Today, the Dutch Ministry of Security and Justice published the draft Implementation Bill General Data Protection Regulation ("Implementation Bill"). This bill provides the first insight into the Dutch government's implementation of new data protection principles in the light of the European developments. The bill is highly relevant for our clients since it will replace the current Dutch data protection framework and requires an assessment of overall data protection compliance.
The implementation of the GDPR
The Implementation Bill is the Dutch legislative response
to the European General Data Protection Regulation
("GDPR"). The GDPR was adopted in April
2016 to strengthen existing obligations and to modernise the
current data protection framework. It will apply directly in all
member states as of spring 2018. However, there is some room for
manoeuvre for national authorities to implement and specify
European principles. The bill that is presented today gives the
first insight into this national approach to the new data
protection laws.
National implementation
In general, the Dutch government has tried to maintain the rules
which already exist in the Data Protection Act (Wet bescherming
persoonsgegevens), unless the GDPR requires a change. New
matters include, for example, local law on profiling, special
categories of personal data, rights of data subjects, and the
mandatory notification of a data breach. Other topics where the
bill provides further specification of the GDPR include rules on
health and education related data. The bill also provides
derogative grounds such as criminal investigations and
investigative powers.
Another interesting aspect of the Implementation Bill is its expansion of the role of the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens ("AP"). This enforcement body will interact to a greater extent with international data protection authorities and has stronger enforcement powers.
What is next?
The Implementation Bill is now open for public consultation until
20 January 2017. After this period, both the Dutch Senate and the
Second Chamber must debate and adopt the bill. The exact time of
entry into force is therefore unknown at this time.
We recommend our clients monitor this legislative process and review their internal processes and policies. Whereas the GDPR was the first incentive to evaluate overall data protection, this Bill further clarifies and specifies the new obligations. It is key for our clients to have their revised policies and practices up to date by spring 2018, when the GDPR becomes directly applicable in all EU member states.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.