Legislative proposal for amendments to personal data protection

The government is currently (Sept 2011) working on a legislative proposal for amending the Personal Data Protection Act (WBP). A Ministry of Security and Justice document dated 29 April 2011 sets out the following changes to be included in the legislative proposal. 

1. An obligation to report cases in which the security measures for personal data are overridden.

2. A regulation to enable the further processing of personal data, if necessary overriding an obligation of secrecy, where there is an urgent need to do so in the vital interest (immediate or imminent impairment of life or health) of the person concerned, or a third party.

3. The qualitative strengthening of the enforcement of the WBP under administrative law, with administrative sanctions attached to the material standards of conduct of the WBP.

4. An explicit definition of a data controller’s obligation of transparency regarding the disclosure of established retention periods, and an obligation to disclose all actions taken with the personal data processed by him after the period ends.

5. A separate regulation with specific duties of transparency for the application of profiling, including an explicit statement of the purpose of processing, and the categories involved.

6. The allowance of objection and appeal against a final report of findings drawn up by the Dutch Data Protection Authority (CBP).

7. More effective scrutiny of the effectiveness and transparency of proposed measures in the area of information, and the inclusion of evaluation or sunset provisions.

8. More effective enforcement through the sharing of data in cooperation frameworks, if necessary by means of legislation.

9. The establishment of a privacy help desk for professionals in the sphere of security and youth care.

10. Investigation into opportunities for applying the General Administrative Law Act in sharing supervisory data, and for employing Privacy Impact Assessments.

Some of the above points will be given specific attention in the light of recent developments. For instance, under 1, an obligation to report is imposed on a controller who observes a data leak, and Article 13 of the WBP imposes an obligation on controllers to implement appropriate technical and organizational measures to prevent the loss or illegal processing of personal data. This subject is related to the many data leaks in the recent past, in which personal details, such as names, addresses, and in some cases also bank account details, have been made public. Examples include the error in the online accounts of the daily newspaper NRC[1], the hacking of the PlayStation Network online system in May 2011[2], and access to the Google accounts of the users of smartphones running Android 2.3.3 (or older) software[3]. It is undesirable for those whose data has been leaked to be informed only after some considerable delay. The legislative proposal will therefore include an obligation for controllers to notify any data leak to the person affected.

Point 3 includes extending the powers of the Dutch Data Protection Authority (CBP) to impose fines. The CBP currently has these powers only for violations of the obligation to report that is given in Article 27 of the WBP (on which ground a controller is obliged to report full or partial computer processing of personal data to the CBP). Furthermore, the maximum fine for violating the obligation to report is € 4,500, whereas, for example, the Independent Post and Telecommunications Authority (OPTA) is authorized to impose fines of up to € 450,000. This is another aspect that has received attention in the press. In early August this year the chairman of the CBP, Jacob Kohnstamm, was interviewed in the daily newspaper Algemeen Dagblad about the liability to be fined for publishing photos and videos of criminals[4], after which the CDA and PVV political parties expressed dissatisfaction with this aspect of the legislative proposal.

The ministerial document mentions that the state secretary, Fred Teeven, was proposing to submit the legislative proposal for consultation in 2011. At the time of writing, he had yet to do so. In view of the developments in recent months, as mentioned above, the legislative proposal may be expected to prompt much political discussion. In other words, this story is to be continued.

Lydia Faltas
Attorney at law, administrative law
lydia.faltas@vmwtaxand.nl




[1]     http://www.nu.nl/internet/2450958/privegegevens-nrc-abonnees-open-en-bloot.html

[2]     http://www.nu.nl/games/2521919/hack-playstation-network-kost-sony-120-miljoen-euro.html

[3]     http://www.volkskrant.nl/vk/nl/2694/Internet-Media/article/detail/2433319/2011/05/18/Android-heeft-gigantisch-datalek.dhtml

[4]     http://www.ad.nl/ad/nl/1012/Binnenland/article/detail/2824392/2011/08/01/Megaboete-voor-digitaal-schavot.dhtml
and see also: http://www.veiligwonencheck.nl/inbrekers/