Law of 23 November 1999
Personal Data Protection Act (Wet bescherming persoonsgegevens). Rules for the protection of personal data. REVISED BILL (as approved by the Lower House on 23 November 1999)
(UNOFFICIAL TRANSLATION; source: legislationline.org)
We, Beatrix, by the grace of God, Queen of the Netherlands, Princess of Orange-Nassau,
To all those who read or hear this, We greet you and hereby proclaim as follows:
Whereas it is necessary to implement Directive 95/46/EC of the European Parliament and of the Council of the European Union of 23 November 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of that data (OJ L 281);
Having regard to Article 10(2) and (3) of the Constitution;
We, having consulted the State Council, and in joint consultation with Parliament, have approved and understood, as We approve and understand, the following:
CHAPTER 1. GENERAL PROVISIONS
For the purposes of this Act and the provisions based upon it:
a. “personal data” shall mean: any information relating to an identified or identifiable natural person;
b. “processing of personal data” shall mean: any operation or any set of operations concerning personal data, including in any case the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, erasure or destruction of data;
c. “file” shall mean: any structured set of personal data, regardless of whether or not this data set is centralised or dispersed along functional or geographical lines, that is accessible according to specific criteria and relates to different persons;
d. “responsible party” shall mean: the natural person, legal person, administrative body or any other entity which, alone or in conjunction with others, determines the purpose of and means for processing personal data;
e. “processor” shall mean: the person or body which processes personal data for the responsible party, without coming under the direct authority of that party;
f. “data subject” shall mean: the person to whom personal data relate;
g. “third party” shall mean: any party other than the data subject, the responsible party, the processor, or any person under the direct authority of the responsible party or the processor, who is authorised to process personal data;
h. “recipient” shall mean: the party to whom the personal data are provided;
i. “consent of the data subject” shall mean: any freely-given, specific and informed expression of will whereby data subjects agree to the processing of personal data relating to them;
j. “Our Minister” shall mean: Our Minister of Justice;
k. “Data Protection Commission” or “Commission” shall mean: the body referred to in Article 51;
l. “officer” shall mean: the data protection officer referred to in Article 62;
m. “prior investigation” shall mean: an investigation as referred to in Article 31;
n. “provision of personal data” shall mean: the disclosure or making available of personal data;
o. “collection of personal data” shall mean: the obtaining of personal data.
1. This Act applies to the fully or partly automated processing of personal data, and the non-automated processing of personal data entered in a file or intended to be entered therein.
2. This Act does not apply to the processing of personal data:
a. in the course of a purely personal or household activity;
b. by or on behalf of the intelligence or security services referred to in the Intelligence and Security Services Act (Wet op de inlichtingen- en veiligheidsdiensten);
c. for the purposes of implementing the police tasks defined in Article 2 of the Police Act 1993 (Politiewet 1993);
d. governed by or under the Municipal Database (Personal Records) Act (Wet gemeentelijke basisadministratie persoonsgegevens);
e. for the purposes of implementing the Judicial Documentation Act (Wet justitiële documentatie) and
f. for the purposes of implementing the Electoral Provisions Act (Kieswet).
3. This Act does not apply to the processing of personal data by the armed forces where Our Defence Minister so decides with a view to deploying or making available the armed forces to maintain or promote the international legal order. Such a decision shall be communicated to the Data Protection Commission as quickly as possible.
1. This Act does not apply to the processing of personal data for exclusively journalistic, artistic or literary purposes, except where otherwise provided in this Chapter and in Articles 6 to 11, 13 to 15, 25 and 49.
2. The prohibition on processing personal data referred to in Article 16 does not apply where this is necessary for the purposes referred to under (1).
1. This Act applies to the processing of personal data carried out in the context of the activities of an establishment of a responsible party in the Netherlands.
2. This Act applies to the processing of personal data by or for responsible parties who are not established in the European Union, whereby use is made of automated or non-automated means situated in the Netherlands, unless these means are used only for forwarding personal data.
3. The responsible parties referred to under (2) are prohibited from processing personal data, unless they designate a person or body in the Netherlands to act on their behalf in accordance with the provisions of this Act. For the purposes of application of this Act and the provisions based upon it, the said person or body shall be deemed to be the responsible party.
1. In the case that the data subjects are minors and have not yet reached the age of sixteen, or have been placed under legal restraint or the care of a mentor, instead of the consent of the data subjects, that of their legal representative is required.
2. The data subjects or their legal representative may withdraw consent at any time.
CHAPTER 2. CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL DATA
Section 1. Processing of personal data in general
Personal data shall be processed in accordance with the law and in a proper and careful manner.
Personal data shall be collected for specific, explicitly defined and legitimate purposes.
