Short Reads

Proposal for a Dutch GDPR Implementation Act

Proposal for a Dutch GDPR Implementation Act

Proposal for a Dutch GDPR Implementation Act

24.02.2017 NL law

The proposal for a Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming, "Implementation Act") that seeks to implement the General Data Protection Regulation ("GDPR") was published online on 9 December 2016 for the purpose of public consultation. The GDPR has been adopted on 27 April 2016, and various posts on guidance regarding the contents of the GDPR can be found here.

The Implementation Act will contain a legal framework for implementing the GDPR in the Netherlands. As of 25 May 2018, this Implementation Act will replace the Dutch Data Protection Act ("DDPA"), which currently applies and implements EU Directive 95/46/EC. Because the GDPR has direct effect in all member states, the provisions thereof are not included verbatim in the Implementation Act, so one must consult both the GDPR and the Implementation Act in view of this layered legal framework.

The GDPR does require member states to implement specifically some topics by themselves, but it leaves discretionary room for specific implementation of other topics also. It is the latter which the Netherlands wishes to implement through its Implementation Act. The Dutch government has indicated that it will strive for “policy-neutral” implementation, meaning that the Dutch GDPR Implementation Act intends to follow the current DDPA as close as possible. However, we do note some specific changes that the Implementation Act will bring about if it remains unchanged from its current proposal form:

  • There will be changes as to how appointments are made at the competent supervisory authority, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), and how those appointments are regulated. To safeguard the authority's independence, its officers will be appointed directly by the authority instead of by the Ministry of Security and Justice, as is currently the case.
  • There will be a specific exception allowing for the processing of biometric data for the sole purpose of identifying a natural person. Clause 26 of the Implementation Act will allow the processing of  biometric data if such processing "is done to identify the data subject where such identification is necessary and proportional for the legitimate purposes of the controller or a third party." This exception is the Netherlands’ specific implementation of Clause 9 of the GDPR that prohibits the processing of special categories of data including biometric data for the sole purpose of identifying a natural person, and which allows by member states to lay down exceptions to it as long as certain criteria are met (Clause 9(2)(b) GDPR).

The public consultation period for the Implementation Act proposal has ended on 20 January 2017. During this time, all citizens, companies, and other bodies or institutions could submit their reactions to the proposed Implementation Act. There have been 67 reactions, which can be consulted as they are publicly available.[3]

 

Team

Related news

24.09.2021 EU law
Digital Law Up(to)date: (1) the download of a software with a permanent licence can constitute a “sale of goods”; (2) alert of the BEUC regarding the privacy policy of WhatsApp and its new term of use

Articles - In this blog, we briefly present two interesting news in the field of digital law: (1) a judgment of the CJEU considering that the download of a software with a permanent licence can constitute a “sale of goods”, and (2) an alert of the BEUC regarding the privacy policy of WhatsApp and its new terms of use.

Read more

09.09.2021 BE law
Digital Law Up(to)date: (1) Parliamentary initiatives about cyber attacks; (2) ‘Zero tariff’ options before the CJEU; and (3) Council of State, GDPR and encryption

Articles - In this blog, we briefly present three interesting news in the field of digital law: (1) Parliamentary initiatives to tackle cyber attacks (2) "Zero tariff" options and open internet access do not mix! (3) Council of State, GDPR and encryption: validation of a decision of the Flemish Authorities

Read more

26.08.2021 BE law
Sarah De Wulf and Malik Baba co-authored a book dedicated to the legal aspects of the video-game industry

Articles - The book, entitled 'Legal Aspects of the video-game industry', provides a first answer to the most important legal questions that might arise in the lifecycle of a video-game company. These insights are intended to be applicable irrespective of jurisdictions, illustrated by real-life situations and easy to read for individuals without a legal background.

Read more

13.09.2021 NL law
Adopting the new Standard Contractual Clauses to secure international personal data transfers

Short Reads - Recently, the European Commission issued an implementing decision on standard new contractual clauses (“SCCs”) for the transfer of personal data to countries outside the European Economic Area. Organisations need to use the new SCCs from 27 September 2021 and onwards. Transitional periods apply for existing international data transfer agreements. To meet their obligations under the General Data Protection Regulation, organisations need to make the appropriate changes in time.

Read more

26.08.2021 EU law
Facebook/Belgian DPA: Landmark ruling on cross-border enforcement under the GDPR

Short Reads - On 15 June 2021, the CJEU delivered an important judgment on the one-stop-shop mechanism. While the CJEU reinforced that the lead supervisory authority is the sole interlocutor in cross-border processing operations, it also contributed to the effective enforcement of the GDPR by reiterating the conditions under which supervisory authorities other than the lead supervisory authority can bring enforcement actions against such processing operations.

Read more