• VMW Taxand
• About us
• Services
• Flex BV
• Credentials
• People
• Publications
• Working at VMW Taxand
• News
• Events
• Contact

• Newsletters Privacy
• • •   Hidden cameras in the workplace
  • •   Tax Authorities violate tenant privacy
  • •   Personal Data Protection Act amended
  • •   ECHR rules against the Netherlands
  • •   Amendments to the Exemption Decree Personal Data Protection Act
  • •   Hacking by the police
  • •   Processing is allowed, notification is mandatory
  • •   In the cloud
  • •   International transfer of personal data
  • •   Is monitoring employee behaviour an infringement of privacy?
  • •   Tax and Customs Administration lax in checking requests for tax data
  • •   Failing to provide information when fines have been imposed will be an offence
  • •   Legislative proposal for amendments to personal data protection
• Update on 2012 Dutch Corporate Tax Proposals
• The Amended 30% Ruling Regime

Processing is allowed, but notification is mandatory

If your plans to send a newsletter to potential or existing customers, or the performance of a contract – e.g. to sell your product – mean you need to obtain someone’s personal data, it is essential that you inform the person concerned (whose data are being processed) fully about how their data will be handled.

Both the Personal Data Protection Act (Wbp) and the Telecommunications Act (Tw) impose an obligation on the data controller (in this example the entrepreneur) to notify the person concerned (the customer) about the purposes, the nature and the retention period of the personal data. Any entrepreneur who fails to comply with these rules risks a fine of up to 450,000 euros. Compliance with the obligation to notify may be achieved by soliciting the person concerned’s agreement to a privacy statement before concluding a contract, or by means of a link in the newsletter that is sent. A privacy statement therefore – contrary to what is often believed – is more than a few lines of text to reassure a customer.

The obligation to notify

Article 33 of the Wbp requires a data controller, prior to acquiring personal data, to inform the person concerned about the following points:

- who he (the data controller) is;

- for which purposes the personal data are to be processed;

- how the data are to be used.

The Wbp defines data controller as the person who establishes the purpose of and the resources for processing personal data.[1] The article concerned is applicable when a person (the person whose data is to be processed[2]) provides their own data to the data controller in order to perform a contract (e.g. a purchase from a web shop). The purposes for which the data are to be processed must be described clearly, so that the person concerned knows what they are consenting to. The same applies to how personal data are used. Among the points to consider are the method of storage and retention period, but also disclosure to third parties.

When personal data are acquired by different means, Article 34 of the Wbp defines the scope of the obligation to notify. At the time of recording the data concerned, or prior to any disclosure of the data to third parties, the information must be provided to the person concerned. An example in which data are disclosed to third parties would be when a data controller proposes to pass the data on to another commercial party, possibly for marketing purposes.

Direct Marketing

Stated briefly, pursuant to Article 11.7 paragraph 1 of the Telecommunications Act (Tw), any unsolicited communication via an electronic communication service (e.g. Internet, e-mail, or fax) to potential customers requires prior consent from the potential customers. This approach is referred to as an ‘opt-in’. An example of unsolicited communication is a newsletter sent to the person concerned with a view to establishing a customer relationship that does not yet exist. The person concerned must give consent prior to sending. No opt-in is required when sending a newsletter to existing customers. An opt-out must be available for all communication (to either potential or existing customers). In other words, the receiver of the newsletter is given the means to quickly and simply arrange to stop receiving the newsletter.

Conclusion

The processing of personal data and the use of direct marketing in running a business requires entrepreneurs to take account of the associated obligation to notify. This in turn requires a carefully worded privacy statement.

Lydia Faltas
Attorney at law, administrative law
lydia.faltas@vmwtaxand.nl

There is additional information on privacy and how our various practice groups can be of assistance to you here.