UNOFFICIAL TRANSLATION
UPPER
HOUSE OF THE DUTCH PARLIAMENT
Session
1999-2000 Nr. 92
25 892
- Rules for the protection of
personal data (Personal Data Protection Act)
(Wet bescherming persoonsgegevens)
REVISED BILL (as approved by the Lower House on 23 November
1999)
We, Beatrix,
by the grace of God, Queen of the Netherlands, Princess of
Orange-Nassau, etc. etc. etc.
To all those
who read or hear this, We greet you and hereby proclaim as
follows:
Whereas it is
necessary to implement Directive 95/46/EC of the European
Parliament and of the Council of the European Union of 23
November 1995 on the protection of individuals with regard to
the processing of personal data and on the free movement of
that data (OJ L 281);
Having regard
to Article 10(2) and (3) of the Constitution;
We, having
consulted the State Council, and in joint consultation with
Parliament, have approved and understood, as We approve and
understand, the following:
CHAPTER 1.
GENERAL PROVISIONS
Article 1
For the
purposes of this Act and the provisions based upon it:
a. "personal
data" shall mean: any information relating to an identified or
identifiable natural person;
b. "processing of personal data" shall mean: any operation or
any set of operations concerning personal data, including in
any case the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use,
dissemination by means of transmission, distribution or making
available in any other form, merging, linking, as well as
blocking, erasure or destruction of data;
c. "file" shall mean: any structured set of personal data,
regardless of whether or not this data set is centralised or
dispersed along functional or geographical lines, that is
accessible according to specific criteria and relates to
different persons;
d. "responsible party" shall mean: the natural person, legal
person, administrative body or any other entity which, alone
or in conjunction with others, determines the purpose of and
means for processing personal data;
e. "processor" shall mean: the person or body which processes
personal data for the responsible party, without coming under
the direct authority of that party;
f. "data subject" shall mean: the person to whom personal data
relate;
g. "third party" shall mean: any party other than the data
subject, the responsible party, the processor, or any person
under the direct authority of the responsible party or the
processor, who is authorised to process personal data;
h. "recipient" shall mean: the party to whom the personal data
are provided;
i. "consent of the data subject" shall mean: any freely-given, specific and
informed expression of will whereby data subjects agree to the
processing of personal data relating to them;
j. "Our Minister" shall mean: Our Minister of Justice;
k. "Data Protection Commission" or "Commission" shall mean:
the body referred to in Article 51;
l. "officer" shall mean: the data protection officer referred
to in Article 62;
m. "prior investigation" shall mean: an investigation as
referred to in Article 31;
n. "provision of personal data" shall mean: the disclosure or
making available of personal data;
o. "collection of personal data" shall mean: the obtaining of
personal data.
Article 2
1. This
Act applies to the fully or partly automated processing of
personal data, and the non-automated processing of personal
data entered in a file or intended to be entered therein.
2. This Act
does not apply to the processing of personal data:
a. in the
course of a purely personal or household activity;
b. by or on behalf of the intelligence or security services
referred to in the Intelligence and Security Services Act
(Wet op de inlichtingen- en veiligheidsdiensten);
c. for the purposes of implementing the
police tasks defined in Article 2 of the Police Act 1993
(Politiewet 1993);
d. governed by or under the
Municipal Database (Personal Records) Act
(Wet gemeentelijke basisadministratie
persoonsgegevens);
e. for the purposes of
implementing the Judicial Documentation Act
(Wet justitiële documentatie)
and
f. for the purposes of
implementing the Electoral Provisions Act
(Kieswet).
3. This Act
does not apply to the processing of personal data by the armed
forces where Our Defence Minister so decides with a view to
deploying or making available the armed forces to maintain or
promote the international legal order. Such a decision shall
be communicated to the Data Protection Commission as quickly
as possible.
Article 3
1. This Act
does not apply to the processing of personal data for
exclusively journalistic, artistic or literary purposes,
except where otherwise provided in this Chapter and in
Articles 6 to 11, 13 to 15, 25 and 49.
2. The
prohibition on processing personal data referred to in Article
16 does not apply where this is necessary for the purposes
referred to under (1).
Article 4
1. This
Act applies to the processing of personal data carried out in
the context of the activities of an establishment of a
responsible party in the Netherlands.
2. This Act
applies to the processing of personal data by or for
responsible parties who are not established in the European
Union, whereby use is made of automated or non-automated means
situated in the Netherlands, unless these means are used only
for forwarding personal data.
3. The
responsible parties referred to under (2) are prohibited from
processing personal data, unless they designate a person or
body in the Netherlands to act on their behalf in accordance
with the provisions of this Act. For the purposes of
application of this Act and the provisions based upon it, the
said person or body shall be deemed to be the responsible
party.
Article 5
1. In the
case that the data subjects are minors and have not yet
reached the age of sixteen, or have been placed under legal
restraint or the care of a mentor, instead of the consent of
the data subjects, that of their legal representative is
required.
2. The data
subjects or their legal representative may withdraw consent at
any time.
CHAPTER 2.
CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL
DATA
Section 1. Processing of personal data in general
Article 6
Personal
data shall be processed in accordance with the law and in a
proper and careful manner.
Article 7
Personal
data shall be collected for specific, explicitly defined and
legitimate purposes.
Article 8
Personal
data may only be processed where:
a. the data
subject has unambiguously given his consent for the
processing;
b. the processing is necessary for the performance of a
contract to which the data subject is party, or for actions to
be carried out at the request of the data subject and which
are necessary for the conclusion of a contract;
c. the processing is necessary in order to comply with a legal
obligation to which the responsible party is subject;
d. the processing is necessary in order to protect a vital
interest of the data subject;
e. the processing is necessary for the proper performance of a
public law duty by the administrative body concerned or by the
administrative body to which the data are provided, or
f. the processing is necessary for upholding the legitimate
interests of the responsible party or of a third party to whom
the data are supplied, except where the interests or
fundamental rights and freedoms of the data subject, in
particular the right to protection of individual privacy,
prevail.
Article 9
1.
Personal data shall not be further processed in a way
incompatible with the purposes for which they have been
obtained.
2. For the
purposes of assessing whether processing is incompatible, as
referred to under (1), the responsible party shall in any case
take account of the following:
a. the
relationship between the purpose of the intended processing
and the purpose for which the data have been obtained;
b. the nature of the data concerned;
c. the consequences of the intended processing for the data
subject;
d. the manner in which the data have been obtained, and
e. the extent to which appropriate guarantees have been put in
place with respect to the data subject.
3. The
further processing of personal data for historical,
statistical or scientific purposes shall not be regarded as
incompatible where the responsible party has made the
necessary arrangements to ensure that the further processing
is carried out solely for these specific purposes.
