Short Reads

Proposal for a Dutch GDPR Implementation Act

Proposal for a Dutch GDPR Implementation Act

24.02.2017 NL law

The proposal for a Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming, "Implementation Act") that seeks to implement the General Data Protection Regulation ("GDPR") was published online on 9 December 2016 for the purpose of public consultation. The GDPR has been adopted on 27 April 2016, and various posts on guidance regarding the contents of the GDPR can be found here.

The Implementation Act will contain a legal framework for implementing the GDPR in the Netherlands. As of 25 May 2018, this Implementation Act will replace the Dutch Data Protection Act ("DDPA"), which currently applies and implements EU Directive 95/46/EC. Because the GDPR has direct effect in all member states, the provisions thereof are not included verbatim in the Implementation Act, so one must consult both the GDPR and the Implementation Act in view of this layered legal framework.

The GDPR does require member states to implement specifically some topics by themselves, but it leaves discretionary room for specific implementation of other topics also. It is the latter which the Netherlands wishes to implement through its Implementation Act. The Dutch government has indicated that it will strive for “policy-neutral” implementation, meaning that the Dutch GDPR Implementation Act intends to follow the current DDPA as close as possible. However, we do note some specific changes that the Implementation Act will bring about if it remains unchanged from its current proposal form:

  • There will be changes as to how appointments are made at the competent supervisory authority, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), and how those appointments are regulated. To safeguard the authority's independence, its officers will be appointed directly by the authority instead of by the Ministry of Security and Justice, as is currently the case.
  • There will be a specific exception allowing for the processing of biometric data for the sole purpose of identifying a natural person. Clause 26 of the Implementation Act will allow the processing of  biometric data if such processing "is done to identify the data subject where such identification is necessary and proportional for the legitimate purposes of the controller or a third party." This exception is the Netherlands’ specific implementation of Clause 9 of the GDPR that prohibits the processing of special categories of data including biometric data for the sole purpose of identifying a natural person, and which allows by member states to lay down exceptions to it as long as certain criteria are met (Clause 9(2)(b) GDPR).

The public consultation period for the Implementation Act proposal has ended on 20 January 2017. During this time, all citizens, companies, and other bodies or institutions could submit their reactions to the proposed Implementation Act. There have been 67 reactions, which can be consulted as they are publicly available.[3]

 

Team

Related news

21.04.2017 NL law
18 May 2017: TMT/IP Masterclass: Advertising Law Update

Masterclass - The TMT/IP (Technology,  Media and Telecommunications / Intellectual Property) team at Stibbe Amsterdam will host a Masterclass about recent developments and regulations in advertising law. During the Masterclass, TMT Lawyer Janna van Olst will discuss important regulations and the most leading cases from the 12 months.

Read more

30.05.2017 EU law
The Growth of Collective Redress in the EU: A Survey of Developments in 10 Member States—the need to maintain safeguards

Articles - In 2013, the European Commission adopted a Recommendation on Collective Redress. It invited Member States to adopt a collective redress framework by July 2016 that would include the features mentioned in the Recommendation and then by July 2017, to report to the Commission about the extent to which they had done so. On the basis of the Member States’ report, the Commission will assess whether further actions by the EU is required.

Read more

12.04.2017 NL law
What does a legal entity know?

Short Reads - In civil law many rules rely for their legal effect on the presence of certain knowledge or a certain intention with one of the parties. If the party at hand is a legal entity, like a limited company (besloten vennootschap), it can be difficult to determine what the entity knew. Fragments of information can be present in different parts of the organisation; an officer of the company may have gained his knowledge trough his private life; he may also have a duty of confidentiality.

Read more

23.05.2017 BE law
Verplichte toegang tot breedbandinternet als stedenbouwkundige verplichting: quo vadis?

Articles - Deze blog onderzoekt het toepassingsgebied van de verplichtingen (en eventuele vrijstellingen) uit de gewestelijke stedenbouwkundige verordening inzake breedband. Ook de praktische kant van de zaak komt aan bod: hoe moet hiermee in een vergunningsaanvraag worden omgegaan? Tenslotte worden enkele bedenkingen gemaakt of deze verplichtingen - gelet op hun uiterst geringe stedenbouwkundige impact - wel thuis horen in het domein van de ruimtelijke ordening.

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy and Cookie Policy