Short Reads

Proposal for a Dutch GDPR Implementation Act

Proposal for a Dutch GDPR Implementation Act

Proposal for a Dutch GDPR Implementation Act

24.02.2017 NL law

The proposal for a Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming, "Implementation Act") that seeks to implement the General Data Protection Regulation ("GDPR") was published online on 9 December 2016 for the purpose of public consultation. The GDPR has been adopted on 27 April 2016, and various posts on guidance regarding the contents of the GDPR can be found here.

The Implementation Act will contain a legal framework for implementing the GDPR in the Netherlands. As of 25 May 2018, this Implementation Act will replace the Dutch Data Protection Act ("DDPA"), which currently applies and implements EU Directive 95/46/EC. Because the GDPR has direct effect in all member states, the provisions thereof are not included verbatim in the Implementation Act, so one must consult both the GDPR and the Implementation Act in view of this layered legal framework.

The GDPR does require member states to implement specifically some topics by themselves, but it leaves discretionary room for specific implementation of other topics also. It is the latter which the Netherlands wishes to implement through its Implementation Act. The Dutch government has indicated that it will strive for “policy-neutral” implementation, meaning that the Dutch GDPR Implementation Act intends to follow the current DDPA as close as possible. However, we do note some specific changes that the Implementation Act will bring about if it remains unchanged from its current proposal form:

  • There will be changes as to how appointments are made at the competent supervisory authority, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), and how those appointments are regulated. To safeguard the authority's independence, its officers will be appointed directly by the authority instead of by the Ministry of Security and Justice, as is currently the case.
  • There will be a specific exception allowing for the processing of biometric data for the sole purpose of identifying a natural person. Clause 26 of the Implementation Act will allow the processing of  biometric data if such processing "is done to identify the data subject where such identification is necessary and proportional for the legitimate purposes of the controller or a third party." This exception is the Netherlands’ specific implementation of Clause 9 of the GDPR that prohibits the processing of special categories of data including biometric data for the sole purpose of identifying a natural person, and which allows by member states to lay down exceptions to it as long as certain criteria are met (Clause 9(2)(b) GDPR).

The public consultation period for the Implementation Act proposal has ended on 20 January 2017. During this time, all citizens, companies, and other bodies or institutions could submit their reactions to the proposed Implementation Act. There have been 67 reactions, which can be consulted as they are publicly available.[3]

 

Team

Related news

12.10.2018 BE law
Ignace Vernimme and Michiel Van Roey speak on IP rightsduring Agoria's Research & Standardization Event

Speaking slot - On Thursday 25 October, Agoria's Regulatory and Standardization Expertise Center organizes its 5th information day about regulations and standards for topics including international trade, privacy and contract law, transport, Internet of Things and blockchain, eHealth, ... at regional, national and European level.

Read more

11.10.2018 NL law
Stibbe hosts NGB Extra Seminar about product development and counsel’s role at the interface of new technology and law

Seminar - On 11 October 2018, Stibbe will host the NGB (Dutch Association of Corporate Lawyers) Extra Seminar.  IT/IP lawyers Judica Krikke, Jasper Klopper, Marc Spuijbroek and Frederiek Fernhout will discuss the practical aspects of the development of innovative new products. 

Read more

12.10.2018 NL law
Tim Berners-Lee's Solid proposal: the future of data traffic?

Short Reads - The General Data Protection Regulation (GDPR) aims to strengthen the rights of individuals in respect of their personal data. Although this aim has been achieved to a certain extent, the fundamental framework of the way personal data is processed remains unchanged. Companies are still able to use large amounts of user data, in many cases without even obtaining their consent. Tim Berners-Lee, the inventor of the World Wide Web, has announced his plans for a decentralised web, in which users remain in control of their personal data.

Read more

10.10.2018 NL law
Ongevraagd advies Raad van State: normering van geautomatiseerde overheidsbesluitvorming

Short Reads - Op 31 augustus 2018 heeft de Afdeling advisering van de Raad van State (hierna: "Afdeling advisering") een 'Ongevraagd advies over de effecten van de digitalisering voor de rechtsstatelijke verhoudingen' betreffende de positie en de bescherming van de burger tegen een "iOverheid" uitgebracht. Het gebeurt niet vaak dat de Afdeling advisering zo een ongevraagd advies uitbrengt. Dit onderstreept het belang van de voortdurend in ontwikkeling zijnde technologie en digitalisering in relatie tot de verhouding tussen de overheid en de maatschappij.

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy – en cookieverklaring