4. The
processing of personal data shall not take place where this is
precluded by an obligation of confidentiality by virtue of
office, profession or legal provision.
Article 10
1.
Personal data shall not be kept in a form which allows the
data subject to be identified for any longer than is necessary
for achieving the purposes for which they were collected or
subsequently processed.
2. Personal
data may be kept for longer than provided under (1), where
this is for historical, statistical or scientific purposes,
and where the responsible party has made the necessary
arrangements to ensure that the data concerned are used solely
for these specific purposes.
Article 11
1.
Personal data shall only be processed where, given the
purposes for which they are collected or subsequently
processed, they are adequate, relevant and not excessive.
2. The
responsible party shall take the necessary steps to ensure
that personal data, given the purposes for which they are
collected or subsequently processed, are correct and accurate.
Article 12
1. Anyone
acting under the authority of the responsible party or the
processor, as well as the processor himself, where they have
access to personal data, shall only process such data on the
orders of the responsible party, except where otherwise
required by law.
2. The
persons referred to under (1), who are not subject to an
obligation of confidentiality by virtue of office, profession
or legal provision, are required to treat as confidential the
personal data which comes to their knowledge, except where the
communication of such data is required by a legal provision or
the proper performance of their duties. Article 272(2) of the
Penal Code is not applicable.
Article 13
The
responsible party shall implement appropriate technical and
organizational measures to secure personal data against loss
or against any form of unlawful processing. These measures
shall guarantee an appropriate level of security, taking into
account the state of the art and the costs of implementation,
and having regard to the risks associated with the processing
and the nature of the data to be protected. These measures
shall also aim at preventing unnecessary collection and
further processing of personal data.
Article 14
1. Where
responsible parties have personal data processed for their
purposes by a processor, these responsible parties shall make
sure that the processor provides adequate guarantees
concerning the technical and organizational security measures
for the processing to be carried out. The responsible parties
shall make sure that these measures are complied with.
2. The
carrying out of processing by a processor shall be governed by
an agreement or another legal act whereby an obligation is
created between the processor and the responsible party.
3. The
responsible party shall make sure that the processor:
a. processes
the personal data in accordance with Article 12(1) and
b. complies with the obligations incumbent upon the
responsible party under Article 13.
4. Where the
processor is established in another country of the European
Union, the responsible party shall make sure that the
processor complies with the laws of that other country,
notwithstanding the provisions of (3)(b).
5. With a
view to the keeping of proof, the parts of the agreement or
legal act relating to personal data protection and the
security measures referred to in Article 13, shall be set down
in writing or in another equivalent form.
Article 15
The
responsible party shall make sure that the obligations
referred to in Articles 6 to 12 and 14(2) and (5) of this
Chapter are complied with.
Section 2.
Processing of special personal data
Article 16
It is
prohibited to process personal data concerning a person's
religion or philosophy of life, race, political persuasion,
health and sexual life, or personal data concerning trade
union membership, except as otherwise provided in this
Section. This prohibition also applies to personal data
concerning a person's criminal behaviour, or unlawful or
objectionable conduct connected with a ban imposed with regard
to such conduct.
Article 17
1. The
prohibition on processing personal data concerning a person's
religion or philosophy of life, as referred to in Article 16,
does not apply where the processing is carried out by:
a. church
associations, independent sections thereof or other
associations founded on spiritual principles, provided that
the data concerns persons belonging thereto;
b. institutions founded on religious or philosophical
principles, provided that this is necessary to the aims of the
institutions and for the achievement of their principles, or
c. other institutions provided that this is necessary to the
spiritual welfare of the data subjects, unless they have
indicated their objection thereto in writing.
2. In the
cases referred to under (1)(a), the prohibition also does not
apply to personal data concerning the religion or philosophy
of life of family members of the data subjects, provided that:
a. the
association concerned maintains regular contacts with these
family members in connection with its aims, and
b. the family members have not indicated any objection thereto
in writing.
3. In the
cases referred to under (1) and (2), no personal data may be
supplied to third parties without the consent of the data
subject.
Article 18
1. The
prohibition on processing personal data concerning a person's
race, as referred to in Article 16, does not apply where the
processing is carried out:
a. with a
view to identifying data subjects and only where this is
essential for that purpose;
b. for the purpose of assigning a preferential status to
persons from a particular ethnic or cultural minority group
with a view to eradicating or reducing actual inequalities,
provided that:
1º. this is
necessary for that purpose;
2º. the data only relate to the country of birth of the data
subjects, their parents or grandparents, or to other
criteria laid down by law, allowing an objective
determination whether a person belongs to a minority group
as referred to under (b), and
3º. the data subjects have not indicated any objection
thereto in writing.
Article 19
1. The
prohibition on processing personal data concerning a person's
political persuasion, as referred to in Article 16, does not
apply where the processing is carried out:
a. by
institutions founded on political principles with respect to
their members or employees or other persons belonging to the
institution, provided that this is necessary to the aims of
the institutions and for the achievement of their principles,
or
b. with a view to the requirements concerning political
persuasion which can reasonably be applied in connection with
the performance of duties in administrative and advisory
bodies.
2. In the
cases referred to under (1)(a), no personal data may be
supplied to third parties without the consent of the data
subject.
Article 20
1. The
prohibition on processing personal data concerning a person's
trade union membership, as referred to in Article 16, does not
apply where the processing is carried out by the trade union
concerned or the trade union federation to which this trade
union belongs, provided that this is necessary to the aims of
the trade union or trade union federation.
2. In the
cases referred to under (1), no personal data may be supplied
to third parties without the consent of the data subject.
Article 21
1. The
prohibition on processing personal data concerning a person's
health, as referred to in Article 16, does not apply where the
processing is carried out by:
a. medical
professionals, healthcare institutions or facilities or social
services, provided that this is necessary for the proper
treatment and care of the data subject, or for the
administration of the institution or professional practice
concerned;
b.
insurance companies as referred to in Article 1(1)(h) of the
Insurance Supervision Act 1993
(Wet toezicht verzekeringsbedrijf 1993),
insurance companies as
referred to in Article 1(c) of the Funeral Insurance
Supervision Act (Wet toezicht
natura-uitvaartverzekeringsbedrijf),
and intermediaries and sub-agents as referred to in Article
1(b) and (c) of the Insurance Mediation Act
(Wet assurantiebemiddelingsbedrijf), provided that this is necessary for:
1º.
assessing the risk to be insured by the insurance company
and the data subject has not indicated any objection
thereto, or
2º. the performance of the insurance agreement;
c. schools,
provided that this is necessary with a view to providing
special support for pupils or making special arrangements in
connection with their state of health;
d. institutions for probation, child protection or
guardianship, provided that this is necessary for the
performance of their legal duties;
e. Our Minister of Justice, provided that this is necessary in
connection with the implementation of prison sentences or
detention measures, or
f. administrative bodies, pension funds, employers or
institutions working for them, provided that this is necessary
for:
1º. the
proper implementation of the provisions of laws, pension
regulations or collective agreements which create rights
dependent on the state of health of the data subject, or
2º. the reintegration of or support for workers or persons
entitled to benefit in connection with sickness or work
incapacity.
