in the EU legislative process.
EU Digital Services Act
The Act will enter into force in February 2024. Together with the Digital Markets Act, it forms part of the Digital Services Act package. The Digital Services Act introduces the first common set of rules on the obligations of online intermediaries and thereby ensures a higher level of protection for all users. Among other things, it imposes obligations in areas such as transparency reporting, notice and takedown, and risk management. This Act will have direct effect.
European Health Data Space Act
The European Union has released the proposal for an Act that will allow for the re-use of medical data for research and innovation, as well as allow for individuals to be more in control of their own data. The proposal is still under review in the EU legislative process.
EU Cyber Resilience Act
The European Union has released the proposal for an Act that will impose cybersecurity and security-by-design requirements for products and software which connect to the internet. The aim of the Act is to ensure that manufacturers prioritize cybersecurity in their products, as well as reduce the number of exploitable vulnerabilities in products and software. The proposal is still under review in the EU legislative process.
EU NIS2 Directive 2022/2555
The NIS Directive, as implemented in the Network and Information Systems Security Act, will be replaced by the NIS2 Directive. As a result of the NIS review, the number of organisations falling within the scope of NIS2 is greatly increased, and the required security standards are raised compared to the original Network and Information Security Directive. On 16 January 2023 NIS2 entered into force, replacing the NIS Directive. However, no proposal to implement the Directive in the Netherlands has been introduced yet.
Netherlands: Data Protection & Cybersecurity
This country-specific Q&A provides an overview of Data Protection & Cybersecurity laws and regulations applicable in Netherlands.