Personal data may only be processed where:
a. the data subject has unambiguously given his consent for the processing;
b. the processing is necessary for the performance of a contract to which the data subject is party, or for actions to be carried out at the request of the data subject and which are necessary for the conclusion of a contract;
c. the processing is necessary in order to comply with a legal obligation to which the responsible party is subject;
d. the processing is necessary in order to protect a vital interest of the data subject;
e. the processing is necessary for the proper performance of a public law duty by the administrative body concerned or by the administrative body to which the data are provided, or
f. the processing is necessary for upholding the legitimate interests of the responsible party or of a third party to whom the data are supplied, except where the interests or fundamental rights and freedoms of the data subject, in particular the right to protection of individual privacy, prevail.
1. Personal data shall not be further processed in a way incompatible with the purposes for which they have been obtained.
2. For the purposes of assessing whether processing is incompatible, as referred to under (1), the responsible party shall in any case take account of the following:
a. the relationship between the purpose of the intended processing and the purpose for which the data have been obtained;
b. the nature of the data concerned;
c. the consequences of the intended processing for the data subject;
d. the manner in which the data have been obtained, and
e. the extent to which appropriate guarantees have been put in place with respect to the data subject.
3. The further processing of personal data for historical, statistical or scientific purposes shall not be regarded as incompatible where the responsible party has made the necessary arrangements to ensure that the further processing is carried out solely for these specific purposes.
4. The processing of personal data shall not take place where this is precluded by an obligation of confidentiality by virtue of office, profession or legal provision.
1. Personal data shall not be kept in a form which allows the data subject to be identified for any longer than is necessary for achieving the purposes for which they were collected or subsequently processed.
2. Personal data may be kept for longer than provided under (1), where this is for historical, statistical or scientific purposes, and where the responsible party has made the necessary arrangements to ensure that the data concerned are used solely for these specific purposes.
1. Personal data shall only be processed where, given the purposes for which they are collected or subsequently processed, they are adequate, relevant and not excessive.
2. The responsible party shall take the necessary steps to ensure that personal data, given the purposes for which they are collected or subsequently processed, are correct and accurate.
1. Anyone acting under the authority of the responsible party or the processor, as well as the processor himself, where they have access to personal data, shall only process such data on the orders of the responsible party, except where otherwise required by law.
2. The persons referred to under (1), who are not subject to an obligation of confidentiality by virtue of office, profession or legal provision, are required to treat as confidential the personal data which comes to their knowledge, except where the communication of such data is required by a legal provision or the proper performance of their duties. Article 272(2) of the Penal Code is not applicable.
The responsible party shall implement appropriate technical and organizational measures to secure personal data against loss or against any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, and having regard to the risks associated with the processing and the nature of the data to be protected. These measures shall also aim at preventing unnecessary collection and further processing of personal data.
1. Where responsible parties have personal data processed for their purposes by a processor, these responsible parties shall make sure that the processor provides adequate guarantees concerning the technical and organizational security measures for the processing to be carried out. The responsible parties shall make sure that these measures are complied with.
2. The carrying out of processing by a processor shall be governed by an agreement or another legal act whereby an obligation is created between the processor and the responsible party.
3. The responsible party shall make sure that the processor:
a. processes the personal data in accordance with Article 12(1) and
b. complies with the obligations incumbent upon the responsible party under Article 13.
4. Where the processor is established in another country of the European Union, the responsible party shall make sure that the processor complies with the laws of that other country, notwithstanding the provisions of (3)(b).
5. With a view to the keeping of proof, the parts of the agreement or legal act relating to personal data protection and the security measures referred to in Article 13, shall be set down in writing or in another equivalent form.
The responsible party shall make sure that the obligations referred to in Articles 6 to 12 and 14(2) and (5) of this Chapter are complied with.
Section 2. Processing of special personal data
It is prohibited to process personal data concerning a person’s religion or philosophy of life, race, political persuasion, health and sexual life, or personal data concerning trade union membership, except as otherwise provided in this Section. This prohibition also applies to personal data concerning a person’s criminal behaviour, or unlawful or objectionable conduct connected with a ban imposed with regard to such conduct.
1. The prohibition on processing personal data concerning a person’s religion or philosophy of life, as referred to in Article 16, does not apply where the processing is carried out by:
a. church associations, independent sections thereof or other associations founded on spiritual principles, provided that the data concerns persons belonging thereto;
b. institutions founded on religious or philosophical principles, provided that this is necessary to the aims of the institutions and for the achievement of their principles, or
c. other institutions provided that this is necessary to the spiritual welfare of the data subjects, unless they have indicated their objection thereto in writing.
2. In the cases referred to under (1)(a), the prohibition also does not apply to personal data concerning the religion or philosophy of life of family members of the data subjects, provided that:
a. the association concerned maintains regular contacts with these family members in connection with its aims, and
b. the family members have not indicated any objection thereto in writing.