2. In the
cases referred to under (1), the data may only be processed by
persons subject to an obligation of confidentiality by virtue
of office, profession or legal provision, or under an
agreement. Where responsible parties personally process data
and are not already subject to an obligation of
confidentiality by virtue of office, profession or legal
provision, they are required to treat the data as
confidential, except where they are required by law or in
connection with their duties to communicate such data to other
parties who are authorised to process such data in accordance
with (1).
3. The
prohibition on processing other personal data, as referred to
in Article 16, does not apply where this is necessary to
supplement the processing of personal data concerning a
person's health, as referred to under (1)(a), with a view to
the proper treatment or care of the data subject.
4. Personal
data concerning inherited characteristics may only be
processed, where this processing takes place with respect to
the data subject from whom the data concerned have been
obtained, unless:
a. a serious
medical interest prevails, or
b. the processing is necessary for the purpose of scientific
research or statistics.
In the case
referred to under (b), Article 23(1)(a) and (2) shall likewise
be applicable.
5. More
detailed rules may be issued by general administrative
regulation concerning the application of (1)(b) and (e).
Article 22
1.
The prohibition on processing personal data concerning a
person's criminal behaviour, as referred to in Article 16,
does not apply where the processing is carried out by bodies,
charged by law with applying criminal law and by responsible
parties who have obtained these data in accordance with the
Police Registers Act (Wet
politieregisters) or the
Judicial Documentation Act
(Wet justitiële documentatie).
2. The
prohibition does not apply to responsible parties who process
these data for their own purposes with a view to:
a. assessing
an application by data subjects in order to take a decision
about them or provide a service to them, or
b. protecting their interests, provided that this concerns
criminal offences which have been or, as indicated by certain
facts and circumstances, can be expected to be committed
against them or against persons in their service.
3. The
processing of these data concerning personnel in the service
of the responsible party shall take place in accordance with
the rules established in compliance with the procedure
referred to in the Works Councils Act
(Wet op de
ondernemingsraden).
4. The
prohibition does not apply where these data are processed for
the account of third parties:
a. by
responsible parties acting in accordance with a licence issued
under the Private Security Organisations and Investigation
Bureaus Act
(Wet particuliere
beveiligingsorganisaties en recherchebureaus);
b. where these
third parties are legal persons forming part of the same
group, as referred to in Article 2:24(b) of the Civil Code, or
c. where appropriate and specific guarantees have been
provided and the procedure referred to in Article 31 has been
followed.
5. The
prohibition on processing other personal data, as referred to
in Article 16, does not apply where this is necessary to
supplement the processing of data on criminal behaviour, for
the purposes for which these data are being processed.
6. The
provisions of (2) to (5) are likewise applicable to personal
data relating to a ban imposed by a court concerning unlawful
or objectionable conduct.
7. Rules may
be issued by general administrative regulation concerning the
appropriate and specific guarantees referred to under (4)(c).
Article 23
1.
Without prejudice to Articles 17 to 22, the prohibition on
processing personal data referred to in Article 16 does not
apply where:
a. this is
carried out with the express consent of the data subject;
b. the data have manifestly been made public by the data
subject;
c. this is necessary for the establishment, exercise or
defence of a right in law;
d. this is necessary to comply with an
obligation of international public law, or
e. this is
necessary with a view to an important public interest, where
appropriate guarantees have been put in place to protect
individual privacy and this is provided for by law or else the
Data Protection Commission has granted an exemption. When
granting an exemption, the Commission can impose rules and
restrictions.
2. The
prohibition on the processing of personal data referred to in
Article 16 for the purpose of scientific research or
statistics does not apply where:
a. the
research serves a public interest,
b. the processing is necessary for the research or statistics
concerned,
c. it appears to be impossible or would involve a
disproportionate effort to ask for express consent, and
d. sufficient guarantees are provided to ensure that the
processing does not adversely affect the individual privacy of
the data subject to a disproportionate extent.
3. Processing
referred to under (1)(e) must be notified to the European
Commission. This notification shall be made by Our Minister
concerned where the processing is provided for by law. The
Data Protection Commission shall make the notification in the
case that it has granted an exemption for the processing.
Article 24
1. A
number that is required by law for the purposes of identifying
a person may only be used for the processing of personal data
in execution of the said law or for purposes stipulated by the
law.
2.
Cases other than those referred to under (1) can be designated
by general administrative regulation in which a number to be
indicated in this connection, as referred to under (1), can be
used. More detailed rules may be laid down in this connection
concerning the use of such
a number.
CHAPTER 3.
CODES OF CONDUCT
Article 25
1. An
organisation or organisations planning to draw up a code of
conduct may request the Data Protection Commission to declare
that, given the particular features of the sector or sectors
of society in which these organisations are operating, the
rules contained in the said code properly implement this Act
or other legal provisions on the processing of personal data.
Where a code of conduct provides for the arrangement of
disputes about its observance, the Commission may only issue a
declaration, if guarantees have been provided for its
independent character.
2. The
provisions of (1) are likewise applicable to amendments or
extensions to existing codes of conduct.
3. The
Commission shall only consider requests where, in its opinion,
the requester or requesters are sufficiently representative
and the sector or sectors concerned are sufficiently precisely
defined in the code.
4. A
decision on a request referred to under (1) shall be deemed to
be equivalent to a decision within the meaning of the General
Administrative Regulations Act
(Algemene wet bestuursrecht).
This decision shall be arrived at in
accordance with the procedure laid down by Section 3.4 of that
Act. The decision must be taken within a reasonable period of
time, it being understood that this period must be no longer
than thirteen weeks.
5. The
declaration shall apply for the duration of the code of
conduct, while not exceeding five years from the date on which
the declaration is announced. Where a declaration is requested
for an amendment to a code of conduct for which a declaration
has already been issued previously, the declaration shall
apply for the duration of the declaration issued previously.
6. The
Commission is responsible for publishing the declaration,
together with the associated code, in the Official Gazette
(Staatscourant).
Article 26
1. More
detailed rules may be issued by general administrative
regulation with regard to a particular sector concerning the
matters covered in Articles 6 to 11 and 13.
