Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Netherland - Data Protection

History of Data Protection in the NETHERLANDS

The Dutch data protection legislation is the Personal Data Protection Act (Wet Bescherming Persoonsgegevens, or the 'WBP'). The Dutch Parliament adopted this Act on 3 July 2000, and it entered into force on 1 September 2001. The WBP implements Directive 95/46/EC into Dutch law.

The Personal Data Protection Act incorporated the previous Royal Decree on Data Protection, which was in force under the Personal Data Files Act.

One important subsequent piece of legislation under the WBP is the Exemption Decree, which provides exemptions and simplifications to notification for certain categories of data.

Summary of Data Protection in the NETHERLANDS

Title of Data Protection Legislation Personal Data Protection Act 2000 (Wet Bescherming Persoonsgegevens)Unofficial translation
Name of supervisory authority Dutch Data Protection Authority
General Powers of supervisory authority Article 51(1) of the Personal Data Protection Act states that the Data Protection Authority must "oversee the processing of personal data in accordance with the provisions laid down by and under the Act". 51(2) states that the body shall also "be asked to issue an opinion on bills and draft texts of general administrative regulations relating entirely or substantially to the processing of personal data". Article 60(1) states that the Authority, "acting in an official capacity or at the request of an interested party, may initiate an investigation into the manner in which the provisions laid down by or under the Act are being applied with respect to the processing of data".
Who has standing to notify the supervisory authority of breaches? Any "interested party".
What are the penalties for data controllers if they breach the law? According to the 2000 Act, the Commission can apply "administrative measures of constraint" (Article 65) on controllers who breach the law. Fines are also possible (Article 66, 75(1)) as is imprisonment if the offence was committed deliberately (Article 75(2)).
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Yes; Article 24 of the WBP states that processing of ‘a number that is required by law for the purposes of identifying a person’ may only be used for the processing of personal data in execution of the said law, or for purposes stipulated by law.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it. However, consent is always required to use medical information in research unless there are exceptional circumstances. See the Medical Treatment Contracts Act.
Does the Data Protection Legislation cover the deceased? No
Who is able to indirectly identify the data subject? Anybody

Laws and Regulations


Guidance and Papers

  • Hooghiemstra, T. . The Implementation of Directive 95/46/EC in the Netherlands, with Special Regard to Medical Data European Journal of Health Law; 2002 Vol. 9 Issue 3, 219–227
  • Westerman, P . Netherlands: Data Protection – Impending Legislation’ European Intellectual Property Review; 2001 Vol. 23 6: 86-87