3. In the cases referred to under (1) and (2), no personal data may be supplied to third parties without the consent of the data subject.
1. The prohibition on processing personal data concerning a person’s race, as referred to in Article 16, does not apply where the processing is carried out:
a. with a view to identifying data subjects and only where this is essential for that purpose;
b. for the purpose of assigning a preferential status to persons from a particular ethnic or cultural minority group with a view to eradicating or reducing actual inequalities, provided that:
1º. this is necessary for that purpose;
2º. the data only relate to the country of birth of the data subjects, their parents or grandparents, or to other criteria laid down by law, allowing an objective determination whether a person belongs to a minority group as referred to under (b), and
3º. the data subjects have not indicated any objection thereto in writing.
1. The prohibition on processing personal data concerning a person’s political persuasion, as referred to in Article 16, does not apply where the processing is carried out:
a. by institutions founded on political principles with respect to their members or employees or other persons belonging to the institution, provided that this is necessary to the aims of the institutions and for the achievement of their principles, or
b. with a view to the requirements concerning political persuasion which can reasonably be applied in connection with the performance of duties in administrative and advisory bodies.
2. In the cases referred to under (1)(a), no personal data may be supplied to third parties without the consent of the data subject.
1. The prohibition on processing personal data concerning a person’s trade union membership, as referred to in Article 16, does not apply where the processing is carried out by the trade union concerned or the trade union federation to which this trade union belongs, provided that this is necessary to the aims of the trade union or trade union federation.
2. In the cases referred to under (1), no personal data may be supplied to third parties without the consent of the data subject.
1. Without prejudice to Articles 17 to 22, the prohibition on processing personal data referred to in Article 16 does not apply where:
a. this is carried out with the express consent of the data subject;
b. the data have manifestly been made public by the data subject;
c. this is necessary for the establishment, exercise or defence of a right in law;
d. this is necessary to comply with an obligation of international public law, or
e. this is necessary with a view to an important public interest, where appropriate guarantees have been put in place to protect individual privacy and this is provided for by law or else the Data Protection Commission has granted an exemption. When granting an exemption, the Commission can impose rules and restrictions.
2. The prohibition on the processing of personal data referred to in Article 16 for the purpose of scientific research or statistics does not apply where:
a. the research serves a public interest,
b. the processing is necessary for the research or statistics concerned,
c. it appears to be impossible or would involve a disproportionate effort to ask for express consent, and
d. sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent.
3. Processing referred to under (1)(e) must be notified to the European Commission. This notification shall be made by Our Minister concerned where the processing is provided for by law. The Data Protection Commission shall make the notification in the case that it has granted an exemption for the processing.
1. A number that is required by law for the purposes of identifying a person may only be used for the processing of personal data in execution of the said law or for purposes stipulated by the law.
2. Cases other than those referred to under (1) can be designated by general administrative regulation in which a number to be indicated in this connection, as referred to under (1), can be used. More detailed rules may be laid down in this connection concerning the use of such a number.
CHAPTER 3. CODES OF CONDUCT
1. An organisation or organisations planning to draw up a code of conduct may request the Data Protection Commission to declare that, given the particular features of the sector or sectors of society in which these organisations are operating, the rules contained in the said code properly implement this Act or other legal provisions on the processing of personal data. Where a code of conduct provides for the arrangement of disputes about its observance, the Commission may only issue a declaration, if guarantees have been provided for its independent character.
2. The provisions of (1) are likewise applicable to amendments or extensions to existing codes of conduct.
3. The Commission shall only consider requests where, in its opinion, the requester or requesters are sufficiently representative and the sector or sectors concerned are sufficiently precisely defined in the code.
4. A decision on a request referred to under (1) shall be deemed to be equivalent to a decision within the meaning of the General Administrative Regulations Act (Algemene wet bestuursrecht). This decision shall be arrived at in accordance with the procedure laid down by Section 3.4 of that Act. The decision must be taken within a reasonable period of time, it being understood that this period must be no longer than thirteen weeks.
5. The declaration shall apply for the duration of the code of conduct, while not exceeding five years from the date on which the declaration is announced. Where a declaration is requested for an amendment to a code of conduct for which a declaration has already been issued previously, the declaration shall apply for the duration of the declaration issued previously.
6. The Commission is responsible for publishing the declaration, together with the associated code, in the Official Gazette (Staatscourant).
1. More detailed rules may be issued by general administrative regulation with regard to a particular sector concerning the matters covered in Articles 6 to 11 and 13.
2. The Data Protection Commission shall indicate in its annual report the extent to which, in its opinion, the provisions of (1) should be applied.