2. The Data
Protection Commission shall indicate in its annual report the
extent to which, in its opinion, the provisions of (1) should
be applied.
CHAPTER 4.
NOTIFICATION AND PRIOR INVESTIGATION
Section 1.
Notification
Article 27
1. The
fully or partly automated processing of personal data intended
to serve a single purpose or different related purposes, must
be notified to the Data Protection Commission or the officer
before the processing is started.
2. The
non-automated processing of personal data intended to serve a
single purpose or different related purposes, must be notified
where this is subject to a prior investigation.
Article 28
1. The
notification shall contain the following particulars:
a. the name
and address of the responsible party;
b. the purpose or purposes of the processing;
c. a description of the categories of data subjects and of the
data or categories of data relating thereto;
d. the recipients or categories of recipients to whom the data
may be supplied;
e. the planned transfers of data to countries outside the
European Union;
f. a general description allowing a preliminary assessment of
the suitability of the planned measures to guarantee the
security of the processing, in application of Articles 13 and
14.
2. The
notification shall include the purpose or purposes for which
the data or categories of data have been or are being
collected.
3. Changes in
the name or address of the responsible party must be notified
within one week. Changes to the notification which concern
(1)(b) to (f) shall be notified in each case within one year
of the previous notification, where they appear to be of more
than incidental importance.
4. Any
processing which departs from that which has been notified in
accordance with the provisions of (1)(b) to (f) shall be
recorded and kept for at least three years.
5. More
detailed rules can be issued by or under general
administrative regulation concerning the procedure for
submitting notifications.
Article 29
1. It may
be laid down by general administrative regulation that certain
categories of data processing which are unlikely to infringe
the fundamental rights and freedoms of the data subject, are
exempted from the notification requirement referred to in
Article 27.
2. In this
case, the following particulars shall be stated:
the purposes
of the processing,
the processed data or categories of processed data,
the categories of data subjects,
the recipients or categories of recipients to whom the data is
to be supplied, and
the period during which the data are to be stored.
3. Where
this is necessary in order to detect criminal offences in a
particular case, it may be laid down by general administrative
regulation that certain categories of processing by
responsible parties who are vested with investigating powers
by law shall be exempt from notification. Compensatory
guarantees to protect personal data can be provided in this
connection. The processed data may only be used for the
purposes expressly stated in the said general administrative
regulation.
4. The
notification requirement does not apply to public registers
set up by law or to data supplied to an administrative body
pursuant to a legal obligation.
Article 30
1. Both
the Data Protection Commission and the officer shall maintain
an up-to-date register of the data processing notified to
them. The register shall contain as a minimum the information
provided in accordance with Article 28(1)(a) to (e).
2. The
register may be consulted by any person free of charge.
3. The
responsible party shall provide any person who so requests
with the information referred to in Article 28(1)(a) to (e)
concerning data processing exempted from the notification
requirement.
4. The
provisions of (3) do not apply to:
a. data
processing which is covered by an exemption under Article
29(3).
b. public registers set up by law.
Section 2.
Prior investigation
Article 31
1. The Data
Protection Commission shall initiate an investigation prior to
any processing for which responsible parties:
a. plan to
process a number identifying persons for a purpose other than
the one for which the number is specifically intended with the
aim of linking the data together with data processed by other
responsible parties, unless the number is used for the cases
defined in Article 24;
b. plan to record data on the basis of their own observations
without informing the data subjects thereof, or
c. plan to process data on criminal behaviour or on unlawful
or objectionable conduct for third parties other than under
the terms of a licence issued under the Private Security
Organisations and Investigation Bureaus Act.
2. The
provisions of (1)(b) do not apply to public registers set up
by law.
3. The
provisions of (1) may be rendered applicable to other types of
data processing by law or general administrative regulation
where such processing carries a particular risk for the
individual rights and freedoms of the data subject. The Data
Protection Commission shall indicate in its annual report the
extent to which, in its opinion, the said provisions should be
rendered applicable to such data.
4. The Data
Protection Commission shall notify processing referred to
under (1)(c) to the European Commission.
Article 32
1. Data
processing to which Article 31(1) is applicable shall be
notified as such by the responsible party to the Data
Protection Commission.
2. The
notification of such data processing requires responsible
parties to suspend the processing they are planning to carry
out until the Commission has completed its investigation or
until they have received notice that a more detailed
investigation will not be conducted.
3. In the
case of the notification of data processing to which Article
31(1) is applicable, the Commission shall communicate its
decision in writing within four weeks of the notification as
to whether or not it will conduct a more detailed
investigation.
4. In the
event that the Commission decides to conduct a more detailed
investigation, it shall indicate the period of time within
which it plans to conduct this investigation. This period must
not exceed thirteen weeks.
5. The more detailed
investigation referred to under (4) leads to a statement
concerning the lawfulness of the data processing.
6. The
statement by the Commission is deemed to be equivalent to a
decision within the meaning of the General Administrative
Regulations Act. This statement shall be prepared in
accordance with the procedure laid down by Section 3.4 of that
Act.
CHAPTER 5.
INFORMATION PROVIDED TO THE DATA SUBJECT
Article 33
1. Where
personal data are to be obtained from a data subject, the
responsible party shall provide the data subject with the
information referred to under (2) and (3) prior to obtaining
the said personal data, unless the data subject is already
acquainted with this information.
2. The
responsible party shall inform the data subject of its
identity and the purposes of the processing for which the data
are intended.
3. The
responsible party shall provide more detailed information,
where given the type of data, the circumstances in which they
are to be obtained or the use to be made thereof, this is
necessary in order to guarantee with respect to the data
subject that the processing is carried out in a proper and
careful manner.
Article 34
1. Where
personal data are obtained in a manner other than that
referred to in Article 33, the responsible party shall provide
the data subject with the information referred to under (2)
and (3), unless the data subject is already acquainted with
this information:
a. at the
time that the data relating to him is recorded; or
b. when it is intended to supply the data to a third party, at
the latest on the first occasion that the said data are so
supplied.
2. The
responsible party shall inform the data subject of its
identity and the purposes of the processing.
3. The
responsible party shall provide more detailed information,
where given the type of data, the circumstances in which they
have been obtained or the use to be made thereof, this is
necessary in order to guarantee with respect to the data
subject that the processing is carried out in a proper and
careful manner.
4. The
provisions of (1) do not apply if it appears to be impossible
or would involve a disproportionate effort to provide the said
information to the data subject. In that case, the responsible
party shall record the origin of the data.
5. The
provisions of (1) likewise do not apply if the recording or
provision of the data is required by or under the law. In that
case, the responsible party must inform the data subject, upon
his request, about the legal provision which led to the
recording or supply of data relating to the data subject.
