The
Personal Data Protection Act (Wet
bescherming persoonsgegevens), hereafter “the Act”,
entered into force on 1 September 2001. The Act implements
Directive 95/46/EC of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and
on the free movement of such data (OJ 1995 L 281/31)
and replaces the Registration of Persons Act (Wet
persoonsregistraties). This note will give an overview of
the most significant provisions of the Act.
Data Processing
The Act focuses on the
processing of personal data – defined as “any information
relating to an identified or identifiable natural person” –
whereas the previous Act concentrated on the registration of
personal data. The term 'processing' applies to the entire
processing chain and means “any (set of) operation(s)
concerning personal data”. This includes inter alia the
collection, recording, storage, modification, retrieval, use,
dissemination by means of transmission, distribution or making
available in any other form, merging, linking, blocking,
erasure or destruction of data. Printing data and sending data
by fax or e-mail now fall under the term processing, thereby
broadening the scope of the Act.
While the previous Act was
primarily aimed at the holder, this Act is directed at the
responsible party and, to a lesser extent, the processor. In
order to determine the responsible party, it should be decided
who has the legal authority to determine the purposes and
means of the processing.
The Act – which makes no
distinction between processing by public authorities or by
private parties – determines that personal data shall be
processed in accordance with the law, in a proper and careful
manner and shall be collected for specific, explicitly defined
and legitimate purposes only. Personal data may only be
processed under a few conditions, of which the most important
are:
(a) the data subject (the
person whose personal data are processed) has unambiguously
consented to the processing;
(b) the processing is
necessary for the performance of a contract to which the
data subject is party; and
(c) the processing is
necessary in order to comply with a legal obligation to
which the responsible party is subject.
These data may only
be further processed in a way compatible with the purposes
for which they have been obtained and may not be kept in a
form which allows the data subject to be identified for any
longer than is necessary for achieving the purposes.
Furthermore, personal data may only be processed where they
are adequate, relevant and not excessive.
The rules and conditions for
the processing of special personal data – formerly sensitive
data – have been tightened. Special data are data concerning a
person's religion, race, political persuasion, health and
sexual life, or data concerning trade union membership and
data about criminal behaviour. These data may only be
processed in a concretely defined interest or important public
interest.
Obligations of Responsible Party
The responsible party has to
take the necessary steps to ensure that personal data are
correct and accurate and is obligated to implement appropriate
technical and organisational measures to secure personal data
against loss or against any form of unlawful processing. The
obligation of the responsible party to provide the data
subject with information on the processing has been extended.
Before obtaining personal data from a data subject, the
responsible party must inform him about its identity and the
purposes of the processing.
Where personal data are not
obtained from the data subject, the responsible party will
provide the data subject with this information, unless the
data subject is already aware of this information. Under the
previous Act, the holder did not have to inform the data
subject if he could reasonably have been informed. The
responsible party is exempted from this duty if either it
appears to be impossible, or would involve a disproportionate
effort to provide the data subject with this information, or
where this is necessary for instance in the interests of State
security or the prevention, detection and prosecution of
criminal offences.
Rights of Data Subject
The data subject has been
granted a number of rights. He has the right, freely and at
reasonable intervals, to request the responsible party to
inform him as to whether personal data relating to him are
being processed. He may request the responsible party to
correct, delete or block data if these are factually
inaccurate, incomplete or irrelevant to the purpose of the
processing, or are being processed in any other way which
infringes a legal provision. In addition to this, the data
subject has been assigned the right to object, if he can
demonstrate a justified individual interest. The responsible
party has to end the processing if he feels the objection is
justified. If personal data are collected and processed for
direct marketing purposes, the data subject has the right to
object without any cost.
Fair Compensation
Within the scope of legal
protection, the Act determines that for harm that does not
comprise damage to property, the injured party has the right
to fair compensation. The responsible party is liable for harm
resulting from non-compliance with the Act. Processors are
liable for this harm when it is incurred as a result of their
actions. The strict liability for unlawful processing of
personal data has been mitigated. Responsible parties or
processors may be exempted from liability if they can prove
that the harm cannot be attributed to them. This provision is
more flexible than the previous Act.
Powers of Data Protection Commission
The powers of the independent
Data Protection Commission (College
bescherming persoonsgegevens) – formerly the
Registration Chamber (Registratiekamer) – have been
extended. The automated processing of personal data intended
to serve a specific purpose must be notified to the Commission
prior to the processing. The non-automated processing must be
notified where this is subject to a prior investigation. The
Commission will initiate an investigation prior to the
processing, if the processing carries a particular risk for
the individual rights and freedoms of the data subject. This
investigation is a judicial review of the lawfulness of the
processing. It regards, for instance, the processing of a
personal number, which identifies persons for a purpose other
than the one for which the number is specifically intended
with the aim of linking the data together with data processed
by other responsible parties, and the recording of data on the
basis of the responsible party's own observations without
informing the data subject thereof. The Commission maintains
an up-to-date, public register of the data processing of which
the Commission is notified.
The Commission has an
additional, more general, investigative power. The Commission,
acting ex officio or at the request of an interested
party, may initiate an investigation into the manner in which
provisions of the Act are being applied with respect to the
processing of data, especially if the personal data were
processed in accordance with the law and in a proper and
careful manner.
The (special) members of the
Commission, the officials of the Commission Secretariat and
the persons designated by decision of the Commission are
responsible for the supervision of compliance with provisions
of the Act. These persons are authorised to enter a residence
without the consent of the resident; however, the express and
special authority of the Commission is required for that
purpose.
The most significant
difference, however, is that the Commission is authorised to
apply administrative measures of constraint pursuant to the
obligations laid down by or under the Act and is authorised to
impose a fine of a maximum amount of NLG 10,000 when the
processing of data is not notified in advance. Under the Act,
Bills and draft texts of general administrative regulations
relating to the processing of personal data have to be
submitted to the Commission for advice.