Constitutional Right to Privacy
The right to privacy is embedded in Article 10 of the Dutch Constitution. This Article provides for a general right of protection of private life as well as an obligation to lay down rules on data protection. This Article must be interpreted in the light of Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the European Charter of Fundamental Rights of the European Union.
The GDPR
In the Netherlands, data protection is regulated by the General Data Protection Regulation (GDPR). The GDPR has applied since 25 May 2018 and regulates the processing of the personal data of individuals by imposing obligations on data controllers and data processors.
As a directly applicable regulation, the legal obligations contained in the GDPR have direct effect in the Netherlands without any national implementing measures. However, the GDPR contains a number of opening clauses that give EU member states discretion to specify in national law how certain provisions of the GDPR apply.
The Netherlands has introduced such specific derogations in Dutch law through the Dutch General Data Protection Regulation Implementation Act (the Implementation Act). The Implementation Act repealed the implementation act of the EU Data Protection Directive – the Dutch Data Protection Act. Aside from the enforcement regime set out in the GDPR, the Implementation Act provides for the possibility of an administrative enforcement order being imposed by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) to enforce obligations laid down by the Implementation Act.
The E-Privacy Directive and Sector-Specific Laws
The E-Privacy Directive 2002 (as amended in 2009) regulates, among other things, direct marketing by electronic means and the confidentiality of electronic communications. The E-Privacy Directive has been implemented through the Dutch Telecommunications Act, which also includes provisions on the use of cookies and similar techniques. The E-Privacy Directive is expected to be replaced by the E-Privacy Regulation within the next few years.
The collection and processing of personal data is also regulated by various specific laws and regulations and certain sector-specific laws.
The national data supervisory authority is the AP, which is charged with the supervision of the processing of personal data in accordance with the GDPR and the Implementation Act. The AP is competent to perform the tasks and exercise the powers set forth in Articles 57 and 58 of the GDPR. In addition, the Implementation Act provides for the possibility of an administrative enforcement order being imposed by the AP to enforce obligations laid down by the GDPR and the Implementation Act.
In general, the AP focuses on material violations. Priority is given to violations that have a major impact on privacy and to minor violations that affect many data subjects. If the AP finds minor violations, it will often first give a warning, provided the violator can demonstrate good faith and is prepared to improve (for example, by implementing new privacy procedures).
Enforcement Examples
In December 2021 the AP imposed a penalty of EUR2.75 million on the Dutch tax authority for its alleged discriminatory use of personal data. This is the highest penalty imposed by the AP so far. In November 2021, the AP imposed a penalty of EUR400,000 on Dutch airline Transavia for inadequate security of its processing which resulted in a data breach. In July 2021, the AP imposed a penalty of EUR750,000 on TikTok for violating the obligation to provide information on its processing using clear and plain language, by only providing its privacy statement in English, considering the age and vulnerability of its users (mostly children). Further examples are a penalty of EUR440,000 imposed on a Dutch hospital for taking insufficient measures to prevent unauthorised staff from accessing data concerning patients and their health, a penalty of EUR475,000 imposed on travel agency Booking.com for a failure to timely inform the AP of a data breach, and a penalty of EUR525,000 on Locatefamily.com for the absence of a GDPR representative in the EU (together with an administrative order subject to a penalty for non-compliance in remedying the breach). Some of these penalty decisions are still under appeal.
Areas of Focus for Enforcement
From time to time, the AP announces specific areas of focus. Data broking, digital government, artificial intelligence and algorithms are the focus points for the upcoming period until 2023. Moreover, the AP has expressed its concern over the dramatic increase in hacking, data theft and data breaches, and launched web forms for victims of data breaches.
The Dutch Authority for Consumers and Markets (Autoriteit Consument & Markt, or ACM) is charged with the supervision of the Telecommunications Act (direct marketing and cookies). For violations of the Telecommunications Act, the ACM may impose an administrative penalty of up to EUR900,000 per breach or 10% of the annual turnover of the company in breach (whichever is higher).
In general, the enforcement process starts with a suspicion or a complaint. The regulator can then decide to launch an investigation. The findings of this investigation are recorded in a report (called a statement of objections). The offender is given the opportunity to express their opinion in writing or orally. If the regulator decides to impose a penalty, it will lay down this penalty in a penalty decision. This decision will, in principle, be published on the website of the regulator.
Within six weeks after the penalty decision the offender can file an objection with the regulator. During the objection process, the interested parties are given the opportunity to be heard at an oral hearing. The regulator then renders a written decision. The offender can appeal this decision with the District Court and ultimately appeal the judgment of the District Court to either the Administrative High Court for Trade and Industry or the Administrative Jurisdiction Division of the Council of State.
The Netherlands belongs to the continental law tradition, in which statutory law is the primary legal source. Dutch privacy and data protection law is based on the same sources as Dutch law in general – law and other statutes, court practice, parliamentary history and established legal doctrine. Being a member of the EU, the legal framework for privacy and data protection law in the Netherlands is, to a significant and continuously growing extent, based on European and EU law.
There are several organisations that are committed to civil rights, privacy and consumer interests in the Netherlands. In 2021, several class actions were initiated by (mainly Dutch) privacy advocacy groups (see 2.5 Enforcement and Litigation).
The AP regularly investigates potential violations and often looks for an amicable solution. Generally, the AP either imposes a fine or an administrative order subject to a penalty for non-compliance; the latter allows a company to end its violation and so avoid a substantial fine (see 1.2 Regulators).
Over the course of the last couple of years, the focus on the GDPR has increased in the Netherlands, as well as the number of penalties imposed by the AP. There have been a significant number of GDPR-related court cases, mostly relating to the right to be forgotten, freedom of speech or right of access. Also, an increasing number of data subjects have initiated proceedings to claim (immaterial) damages resulting from a breach of the GDPR. In the past year, GDPR-related class actions have taken off. However, it is too early to determine whether or not such actions will be successful.
The next 12 months will be dominated by further enforcement by the AP, case law on the GDPR, debate over upcoming privacy-related legislation, including the E-Privacy Regulation, the Digital Services Act and the AI Regulation, and obviously international data transfers in the light of the Schrems II decision and further guidance issued in this respect by the European Data Protection Board (EDPB).
The general requirements that apply in the Netherlands derive from the GDPR and, to a certain degree, from the Implementation Act.
Data Protection Officers
According to Article 37 of the GDPR, the appointment of a data protection officer (DPO) in the private sector is required where an organisation’s core activities involve:
The EDPB, which consists of representatives of the European data protection authorities and the European Data Protection Supervisor and succeeded the Article 29 Working Party (Art29WP), has endorsed the Art29WP guideline on DPOs (WP 243). In this guideline, the criteria for mandatory designation, the position and the tasks of the DPO are elaborated.
In 2021, the AP published further, practical guidance for data protection officers on its website, in the document “Positioning of the data protection officer. Starting points: roles, processes and responsibilities”.
The GDPR requires an organisation to publish the contact details of the DPO and to communicate these to the AP. To notify the AP, organisations should send an email to fg@autoriteitpersoonsgegevens.nl. The AP answers specific (administrative) questions of registered DPOs and sends a quarterly newsletter to DPOs.
Lawful Processing
The criteria for the lawfulness of processing are included in Article 6 of the GDPR. Apart from obtaining consent, personal (non-sensitive) data can be processed based on a number of grounds, such as the performance of a contract or for upholding legitimate interests.
Privacy by Design/Default
The principles of “privacy by design” and “privacy by default” (a requirement to put appropriate technical and organisational measures, such as pseudonymisation, in place to implement the data protection principles and safeguard individual rights) have been included in Article 25 of the GDPR.
The EDPB has published guidelines on Article 25 (4/2019). In these guidelines, it advises taking into account the state of the art; the cost of implementation; the nature, scope, context and purposes of the processing; and the likelihood and severity of the risks to data subjects when applying these principles.
Data Protection Impact Assessments
Under Article 35 of the GDPR, controllers are obliged to carry out a data protection impact assessment (DPIA) where their processing is likely to result in a high risk to individuals. The AP has created a DPIA checklist. Also, the AP has published a list of processing operations that require a DPIA. On this list are processing activities such as covert research, blacklists, credit scoring, monitoring employees, communication and location data and profiling.
Controllers must check whether their intended type of processing is on the list of processing operations that require a DPIA.
If the intended processing is not on the list, controllers need to assess the risk. The AP refers to the nine criteria set out by the European data protection authorities. As a rule of thumb, a controller has to perform a DPIA if the processing meets two or more of the nine criteria such as evaluation or scoring, systematic monitoring, matching or combining datasets or innovative use of data.
If the intended data processing strongly resembles a type of data processing for which a DPIA has already been performed, there is no need for a DPIA with regard to the intended data processing.
Privacy Policies
The implementation of privacy policies also assists organisations in meeting the principle of accountability (Article 5(2) of the GDPR). In addition, it is the controller’s responsibility to implement appropriate data protection policies, proportionate in relation to processing activities (Article 24(2) of the GDPR).
Article 12 of the GDPR requires that information in privacy policies should be provided using clear and plain language, in particular for any information addressed specifically to a child. In 2021, the AP imposed a penalty of EUR750,000 on TikTok for violating this information obligation by only providing its privacy statement in English, and not in Dutch, considering the age and vulnerability of its users (mostly children).
Data Subject Access Rights
The GDPR grants data subjects a number of rights under Articles 13–22, including the right of access.
Based on the Implementation Act, the controller may refrain from applying the access right, insofar as this is necessary and proportionate to safeguard – amongst other things – national security, public security and the enforcement of civil law claims.
In 2022, the EDPB published a consultation version of its Guidelines on data subject rights – Right of access (01/2022) to provide further guidance on the application of the access right.
Anonymisation and Pseudonymisation
The GDPR does not apply to anonymous data, as this data does not relate to an identified or identifiable individual. Pseudonymised data can still be attributed to an individual with the use of additional information (such as a key or a lookup table), and therefore the GDPR applies to the processing of pseudonymised data. Pseudonymisation is, however, an appropriate measure to ensure an appropriate level of security (Article 32(1)(a)).
Automated Decision-Making
Article 40 of the Implementation Act stipulates that Article 22(1) of the GDPR – regarding automated individual decision-making – does not apply if the automated individual decision-making, other than based on profiling, is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out for reasons of public interest. If this exception applies, the controller must take appropriate measures to safeguard the data subject’s rights, freedoms and legitimate interest. If the controller is not an administrative body, the appropriate measures should in any case have been taken if the right to obtain human intervention, the data subject’s right to express their point of view and the right to contest the decision have been safeguarded.
Compensation
Any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. Under Dutch law, financial loss and other disadvantages can be compensated. Other disadvantages may include immaterial or emotional damage. Normally, damage will be calculated in monetary form.
The concept of injury and harm may also play a role in the determination of the amount of a penalty by the AP.
Sensitive Data
The GDPR indicates a special category of personal data that, by its nature, merits higher protection as the context of its processing could create significant risks to fundamental rights and freedoms.
This special category of personal data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. Personal data relating to criminal convictions and offences, or related security measures, is not considered a special category of personal data, but there are specific rules for processing this type of data.
In addition to the exceptions for processing this special category of data mentioned in the GDPR, the Implementation Act provides for a number of exceptions.
In addition to the various types of sensitive data mentioned in the GDPR, the AP also treats other data as sensitive, such as financial data, location data, behavioural data and communications data. Moreover, data relating to criminal convictions and offences is treated in the same way as sensitive data by the AP.
Financial Data
Although financial information does not, as such, qualify as sensitive data in the GDPR, information about someone’s financial details will nonetheless probably be treated as sensitive data by the AP. The code of conduct for financial institutions, which is binding for almost all Dutch financial institutions, gives important guidance on the use of personal data, even though the formal approval of this code from the AP has lapsed.
Health Data
The GDPR defines data concerning health as personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about their health status. Health data may be processed, inter alia, if necessary to protect the vital interest of the data subject, for the purpose of medical diagnosis, for reasons of public interest in the area of public health and for scientific purposes. The Implementation Act provides for additional exceptions for administrative bodies, pension funds and employers, for schools, institutions of rehabilitation, healthcare providers and insurers.
Due to the COVID-19 pandemic, health data has been a hot topic in recent years. The AP imposed an order subject to a penalty on Dutch health insurance company CZ in 2020 relating to its processing of health data, and investigated the security measures taken to protect health data by the Dutch public health service.
Online Data
The AP and EDPB consider personal data regarding online behaviour to qualify as sensitive data. This type of data reveals a lot about the user. For example, communication, browsing, viewing and location data, cookies (see The Dutch Telecommunications Act section of 2.3 Online Marketing), tracking technologies and targeted advertising can all be traced back directly to the subject’s private life. Another problematic feature is the limited liability of intermediaries for user-generated content on social media, search engines and other large online platforms. Although these platforms make it extremely easy to share another person’s data, the intermediary is normally not liable for that content. The same goes for hate speech, disinformation, (terrorist) propaganda or abusive material. New challenges are also arising in the form of “deep fakes”.
Data Subject Rights
The GDPR provides certain rights for individuals whose personal data is being used (data subjects).
Under the GDPR, individuals can exercise:
The scope of some of these rights, including the access and correction rights and the right to be forgotten, is often subject to litigation in the Netherlands.
Legislation
The GDPR
Based on Recital (47) of the GDPR, the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. Direct marketing generally refers to any form of advertising by which a natural or legal person sends direct marketing communications directly to one or more identified or identifiable end users using electronic communications services. In addition to the offering of products and services for commercial purposes, this also includes messages sent by political parties and other non-profit organisations to support the purpose of the organisation.
Where personal data is processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
General rules for direct marketing may be found in the GDPR. The data subject has a right to object to the processing of their personal data for direct marketing purposes, without any justification being necessary. Furthermore, the data subject must be informed of their right to object to any direct marketing communication.
The E-Privacy Directive
With regard to direct marketing by means of telecommunications and the use of cookies and similar techniques, the Dutch Telecommunications Act provides for detailed regulation via the implementation of the E-Privacy Directive. The Directive will be replaced by the E-Privacy Regulation within the next few years.
The Dutch Telecommunications Act
The Dutch Telecommunications Act provides for an opt-in regime (one that basically requires consent) for marketing via email, SMS and similar techniques. Sending unsolicited communications to customers by a data controller is allowed when the contact details have been obtained in the context of the sale of a product or a service; the message relates to its own similar products or services; and the customer has been given an opportunity to object, free of charge and in an easy manner. If the customer does not object to the initial collection of its electronic contact details, the customer should be given the possibility to object in each message sent.
Specific rules apply to promotional telephone calls. These rules provide for an opt-out regime, but require a mandatory check of the do-not-call register. The Dutch government has adopted a legislative proposal to replace the opt-out regime with an opt-in regime. An exception will be made for promotional telephone calls to existing customers.
The Dutch Telecommunications Act also provides for rules regarding the use of cookies and similar techniques. In general, the use of cookies that are strictly necessary to provide the requested service, to carry out the transmission of an electronic communication over an electronic communications network, or to gather information on the quality or effectiveness of the service provided – with no, or only minor, consequences for the end user’s privacy – is allowed. However, the use of other cookies – such as tracking cookies, cookies for behavioural targeting and device fingerprinting – requires consent, and end users need to be informed properly and in advance in order to give that consent.
Regulation
The AP has published on its website various opinions, inter alia, on direct marketing (most recently in October 2018), on the concept of legitimate interest (November 2019) and on the use of cookies (most recently in December 2019). In 2015, the AP investigated Wi-Fi tracking technology in shops and on public roads provided by Bluetrace. In short, the AP decided that, by way of Wi-Fi tracking, unique MAC addresses of mobile devices were being collected that – combined with information concerning location, date and time of registration – constituted personal data. It even involved the processing of personal data of a sensitive nature, ie, the location data of individuals. Hashing the MAC addresses does not mean that they are no longer personal data: the hash is deterministic, so the same device yields the same value every time, and the input space is small enough to be enumerated.
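The following is an added example, not part of the original guide and not the Bluetrace or AP's code, that shows why the hashing finding above holds and illustrates the pseudonymisation point made earlier under Anonymisation and Pseudonymisation. A MAC address is six bytes; the first three (the OUI) are vendor prefixes published in the IEEE registry, so a tracker's plain SHA-256 of a MAC can be reversed by enumerating at most 2^24 suffixes per vendor prefix. A keyed HMAC with a secret, rotated key removes that attack for anyone without the key, but the key holder can still link records to a device, which is exactly why such data is pseudonymised rather than anonymous. The OUI, MAC addresses and keys below are constructed for illustration.

```python
"""Hashed MAC addresses: why an unsalted hash is still personal data."""
import hashlib
import hmac
import secrets

# Constructed for this example: a vendor prefix (OUI). Real OUIs are public,
# so an attacker knows which 2^24 device suffixes to try for each vendor.
EXAMPLE_OUI = "00:1A:2B"


def mac_to_bytes(mac: str) -> bytes:
    """Parse 'AA:BB:CC:DD:EE:FF' (or a 3-octet OUI) into raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def naive_hash(mac: str) -> str:
    """Unsalted SHA-256 of the MAC, as a tracker might store it in a log."""
    return hashlib.sha256(mac_to_bytes(mac)).hexdigest()


def reverse_naive_hash(target_hex: str, oui: str, limit: int = 1 << 24):
    """Recover the MAC behind an unsalted hash by enumerating the device
    suffixes under a known OUI. Worst case is 16.7M SHA-256 calls, which is
    seconds on a laptop, so this is re-identification, not anonymisation.
    Returns the MAC string, or None if it is not found within `limit`."""
    prefix = mac_to_bytes(oui)
    for suffix in range(limit):
        candidate = prefix + suffix.to_bytes(3, "big")
        if hashlib.sha256(candidate).hexdigest() == target_hex:
            return bytes_to_mac(candidate)
    return None


def keyed_pseudonym(mac: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key, brute force over the
    MAC space is useless; with the key, the operator can still link visits of
    the same device, so the output is pseudonymous personal data."""
    return hmac.new(key, mac_to_bytes(mac), hashlib.sha256).hexdigest()


def new_rotation_key() -> bytes:
    """A fresh key per rotation period: pseudonyms from different periods
    cannot be joined, which limits how long any one device can be tracked."""
    return secrets.token_bytes(32)


def linkable_across_keys(mac: str, key_a: bytes, key_b: bytes) -> bool:
    """True only if the two key periods produce the same pseudonym."""
    return keyed_pseudonym(mac, key_a) == keyed_pseudonym(mac, key_b)


if __name__ == "__main__":
    device = "00:1A:2B:00:04:D2"  # constructed sample MAC under EXAMPLE_OUI
    stored = naive_hash(device)
    print("stored hash:", stored)
    print("recovered  :", reverse_naive_hash(stored, EXAMPLE_OUI))
    k1, k2 = new_rotation_key(), new_rotation_key()
    print("same pseudonym across rotations:", linkable_across_keys(device, k1, k2))
```

Run stand-alone, the script recovers the sample MAC from its plain hash within a few thousand iterations and shows that two rotation keys yield unlinkable pseudonyms. Note that the keyed scheme is a security measure in the sense of Article 32, not a route out of the GDPR: whoever controls the key can still single out the device.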
In December 2019, the AP decided that a staggering amount – 50% – of a randomly selected group of websites incorrectly gained permission from their users. In its position on the use of tracking cookies, the AP states that there is no valid consent in a situation where the user of a website must deselect a pre-ticked checkbox to refuse their consent. In addition, the AP concluded that no valid consent is given if a website only informs the website visitor that “by continuing to use this website you agree to the use of tracking cookies”.
In its position on direct marketing, the AP stresses that – despite Recital 47 of the GDPR – in most cases data controllers cannot rely on a legitimate interest when processing personal data for direct marketing purposes, rather processing should be based on consent. However, the court in the VoetbalTV case ruled that this interpretation by the AP was too strict.
Workplace privacy is protected by several laws and regulations. The GDPR applies to the workplace. The right to privacy of employees in the Netherlands is furthermore recognised under the European Convention for the Protection of Human Rights. The general principles of fair employment practices of the Dutch Civil Code also protect the privacy rights of employees to some extent. The Works Council Act contains the legal framework for works council involvement in certain privacy issues.
Employee-Communication Monitoring
Since the worldwide outbreak of the COVID-19 pandemic, the majority of employees have shifted to working from home. According to the guidelines of the AP, monitoring of internet and email usage of employees is allowed, provided some safeguards are taken, including:
Courts take this framework as their starting point to assess whether monitoring is lawful. If these criteria are strictly met, the employer is allowed to monitor their employees to a certain degree.
Works Councils
Works councils have an active role with respect to workplace privacy, regulated in the Works Council Act. The Act requires companies that have a works council to:
Persons from other jurisdictions sometimes underestimate the impact of Dutch works council practices. There are various examples of cases where works councils have gone to court to enforce their rights, also with respect to workplace privacy (such as the works councils of Omron and Apple Retail). The basic rule is that the (legal) costs of a works council are borne by the employer.
Whistle-Blowing
The Act on the House for Whistle-Blowers allows (former) employees to report suspected wrongdoing at work, or wrongdoing that the employee came across as a result of their work. The Act requires every company with more than 50 employees to have a whistle-blowing policy. Employees may report to the House for Whistle-Blowers, a government agency that can further investigate the reported wrongdoing. An investigation may lead to a report. According to the Civil Code, an employer may not retaliate against an employee who has reported wrongdoing in accordance with the Act on the House for Whistle-Blowers.
Current Dutch law is not compliant with Directive 2019/1937/EU, which should have been implemented by 17 December 2021. Whistle-blower protection, for example, is currently only offered to employees, the possibility of seeking publicity is currently not addressed and the shifted burden of proof requires implementation. A proposal to amend legislation is currently discussed and is expected to be adopted mid-2022.
The Art29WP has given guidance on the processing of personal data in the context of whistle-blowing (WP 117). In this opinion, the Art29WP acknowledges that, in general, companies can have a legitimate interest in operating a whistle-blower hotline. Although this opinion is not explicitly endorsed by the EDPB in Endorsement 1/2018, it may still serve as useful guidance on the matter.
Other Workplace Privacy Issues
As well as the foregoing, there are a couple of other issues relating to workplace privacy.
On its website, the AP offers FAQ relating to workplace privacy. Amongst others, the AP gives guidance on internet research regarding job applicants (generally accepted) and retention periods of CVs (four weeks).
E-discovery is not a known concept under Dutch law.
Regulators must act in accordance with the principles of proper public administration, which, inter alia, means they must act fairly and proportionately, may not discriminate and should treat citizens equally. If regulators fail to comply, the Dutch courts will hold that against them.
Enforcement Penalties
For violations of the GDPR, the AP may impose a penalty up to EUR20 million, or in the case of an undertaking, up to 4% of the organisation’s total worldwide annual turnover for the preceding financial year, whichever is higher.
In 2019 the AP issued guidelines in a Penalty Policy. The guidelines provide insight into how the AP will use its fining powers, in addition to the guidance given in the EDPB-endorsed guidelines on the application and setting of administrative fines for the purposes of the GDPR (WP253). This policy distinguishes between four categories of GDPR violation, depending on the nature and impact of the violation. For each category the AP has established a bandwidth, setting out the minimum and maximum penalty for a violation in that category. In addition, the AP has determined a default basic penalty amount for each category, which is used as a starting point and can be increased or decreased depending on the circumstances of the case. The basic penalties range from EUR100,000 for low-impact violations to EUR725,000 for violations in the highest category. It is noteworthy that the absolute maximum amount set for the highest category of infringements is limited to EUR1 million, which is considerably lower than the maximum amounts provided in the GDPR. However, the guidelines stress that the AP can increase the amount if the maximum amount would be “inappropriate” in a particular case.
For violations of the Telecommunications Act, the ACM may impose an administrative penalty of up to EUR900,000 per breach or 10% of the annual turnover of the company in breach (whichever is higher).
Both the AP and the ACM may impose an administrative enforcement order to enforce obligations laid down by the GDPR, Implementation Act or Telecommunications Act.
Leading Enforcement Cases
The leading enforcement case brought in the last 12 months is the case against the Dutch tax authority, discussed in 1.2 Regulators.
Private Litigation
Data protection issues are raised in private litigation on a regular basis, see 1.7 Key Developments. The normal standards of Dutch procedural law apply to private litigation for alleged privacy or data protection violations. For instance, courts should respect the right to a fair trial and the principle of an adversarial process.
A distinction can be made between different uses of data protection law in litigation; several of these uses are set out below.
Enforcement of data protection law rights (such as the right to access to personal information or the right to be forgotten)
As an example of this, the Dutch Supreme Court, in its judgment of 21 December 2018, sanctioned a lower court decision that the right of access to personal data under the regime of Directive 95/46/EC does not require the controller to provide access to the full documents containing the personal data. Another example is the judgment of the Court of Appeal of The Hague, dated 24 September 2019, in which a claim to be forgotten was denied.
Balancing of the human right of privacy against other rights, such as the freedom of speech
There is much case law regarding media coverage where persons (often celebrities) are featured against their will; an example is the case in which the name of a university professor was disclosed in a newspaper article about sexual harassment (Court of Appeal Arnhem-Leeuwarden, 17 December 2019). Another example is the case in which a lookalike of Formula One driver Max Verstappen appeared in an online advertisement for a supermarket (Court of Appeal Amsterdam, 2 June 2020).
Damage claims for privacy infringements
In 2021, a substantial number of damages cases were decided in court. Generally, the amounts awarded were not very high. The highest amount awarded in 2021 was EUR5,000 for immaterial damages. In this case of 6 April 2021, the Court of Appeal Arnhem-Leeuwarden ruled that the Dutch foundation SIN was liable to pay immaterial damages for unfairly blacklisting the claimant for years. In a case of 12 July 2021, the Court Rotterdam ordered the local municipality to pay EUR2,500 to a claimant for refusing to remove health data, which the municipality had been storing for a period of over ten years.
Litigation against the AP
An example of such litigation is the judgment of the Court Midden-Nederland, dated 23 November 2020, in a case between VoetbalTV and the AP. The AP suggested that commercial interests do not qualify as a legitimate interest to justify usage of personal data in terms of the GDPR, but the Court disagreed.
Class actions
Class actions are allowed, including to claim damages. Both the Dutch Civil Code and the Dutch General Administrative Law Act allow for class actions, which for instance could lead to a judgment declaring a certain processing unlawful. In 2021, several class actions were initiated by (mainly Dutch) privacy advocacy groups, including against Facebook, Oracle, Salesforce, TikTok and the Royal Marechaussee (the Dutch military police). The class action against Oracle and Salesforce was found to be inadmissible (Court Amsterdam, 29 December 2021).
The primary source with respect to law enforcement access to data for serious crimes is the Dutch Code of Criminal Procedure. Other relevant laws are the Police Data Act and the Judicial Data and Criminal Records Act. Furthermore, sector-specific regulators may have access under sector-specific legislation, such as the Competition Law Act.
For accessing means of communication and private homes, the general rule is that independent judicial approval is required.
It is generally believed that Dutch law enforcers and regulators obey legal restrictions to access to data. If personal data has been accessed without proper legal grounds, the basic rule is that the courts will ignore that data and may declare a certain investigation or prosecution unlawful.
The main laws applying to government access to data for intelligence, anti-terrorism or other national security purposes are:
For accessing means of communication and private homes, the general rule is that independent judicial approval is required, and that there must be a well-founded suspicion of a severe crime committed by the monitored person concerned.
The aforementioned secret services are supervised by the Review Committee for the Intelligence and Security Services (Commissie van Toezicht op de Inlichtingen en Veiligheidsdiensten, or CTIVD). As well as the CTIVD, the Dutch Intelligence Review Committee (Toetsingscommissie Inzet Bevoegdheden, or TIB) has been established to review the use of the specific or general powers of the secret services. As a basic rule, access to personal data requires prior approval of the responsible minister or the TIB.
It is generally believed that Dutch law enforcers and regulators obey legal restrictions regarding access to data. If personal data has been accessed without proper legal grounds, the basic rule is that courts will ignore such data and may declare a certain investigation or prosecution unlawful. The CTIVD actively supervises the secret services. For instance, it has published various progress reports regarding the introduction of the Intelligence and Security Services Act 2017.
There is no Dutch law that expressly allows an organisation to invoke a foreign government access request as a legitimate basis for the collection and transfer of personal data, except that the secret services or other governmental agencies may have certain rights to share data with foreign governmental agencies.
With respect to foreign government access requests, the basic rule is therefore, as follows from Article 6(3) of the GDPR, that an organisation may not invoke such a request as a legitimate basis to collect or transfer personal data. However, a foreign government access request may offer evidence that the processing can be based on the legitimate interests ground of Article 6(1) of the GDPR. In this respect, reference is made to the guidance on the processing of personal data in the context of whistle-blower hotlines that was issued by ArtWP29 (WP 117). Although this opinion is not explicitly endorsed by the EDPB in Endorsement 1/2018, it may still serve as useful guidance on this matter.
The main privacy issues that have arisen in the last few years have been in connection with government access to personal data, particularly access to bulk internet data by the secret services. The government wanted to introduce such access rights in the Intelligence and Security Services Act 2017. A referendum was held with respect to the draft of this Act, and the majority of voters expressed their criticism. Nonetheless the Act was adopted, although with some minor changes. Also, a new proposal for amendment of the Intelligence and Security Services Act 2017 is pending.
Under the applicable GDPR framework, international data transfers of personal information to countries outside the EU (or the EEA) are subject to restrictions.
International data transfers are subject to the mechanisms set out in the GDPR. For instance, it is permitted to transfer data to a country outside the EU (or EEA) if the transfer is based on binding corporate rules (BCRs) for intra-group transfers, updated standard contractual clauses, approved codes of conduct or approved certification mechanisms. BCRs are well established in the Netherlands, with some Dutch multinationals being pioneers in this respect. The AP has played an active role and the EDPB has adopted several documents in which guidance is given to companies wishing to implement BCRs. Another mechanism is the standard contractual clauses (SCCs). In July 2020, the Court of Justice of the European Union delivered its judgment in the Schrems II case. In this case the Privacy Shield framework between the EU and the US was invalidated. The SCCs remain a valid mechanism for data transfers (with possible additional safeguards) and have been updated drastically.
With the exception of the events set out in Article 46 of the GDPR (Transfers subject to appropriate safeguards), Dutch law does not require any government notifications or approvals to transfer data internationally.
Where a company wishes to implement BCRs for the international transfer of data, such BCRs need to be approved by the competent data protection authorities within the EU and the EDPB. Once BCRs are in place, no further authorisation from the AP is required.
There are no data localisation requirements, as such, in the Netherlands. However, companies should ensure that the international transfer of data does not restrict supervision by competent regulators, including the AP and financial regulators such as the Dutch National Bank (DNB) and the Financial Market Supervisor (AFM).
The DNB has provided guidance on cloud computing. It refers to the recommendations of the European Banking Authorities on outsourcing to cloud service providers (EBA/REC/2017/03).
In the Netherlands, there is no requirement to share software code or algorithms or similar technical details with the government.
An organisation collecting and transferring data in violation of the GDPR or Dutch law faces the risk of legal action against it. In practice, this often means an organisation has to choose which law it decides to violate. There is no “golden bullet” to solve this dilemma. As discussed in 3.3 Invoking Foreign Government Obligations, an organisation may argue that a foreign government data request adds weight to its argument that it has a legitimate interest for the data processing as defined by Article 6(1) of the GDPR.
The Netherlands does not have a tradition of blocking statutes in which the application of the law of other jurisdictions is hindered, and no such blocking statutes are active. On a European level, blocking statutes may be adopted, for example in 2019 with respect to US sanctions in relation to Iran. The Commission is also considering amending the blocking statute to further deter and counteract the unlawful extra-territorial application of sanctions to EU operators by countries outside of the EU.
Big Data Analytics
General data processing principles, such as purpose limitation and data minimisation, should be complied with when processing personal data in the context of big data analytics, as well as the other requirements laid down in the GDPR, such as those to provide adequate information on the use of data analytics to data subjects and to keep data up to date. To the extent big data analytics results in profiling or automated decision-making, the rules on profiling or automated decision-making should be adhered to. Moreover, where AI and algorithms are used for big data analytics, the AP stresses that information should be provided on the processes used, and that adequate supervisory systems should be in place.
The AP is investigating possible privacy issues with regard to Google Analytics, and expects to conclude this investigation in early 2022. If the conclusion is that use of Google Analytics is not permitted pursuant to the GDPR, the AP’s current guidelines on using Google Analytics in a privacy-friendly manner will likely be withdrawn. The AP’s Austrian counterpart has already completed similar research and concluded that use of Google Analytics is not in accordance with the GDPR.
Automated Decision-Making
The GDPR specifically addresses automated individual decision-making, including profiling, in Article 22. The starting point is that data subjects have the right not to be subject to automated decision-making, where such automated decision-making produces legal or similarly significant effects concerning them, or unless one of the exceptions laid down in the GDPR or national data protection law applies. A controller who wishes to rely on an exception for automated individual decision-making based on special categories of data should take additional safeguards.
For the Netherlands, Article 40 of the Implementation Act contains an additional exemption in situations where the automated individual decision-making, unless it is based on profiling, is necessary for compliance with a legal obligation to which the controller is subject, or the performance of a task carried out for reasons of public interest. In order to be able to rely on this exemption, the controller should take suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests. For this purpose, private entities should safeguard the right to obtain human intervention, the data subject’s right to express their point of view and the right to contest the decision.
The controller should provide information to the subject on the automated decision-making as part of its information requirement and the data subject’s access right (Articles 13–15 of the GDPR). Moreover, the controller should make a DPIA in the case of automated individual decision-making (Article 35 of the GDPR).
The EDPB has issued guidance on automated individual decision-making and profiling for the purposes of the GDPR (WP 251 rev 01). The ArtWP29 has issued guidance on automated individual decision-making and profiling in the context of law enforcement data processing.
The AP mentioned the general prohibition on the use of automated decision-making in its 2020 guidance on AI: “Supervision of AI and algorithms”.
Profiling
Profiling is subject to the rules of the GDPR, including the legal grounds for processing and the data protection principles. Profiling in the context of automated individual decision-making is specifically addressed in Article 22. To the extent that cookies are used for the purpose of profiling, the requirements relating to the provision of information and consent as laid down in the E-Commerce Directive and the Dutch Telecommunications Act should also be complied with.
In the context of microtargeting by political parties, whereby such parties collect and use personal data for political motives, such as sending personalised messages towards the subjects, the AP has stressed that party members can only be the subject of microtargeting to a certain degree, and provided that explicit consent has been given.
The GDPR requires controllers to provide information to the subject on the use of profiling as part of its information requirement and the data subject’s access right (Articles 13–15 of the GDPR). The AP requires controllers to conduct a DPIA in case of profiling.
Artificial Intelligence
The AP published some useful guidance on AI on its website in 2020, named “Supervision of AI and algorithms”. In this document, the AP explains the legal and supervisory framework concerning AI in the Netherlands, and the manner in which the AP will co-operate with other supervisory authorities in Europe. GDPR principles that apply to AI include transparency, lawfulness, fairness, accountability. Moreover, the general prohibition on automated decision-making should be taken into account (exemptions apply).
AI is one of the focus areas of the AP for the period 2020–2023. Consequently, the AP will pay extra attention to the use thereof by companies and organisations in the coming years. The AP, inter alia, clarified that an adequate control system should be in place when using AI, and that information should be provided on the processes used in connection with AI and how results or findings are generated.
The proposed AI Regulation will further regulate the use of AI.
Internet of Things (IoT)
General data protection principles apply to data processing in the context of the IoT. The AP requires controllers to conduct a DPIA in the case of large-scale processing, or systematic monitoring of personal data generated by IoT devices (eg, mobile phones and car sat navs). The upcoming E-Privacy Regulation will most likely affect the IoT and force parties involved to obtain the user’s consent for the transmission of data.
In relation to the above, the AP issued recommendations regarding so-called “smart city applications”, particularly including smart sensors. These ubiquitous sensors have the ability to measure traffic flows or visitor numbers, but also bring privacy-related challenges, for example in terms of obtaining consent.
Autonomous Decision-Making
The EDPB has issued (draft) guidance on the processing of personal data in the context of connected vehicles and mobility related applications (guidelines 1/2020).
In 2017 the ArtWP29 issued an opinion on processing personal data in the context of Co-operative Intelligent Transport Systems (C-ITS) (WP 252), which is still relevant in daily practice. In this opinion, the ArtWP29 considers that the principles of privacy by design and default should be implemented in such applications in line with the GDPR, that adequate security measures and retention periods should be adopted, and that special categories of data and data relating to criminal convictions and offences should not be broadcast.
Facial Recognition
Facial recognition is addressed in the GDPR and the Implementation Act in the context of biometric data only. However, both the AP and the ArtWP29 have issued guidance on facial recognition.
Facial images are considered biometric data when processed through specific technical means which allow the unique identification or authentication of a natural person. Therefore, it is likely that the rules applying to the processing of biometric data should be complied with when using facial recognition techniques (eg, the general prohibition on the processing of such data set forth in Article 9 of the GDPR and the exceptions to this prohibition laid down in Articles 22 and 28 of the Implementation Act). This has been confirmed by the EDPB, in its guidelines on processing of personal data through video devices (3/2019).
The AP addressed facial recognition in a press release in 2020, relating to a warning it had given to a Dutch supermarket for its use of facial recognition. It considers that the digital images recorded by smart cameras qualify as special categories of personal data, since imagery reveals ethnic origin. As a rule of thumb, the AP stresses that facial recognition is prohibited in principle, although exceptions exist if the pictured person has given consent or strong interests apply in the given situation.
Where facial recognition will be used for automated individual decision-making, including profiling, the rules set forth in Article 22 of the GDPR should be adhered to. Where smart cameras are used for facial recognition, data subjects should be informed about the use prior to recording (eg, by means of signs). Moreover, a DPIA must be conducted in the case of large-scale processing, or systematic monitoring of personal data by means of cameras.
The ArtWP29 published an opinion on facial recognition in online and mobile services in 2012. The ArtWP29 considers, inter alia, that facial recognition may involve processing of sensitive data, that a legal basis (eg, consent) is required to process images, that appropriate measures should be taken to secure the data transit, and that the principle of data minimisation should be adhered to. Although this opinion is not endorsed by the EDPB, it can still be useful as guidance on this matter.
Biometric Data
Biometric data is defined in Article 4(14) of the GDPR.
Pursuant to Article 9 of the GDPR, the use of biometric data for the purpose of uniquely identifying a natural person is prohibited, unless one of the exceptions listed in the Article or national law applies, such as the explicit consent of the data subject (unless this exception is prohibited by national law).
Article 22 of the Implementation Act contains additional general exceptions that apply to any special categories of personal data (including biometric data). Article 29 contains an additional exception that applies specially to the processing of biometric data for the purpose of uniquely identifying a natural person, if such processing is necessary for authentication or security purposes.
The AP requires controllers to conduct a DPIA in the case of large-scale processing or systematic monitoring of biometric data (eg, in the context of performing DNA analyses) or bio-databanks.
Geolocation
Geolocation data is governed by the GDPR, and the Dutch Telecommunications Act where the processing of location data concerns location data relating to subscribers or users of public electronic communication networks or public electronic communication services.
Pursuant to the definition of personal data in the GDPR, location data should be considered as personal data. The AP even qualifies location data as data of a sensitive nature.
The AP requires controllers to conduct a DPIA in the case of processing of geolocation data on a large scale, or systematic monitoring of geolocation data.
In 2020, the AP published guidance on the use of geolocation data in the document “On the anonymity of aggregated telco location data”. The EDPB published guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak. These guidelines clarify the conditions and principles for the proportionate use of geolocation data and contact tracing tools for the purposes of (i) supporting the response to the pandemic by modelling the spread of the virus in order to assess the overall effectiveness of confinement measures; and (ii) notifying individuals who may have been in close proximity to someone who is eventually confirmed as a carrier of the virus, in order to break the contamination chains as early as possible.
The AP has conducted various investigations in which the processing of geolocation data played an important role, including:
Drones
The AP addressed drones in its policy rules and dos and don’ts on camera surveillance in 2016. It considers drones more privacy-infringing than static cameras, as drones can follow people and make recordings from places where people do not expect to be recorded. Also, the AP requires controllers to conduct a DPIA in the case of large-scale processing, or systematic monitoring of personal data by means of drones.
The subject of drones is also addressed by the ArtWP29, in its 2015 opinion on privacy and data protection issues relating to the utilisation of drones (WP 231). This opinion may be useful as a starting point when dealing with drone-related matters, although it is not endorsed by the EDPB.
Disinformation or Other Online Harms
General data processing principles, such as the principle of transparency, apply to disinformation and other online harms.
The EDPB addressed this topic in relation to the targeting of social media users (Guidelines 8/2020). It considers that targeting can be used to unduly influence data subjects, by providing messages tailored to the particular interests and values of the target audience. In some cases, this might involve disinformation. Special attention should be taken in the event the data subject is a child.
The AP initiated a preliminary investigation on the processing of personal data in the context of election campaigns in 2019. The investigation focusses, inter alia, on the role of third parties supporting political parties in their campaigns – eg, by targeting data subjects on social media (microtargeting) or by collecting data on political preferences. Such data are a special category of personal data.
The EU released a comprehensive Action Plan against Disinformation in 2018. Its measures focus on developing societal resilience through fact-checking and rely on voluntary abidance to non-binding rules such as a Code of Practice for online platforms. In June 2020, the EU released a Joint Communication on tackling COVID-19 disinformation.
As mentioned in 2.2 Sectoral and Special Issues, “deep faking” (the phenomenon where an application “cuts out” the facial features of one person and morphs these features onto another person’s face, so that it seems as if the second person is in fact the first person) is a severe challenge for privacy and poses enormous disinformation risks. Closely related are “dark patterns”, which are deceptive web interfaces that trick users into, for example, buying overpriced goods. These forms of online manipulation make up a new wave of privacy infringement, as well as cybercrime.
Fiduciary Duty for Privacy or Data Protection
Fiduciary duty is not specifically addressed in the GDPR or the Implementation Act, nor through guidance of the EDPB and AP. In general, under Dutch (case) law, controllers and processors have a duty of care.
There are no specific protocols for digital governance or specific fair data practice review boards or committees in the Netherlands. However, over the years, various initiatives and studies relating to the use of new technologies have been conducted at the request of the Dutch government, including into the procedural safeguards required for the use of big data.
See 1.2 Regulators and 2.5 Enforcement and Litigation for details of significant recent cases.
Conducting due diligence must take place in accordance with the applicable data protection laws, including the GDPR. Two important provisions the target must comply with are (i) the need for a legal basis for disclosing personal data in the data room, and (ii) the principle of data minimisation. In particular, issues may arise in relation to the disclosure of HR-related data.
Moreover, potential buyers will need a legal basis for accessing and using personal data made available in the data room. As a general rule, personal data processed in the context of due diligence should be erased upon completion of the investigation.
Other important GDPR requirements relating to confidentiality, security and limitation of access to data are generally already well arranged in the context of due diligence.
It is advisable to make arrangements on the processing of personal data in the context of the due diligence, in addition to the arrangements on secrecy (ie, non-disclosure agreements), prior to conducting due diligence.
As part of the due diligence itself, it is generally advisable for a potential acquirer to assess whether the target complies with applicable data protection laws, including by requesting disclosure of:
Depending on the circumstances, an organisation’s cybersecurity risk profile or experience may be considered as price sensitive information, and consequently disclosed in accordance with the Dutch Act on Financial Supervision.
In 2018, Dutch healthcare insurer Menzis published information on a periodic penalty payment that was imposed and collected by the AP in its annual report, even though the underlying investigation report and decision of the AP were not yet published at that time due to appeal proceedings lodged by Menzis. At the end of 2019, the court rejected Menzis’ appeal, and the documentation was published on the website of the AP.
In the Netherlands, the limited capacity of the AP has been much criticised. Capacity constraints have, inter alia, resulted in many complaints not being followed up adequately, or within a reasonable period of time. In December 2021, the Dutch Ombudsman published a critical report on this state of affairs. Due to the limited extra budget given to the AP, it is unlikely these problems will be resolved in the near future.
De Lairessestraat 111-115
1075 HH
Amsterdam
Netherlands
+31 20 504 20 00
+31 20 504 20 10
info@vondst.com www.vondst.com