CHAPTER 6.
RIGHTS OF THE DATA SUBJECT
Article 35
1. A data
subject has the right, freely and at reasonable intervals, to
request the responsible party to inform him as to whether
personal data relating to him are being processed. The
responsible party shall inform the data subject in writing
within four weeks as to whether personal data relating to him
are being processed.
2. In the
event that such data are being processed, the information
provided shall contain a full and clear summary thereof, a
definition of the purpose or purposes of the processing, the
data categories to which the processing relates and the
recipients or categories of recipients, as well as the
available information about the origin of the data.
3. Prior to
the providing of information referred to under (1) to which a
third party may be expected to object, the responsible party
shall give the third party an opportunity to express its views
where such information contains data concerning that third
party unless this appears to be impossible or would involve a
disproportionate effort.
4. Upon
request, the responsible party shall provide information
concerning the underlying logic of the automated processing of
data relating to the data subject.
Article 36
1. A
person who has been informed about personal data relating to
him in accordance with Article 35 may request the responsible
party to correct, supplement, delete or block the said data in
the event that it is factually inaccurate, incomplete or
irrelevant to the purpose or purposes of the processing, or is
being processed in any other way which infringes a legal
provision. The request shall contain the modifications to be
made.
2. The
responsible party shall inform the requester in writing within
four weeks of receiving the request as to whether and, if so,
to what extent, it is complying therewith. A refusal to do so
must be accompanied by the reasons.
3. The
responsible party must make sure that a decision to correct,
supplement, delete or block data is implemented as quickly as
possible.
4. Where
personal data have been recorded on a data carrier to which no
modifications can be made, the responsible party must take the
necessary steps to inform the data user that it is impossible
to correct, supplement, delete or block the data, even where
there are grounds under this article for modifying the data.
5. The provisions of (1) to
(4) do not apply to public registers set up by law where this
law provides for a special procedure for correcting,
supplementing, deleting or blocking data.
Article 37
1. Where
an important interest of the requester so requires, the
responsible party shall reply to the request referred to in
Articles 35 and 36 in a form, other than in writing, which
takes due account of this interest.
2. The
responsible party shall make sure that the identity of the
requester is properly established.
3. In the
case of minors who have not yet reached the age of sixteen,
and of persons placed under legal restraint, the requests
referred to in Articles 35 and 36 shall be made by their legal
representatives. The information concerned shall also be
provided to the legal representatives.
Article 38
1. The
responsible party who has corrected, supplemented, deleted or
blocked personal data in response to a request under Article
36, has an obligation as soon as possible to inform third
parties to whom the data has previously been supplied about
the correction, addition, deletion or blocking, unless this
appears to be impossible or would involve a disproportionate
effort.
2. Upon
request, the responsible party shall notify the requester
referred to in Article 36 of those parties to whom it has
provided such information.
Article 39
1. The
responsible party may require a payment for expenses incurred
in providing the information referred to in Article 35, the
amount of which shall be laid down by or under general
administrative regulation and may not exceed ten Dutch
guilders.
2. The
payment shall be refunded in the event that the responsible
party corrects, supplements, deletes or blocks data at the
request of the data subject, on the recommendation of the Data
Protection Commission or by order of a court.
3. The amount
referred to under (1) may be modified in special cases by
general administrative regulation.
Article 40
1. Where
data are undergoing the processing referred to in Article 8(e)
and (f), the data subject may at any time register an
objection with the responsible party in connection with his
particular personal circumstances.
2. The
responsible party shall take a decision within four weeks of
receiving a notice of objection as to whether the objection is
justified. In the event that the objection is justified, the
responsible party shall stop the processing with immediate
effect.
3. The
responsible party may require a payment for expenses incurred
in dealing with an objection, which payment may not exceed an
amount to be laid down by or under a general administrative
regulation. The payment shall be refunded in the event that
the objection is found to be justified.
4. This
article does not apply to public registers set up by law.
Article 41
1. Where data
are being processed in connection with the creation or
maintenance of a direct relationship between the responsible
party or a third party and the data subject with a view to
recruitment for commercial or charitable purposes, the data
subject may register an objection to such processing with the
responsible party at any time and at no cost to himself.
2. In the
case of an objection, the responsible party shall take the
steps required to stop this form of processing with immediate
effect.
3.
Responsible parties, who are planning to provide personal data
to third parties or to use such data at their account for the
purposes referred to under (1), shall take appropriate steps
to notify the data subjects of the possibility of registering
objections. This notification shall be made via one or more
newspapers or free-sheets, or in some other suitable way. In
the case of regular provision to or use at the account of
third parties, the notification shall take place at least once
a year.
4.
Responsible parties processing personal data for the purposes
referred to under (1), shall make sure that data subjects are
notified of the possibility of registering objections,
whenever a direct message is sent to them for the said
purposes.
Article 42
1. No one
may be subject to a decision to which are attached legal
consequences for them, or which affects them to a substantial
degree, where this decision has been taken solely on the basis
of the automated processing of personal data intended to
provide a picture of certain aspects of their personality.
2. The
provisions of (1) do not apply where the decision referred to
therein:
a. has been
taken in connection with the conclusion or execution of a
contract, and
1º. the
request of the data subjects has been met, or
2º. appropriate measures have been taken to protect their
legitimate interests; or
b. is based
on a law in which measures are laid down for protecting the
legitimate interests of data subjects.
3.
Appropriate measures, as referred to under (2)(a), shall be
considered as taken where the data subjects have been given
the opportunity to put forward their views on the decisions as
referred to under (1).
4. In the
case referred to under (2), the responsible party shall inform
the data subjects about the underlying logic of the automated
processing of the data relating to them.
CHAPTER 7.
EXCEPTIONS AND RESTRICTIONS
Article 43
Responsible parties are not required to apply Articles 9(1),
30(3), 33, 34 and 35, where this is necessary in the interests of:
a. State
security;
b. the prevention, detection and prosecution of criminal
offences;
c. important economic and financial interests of the State and
other public bodies;
d. supervising compliance with legal provisions established in
the interests referred to under (b) and (c), or
e. protecting the data subject or the rights and freedoms of
other persons.
Article 44
1. Where
processing is carried out by institutions or services for the
purposes of scientific research or statistics, and the
necessary arrangements have been made to ensure that the
personal data can only be used for statistical or scientific
purposes, the responsible party shall not be required to
provide the information referred to in Article 34 and may
refuse to comply with the requests referred to in Article 35.
2.
Where personal data are being processed which form part of
archive records transferred to an archive storage place under
Articles 12 or 13 of the Archives Act 1995
(Archiefwet 1995), the
responsible party shall not be required to provide the
information referred to in Article 34.
CHAPTER 8.
LEGAL PROTECTION
Article 45
A
decision taken in response to a request referred to in
Articles 30(3), 35, 36 and 38(2), and a decision taken in
response to the registering of an objection referred to in
Articles 40 or 41, shall be equivalent to a decision within
the meaning of the General Administrative Regulations Act,
where this decision has been taken by an administrative body.
Article 46
1. Where
a decision referred to in Article 45 has been taken by a body
other than an administrative body, the party concerned can
apply to the district court with a written request to order
the responsible party to grant or reject a request referred to
in Articles 30(3), 35, 36 or 38(2), or to recognise or reject
an objection referred to in Articles 40 or 41.
2. The
application must be submitted within six weeks of receiving
the reply from the responsible party. In the event that the
responsible party does not reply within the time limit, the
application must be submitted within six weeks of the expiry
of this time limit.
3. The court
shall find in favour of the request where it is ruled to be
well-founded. Before handing down a ruling, the court shall,
where necessary, give the parties concerned an opportunity to
put forward their views.
4. The
twelfth title of the First Book of the Code of Civil
Procedure, with the exception of Article 429d(3), applies.
Article 345 of the said Code does not apply.
5. The third
section of the fifth title of the Second Book of the Code of
Civil Procedure is likewise applicable.
Article 47
1. Within
the time limit provided for an appeal based on the General
Administrative Regulations Act or referred to in Article
46(2), the party concerned may apply to the Data Protection
Commission with a request to mediate or give its opinion in
the dispute with the responsible party, or make use of the
provisions concerning the arrangement of disputes in a code of
conduct which has been the subject of a declaration as
referred to in Article 25(1). In that case, notwithstanding
Article 6:7 of the General Administrative Regulations Act, the
appeal may still be lodged or the court proceedings provided
for in Article 46 still initiated after the party concerned
has received notice from the Data Protection Commission, or
further to the provisions concerning the arrangement of
disputes in a code of conduct which has been the subject of a
declaration as referred to in Article 25(1), that the case has
been dealt with, but at the latest six weeks after that
moment.
2. During the
period when the appeal and the proceedings referred to under
(1) are being dealt with, the bodies responsible for dealing
with the dispute may obtain the opinion of the Data Protection
Commission.
Article 48
The
bodies responsible for dealing with the dispute shall send a
copy of their verdict to the Data Protection Commission.
Article 49
1. Where
any person suffers harm as a consequence of acts concerning
him which infringe the provisions laid down by or under this
Act, the following paragraphs shall apply, without prejudice
to other legal provisions.
2. For harm
that does not comprise damage to property, the injured party
has the right to fair compensation.
3.
Responsible parties are liable for harm resulting from
non-compliance with the provisions referred to under (1).
Processors are liable for this harm where this was incurred as
a result of their actions.
4.
Responsible parties or processors may be exempted wholly or
partially from this liability where they can prove that the
harm cannot be attributed to them.
Article 50
1. Where
responsible parties or processors act in contravention of the
provisions laid down by or under this Act and other parties
sustain, or may sustain, harm as a consequence thereof, the
courts may, at the petition of the other parties, impose a ban
on such conduct and order them to take measures to remedy the
consequences of that conduct.
2. Processing
cannot form the basis for a claim by a legal person referred
to in Article 1:2(3) of the General Administrative Regulations
Act or Article 3:305a of the Civil Code, where the persons
affected by this processing object thereto.
CHAPTER 9.
SUPERVISION
Section 1.
The Data Protection Commission
Article 51
1. An
Office of the Data Protection Commission has been established
with the task to oversee the processing of personal data in
accordance with the provisions laid down by and under the Act.
The Commission shall also oversee the processing of personal
data in the Netherlands, where the processing takes place in
accordance with the laws of another country of the European
Union.
2. The
Commission shall be asked to issue an opinion on bills and
draft texts of general administrative regulations relating
entirely or substantially to the processing of personal data.
Article 52
1. The
Commission shall perform the other tasks vested in it by law
and treaty.
2. The
Commission is independent in the performance of its tasks.
Article 53
1. The
Commission comprises a chairperson and two other members. In
addition, special members may be appointed to the Commission.
In the appointment of special members, all efforts shall be
made to reflect the various sectors of society.
2. The
chairperson must fulfil the requirements governing the
appointment of district court judges, as laid down in Article
48(1) of the Judicature Act
(Wet op de rechterlijke
organisatie).
3. The
chairperson shall be appointed by royal decree, on the
proposal of Our Minister, for a six-year term. The other two
members and the special members shall be appointed by royal
decree, on the proposal of Our Minister, for a four-year term.
The members may be reappointed immediately thereafter. At
their own request, they are discharged by the Minister of
Justice.
4. An
advisory board has been established with the task to advise
the Commission on general aspects of the protection of
personal data. The members shall be drawn from the various
sectors of society and shall be appointed by Our Minister, on
the proposal of the Commission.
The term of
office and payment of expenses shall be laid down by general
administrative regulation.
Article 54
1.
Members shall be discharged by royal decree, on the proposal
of Our Minister, with effect from the first month following
that in which they reach the age of sixty-five.
2. Article
11, with the exception of (d)(3º), and Articles 12, 12a, 13,
13a with the exception of (5), and 13b of the Judicature Act
are likewise applicable.
Article 55
1. The
chairperson and the two other members shall receive
remuneration for their work. The special members shall receive
a session fee. In all other matters, their legal position
shall be governed by general administrative regulation.
2. The
chairperson and the two other members may not carry out any
other remunerated work where the nature or scale of this work
is incompatible with the work for the Commission, without the
authorisation of Our Minister.
Article 56
1. The
Commission has a secretariat, of which the officials are
appointed, suspended and discharged by Our Minister, on the
proposal of the chairperson.
2. The
chairperson shall direct the work of the Commission and the
secretariat.
3. The
Commission shall adopt rules of procedure. These rules shall
in any case include provisions relating to the financial
management and administrative organisation of the Commission,
as well as to working methods and procedures with a view to a
proper and careful discharge of its various tasks. The rules
shall provide guarantees against the mixing of the
supervisory, advisory and enforcement tasks of the Commission.
They may also give more detailed provisions for the advisory
board referred to in Article 53(4).
4. The rules
and any modifications thereto shall be sent to Our Minister as
quickly as possible and require his or her approval.
Article 57
1. The
Commission is represented by the chairperson and the two other
members or by one of these persons.
2. The
members shall allocate responsibilities among them and involve
the special members therein as much as possible.
Article 58
The
Commission shall produce an annual report before September on
the activities, policy pursued in general and the
effectiveness and efficiency of its mode of operation in
particular during the preceding calendar year. The report
shall be sent to Our Minister and to the data protection
officers referred to in Article 62 and made available to the
general public.
Article 59
1. The
Commission shall provide to Our Minister, upon request, the
information necessary to the performance of his or her duties.
Our Minister may require business data and records for
inspection, where this is necessary to the performance of his
or her duties.
2. The
provisions of (1) do not apply where the Commission has
obtained the information from third parties on condition that
it is kept confidential.
Article 60
1. The
Commission, acting in an official capacity or at the request
of an interested party, may initiate an investigation into the
manner in which the provisions laid down by or under the Act
are being applied with respect to the processing of data.
2. The
Commission shall present its provisional findings to the
responsible party or the group of responsible parties
concerned, and allow them to give their views. The Commission
shall present these findings also to Our Minister concerned,
where they relate to the implementation of any law.
3. In the
case of an investigation initiated at the request of an
interested party, the Commission shall inform the said party
of its findings, unless providing such information would be
incompatible with the purpose of the data processing or the
nature of the personal data, or unless important interests of
parties other than the requester, including the responsible
party, would sustain disproportionate harm as a consequence.
In the event that the Commission does not inform the
interested party of its findings, it shall send the said party
such information as it deems appropriate.
Article 61
1.
Responsibility for the supervision of compliance referred to
in Article 51(1) lies with the members and special members of
the Commission, the officials of the Commission secretariat
and the persons designated by decision of the Commission.
2. The
persons referred to under (1) are authorised to enter a
residence without the consent of the resident.
3. The
persons referred to under (1) require the express and special
authority of the Commission for the purposes of exercising the
powers defined under (2), without prejudice to Article 2 of
the General Entry Act
(Algemene wet op het
binnentreden).
4. The
Commission is authorised to apply administrative measures of
constraint pursuant to Article 5:20(1) of the General
Administrative Regulations Act, provided that this concerns
the obligation to provide assistance to an official designated
by or under (1).
5. No appeal is possible on
the grounds of a confidentiality obligation, where information
or assistance is required in connection with the involvement
of the person concerned in the processing of personal data.
6. Upon
request, the Commission shall provide every assistance to the
supervisory authorities of the other member states of the
European Union, where this is necessary for the performance of
their work.
Section 2.
The data protection officer
Article 62
A
responsible party or an organisation to which responsible
parties are affiliated may appoint its own data protection
officer, without prejudice to the responsibilities of the
Commission under Chapters 9 and 10 of this Act.
Article 63
1. The
only persons who may be appointed as officers are natural
persons who possess adequate knowledge for performing their
duties and can be regarded as sufficiently reliable.
2. With
respect to the performance of their duties, officers may not
receive any instructions from the responsible party or
organisation which appointed them. They shall sustain no
disadvantage as a consequence of performing their duties.
Responsible parties shall give officers the opportunity to
perform their duties properly.
3. Officers
shall take up their duties only after the responsible party or
organisation which appointed them has registered them with the
Commission. The Commission shall maintain an up-to-date list
of registered officers.
4. Officers
have an obligation to treat as confidential any information
disclosed to them in connection with a complaint or request by
data subjects, unless the said data subjects have given their
consent thereto.
5. Officers
shall produce an annual report on their activities and
findings.
Article 64
1.
Officers shall supervise the processing of personal data in
accordance with the provisions laid down by and under the Act.
This supervision shall cover the processing of personal data
by the responsible party who has appointed them or by the
responsible parties affiliated to the organisation which
appointed them.
2. Where a
code of conduct drawn up under Article 25 applies to the
processing, the supervision also covers compliance with this
code.
3. The
responsible party or organisation referred to under (1) shall
make sure that officers have the authority to perform their
duties which is equivalent to that provided for in Section 5.2
of the General Administrative Regulations Act.
4. Officers
may submit recommendations to the responsible party with a
view to improving the protection of the data being processed.
In case of doubt, they shall consult the Commission.
CHAPTER 10.
SANCTIONS
Section 1.
Administrative measures of constraint
Article 65
The
Commission is authorised to apply administrative measures of
constraint pursuant to the obligations laid down by or under
this Act.
Section 2.
Administrative fines
Article 66
1. In the
event that responsible parties act in contravention of the
provisions laid down by or under Article 27 or 28, the
Commission may require them to pay an administrative fine of a
maximum amount of ten thousand Dutch guilders.
2. The
Commission shall not impose a fine where responsible parties
give a reasonable explanation as to why they cannot be
regarded as responsible for the infringement.
3. When
deciding the amount of the fine, the Commission shall in any
case take into account the seriousness and duration of the
infringement.
4. The work
carried out pursuant to Articles 69 and 70 shall be performed
by persons who were not involved in drafting the report and
associated prior investigation referred to in Article 67(1).
5. The
authority to impose fines lapses in the event that, with
respect to the infringement on which basis the fine can be
imposed, criminal proceedings have been initiated against the
infringing party and the investigation by the court has been
commenced or the right to pursue criminal proceedings has
lapsed under Article 74 of the Code of Criminal Procedure.
Article 67
1. In the
event that the Commission establishes that an infringement
referred to in Article 66(1) has been committed and that a
fine needs to be imposed for this reason, the Commission shall
draw up a report.
2. The report
shall in any case state the following particulars:
a. the
infringement, with reference to the corresponding legal
provision;
b. the designation of the place and time at which the
infringement was committed;
c. the facts and circumstances on which basis it was
established that an infringement has been committed.
3. A copy of
the report shall be sent to the responsible party referred to
in Article 66(1).
4. At the
request of responsible parties who have not understood this
report sufficiently owing to an imperfect knowledge of the
Dutch language, the Commission shall make every possible
effort to ensure that the content of the report is
communicated to the said parties in a language which they
understand.
Article 68
Responsible parties in respect of whom acts have been carried
out for which they can reasonably conclude that a fine will be
imposed on them for an infringement, shall not be required to
make any statement in relation thereto. The responsible
parties shall be informed thereof prior to an oral request for
information being submitted to them.
Article 69
1.
Notwithstanding Section 4.1.2 of the General Administrative
Regulations Act, the Commission shall give the responsible
parties referred to in Article 66(1) the opportunity to put
forward their views in writing or orally, at their choice,
within a reasonable period of time.
2. In the
case that responsible parties referred to in Article 66(1)
wish to put forward their views and do not have sufficient
understanding of the Dutch language, upon the request of the
responsible parties, the Commission shall see to it that an
interpreter is appointed who can assist the said parties,
unless it can reasonably be assumed that this is not
necessary.
Article 70
1. Fines
shall be imposed by decision of the Commission.
2. The
decision shall in all cases state the following:
a. the sum of
money to be paid;
b. the infringement for which the fine has been imposed, with
reference to the corresponding legal provision;
c. the particulars referred to in Article 67(2)(b) and (c).
3. At the
request of responsible parties who have not understood the
decision sufficiently owing to an imperfect knowledge of the
Dutch language, the Commission shall make every possible
effort to ensure that the content of the decision is
communicated to the said parties in a language which they
understand.
Article 71
Decisions
taken under Article 70 shall be inoperative until the deadline
for making objections has expired or, where an objection has
been made, until a decision has been taken on the objection.
Article 72
The
authority to impose a fine lapses five years after the
infringement has been committed.
Article 73
1. A fine
shall be payable within six weeks of the decision imposing the
fine entering into force.
2. Where
fines have not been paid within the time limit stipulated
under (1), the parties owing the fines shall be sent notice in
writing to pay the amount of the fine, plus the costs of the
notice to pay, within two weeks.
3. Where
payment is not made within the time limit stipulated under
(2), the Commission can issue an order to pay the fine owing,
plus the costs of the notice to pay and order to pay.
4. Orders to
pay shall be served by bailiff's writ, at the expense of the
persons owing the fines, and shall be enforceable within the
meaning of the Second Book of the Code of Civil Procedure.
5. For six
weeks following the day on which the writ is served,
objections to the order to pay may be made by a writ against
the State.
6. The
objection has the effect of suspending execution. At the
request of the State, the courts may cancel the suspension of
execution.
Article 74
Our Minister
may decide on policy provisions governing the execution of the
powers of the Commission to impose fines.
Section 3.
Penal sanctions
Article 75
1.
Responsible parties who act in contravention of the provisions
laid down by or under Articles 4(3), 27, 28 or 78(2)(a), shall
be punished with a fine coming under the second category.
2.
Responsible parties who deliberately commit an offence
referred to under (1) shall be punished with a prison sentence
for a maximum of six months or a fine coming under the third
category.
3. The
punishable offences under (1) are petty offences. The
punishable offences under (2) are indictable offences.
4. Besides
the officials designated by or under Article 141 of the Code
of Criminal Procedure, the officials from the secretariat of
the Commission designated for this purpose by Our Minister are
also responsible for detecting the offences defined in this
article.
5. The right
to pursue criminal proceedings lapses where the Commission has
already imposed a fine.
CHAPTER 11.
TRANSFER OF DATA TO COUNTRIES OUTSIDE THE EUROPEAN UNION
Article 76
1.
Personal data which are subject to processing or intended for
processing after they have been transferred, shall only be
transferred to a country outside the European Union in the
case that, without prejudice to compliance with the provisions
of this Act, that country guarantees an adequate level of
protection.
2. An
assessment of the adequacy of the level of protection shall
take account of the circumstances affecting a data transfer
operation or a category of data transfer operations. Account
shall be taken in particular of the type of data, the purpose
or purposes and the duration of the planned processing or
processing operations, the country of origin and country of
final destination, the general and sectoral legal provisions
applying in the non-member country concerned, as well as the
rules governing the business sector and security rules
applying in these countries.
Article 77
1.
Notwithstanding Article 76, an operation or category of
operations to transfer personal data to a non-member country
which does not provide guarantees for an adequate level of
protection may take place, provided that:
a. the data
subjects have unambiguously given their consent thereto,
b. the transfer is necessary for the performance of a contract
between the data subjects and the responsible parties, or for
actions to be carried out at the request of the data subjects
and which are necessary for the conclusion of a contract;
c. the transfer is necessary for the conclusion or performance
of a contract concluded or to be concluded between responsible
parties and third parties in the interests of data subjects;
d. the transfer is necessary on account of an important public
interest, or for the establishment, exercise or defence in law
of any right;
e. the transfer is necessary to protect a vital interest of
data subjects, or
f. the transfer is carried out from a public register set up
by law or from a register which can be consulted by anyone or
by any persons who can invoke a legitimate interest, provided
that in the case concerned the legal requirements for
consultation are met.
2.
Notwithstanding the provisions under (1), Our Minister, after
consulting the Data Protection Commission, may issue a permit
for a personal data transfer or category of transfers to a
non-member country that does not provide guarantees for an
adequate level of protection. Attaching to this permit are the
more detailed rules required to protect the individual privacy
and fundamental rights and freedoms of persons and to
guarantee implementation of the associated rights.
Article 78
1. Our
Minister shall notify the Commission of the European
Communities of:
a. the cases
in which, in his or her opinion, a non-member country does not
provide guarantees for an adequate level of protection within
the meaning of Article 76(1), and
b. a permit,
as referred to in Article 77(2).
2. Where this
follows from a decision of the Commission of the European
Communities or the Council of the European Union, Our Minister
shall lay down by ministerial ruling or by decision that:
a. the transfer
to a country outside the European Union is prohibited;
b. a country outside the Union is considered to guarantee an
adequate level of protection, or
c. a permit issued under Article 77(2) is withdrawn or modified.
3. The
notifications referred to under (1)(a) and (b) shall be
published in the Official Gazette.
CHAPTER 12.
TRANSITIONAL AND FINAL PROVISIONS
Article 79
1. Within
one year of the entry into force of this Act, processing which
was already taking place at that moment shall be brought into
conformity with this Act and shall be notified to the
Commission or officer as referred to in Article 27. The time
limit referred to in the first sentence may be extended by
general administrative regulation to a maximum of three years
with respect to the notification requirement.
2. A time
limit of three years shall apply to the modification of
processing of special data to comply with Section 2 of Chapter
2, it being understood that it is not necessary to make
another request for the consent referred to in Article
23(1)(a) with respect to processing which has already taken
place and which is necessary for the performance of contracts
made prior to the date of entry into force of this Act.
3. Article
32(2) shall not apply to processing referred to in Article
31(1) and (3), which was already taking place at the moment of
the entry into force of the Act, or as the case may be, of the
Act or the general administrative regulation applying to such
processing.
Article 80
Within
five years of the entry into force of this Act, Our Ministers
of Justice and of the Interior and Kingdom Relations shall
send a report to Parliament on the effectiveness and effects
of this Act in practice.
Article 81
The Registration of Persons Act (Wet persoonsregistraties) is
repealed.
Article 82
This Act
shall enter into force on a date to be laid down by royal
decree.
Article 83
This Act shall be designated: Personal Data Protection Act
(Wet bescherming persoonsgegevens).
It is hereby ordered that this Act shall be published in the
Official Gazette and that all ministries,
authorities, bodies and officials whom it may concern shall
ensure that it is implemented scrupulously.
Done
The Minister of Justice,
The Minister for the Major Cities and Integration Policy