Data protection implementation act submitted to House of Representatives

The legislative proposal of Minister for Legal Protection Sander Dekker to implement the General Data Protection Regulation (GDPR) was submitted to the House of Representatives today. The aim of the European regulation is the far-reaching harmonisation of the rules governing the protection of personal data and to promote the free movement of data within the European Union. The regulation takes effect on 25 May 2018. The implementation act will need to take effect on the same day. At the same time, the current Personal Data Protection Act (Wbp) will be repealed.

The increased exchange of personal data across the entire European Union has created a need for new legislation. The exchange of data ignores national borders. Moreover, new technologies mean that authorities and businesses can make use of personal data in their activities more than ever before. Minister Dekker: ‘People need to be able to be confident that businesses and authorities treat their personal data with due care. The new legislation creates a level playing field across the entire European Union in terms of personal data protection.’
The implementation act is policy-neutral. This means that where the regulation allows scope for national interpretations, the existing rules based on the Wbp will be adopted as much as possible in their original form. This applies, for example, to the processing of special categories of personal data, such as data about religious beliefs, health or ethnic origin. After all, all existing exceptions to the prohibition against processing such data have been included in the Wbp in order to safeguard important public interests. There is no reason to derogate from these exceptions. Retaining the framework of the current Wbp will also help ensure a smooth transition from the old to the new situation. The smaller the differences, the easier the transition.
All changes to rights and obligations will therefore be a direct result of the regulation. For example, the right of citizens to privacy will be strengthened by, among other things, the adoption of the right to ‘be forgotten’ and the right of citizens to obtain their personal data held by an authority or a business in a standard format (data portability).
Furthermore, organisations that process personal data will need to comply with new, more stringent obligations. A greater degree of transparency and responsibility is required. Controllers will need to demonstrate that they are acting in accordance with the regulation (accountability) and must compile a register to keep track of processing activities that come under their responsibility. In many cases, the regulation also requires the appointment of a data protection officer. Responsibility for supervising compliance with the regulation and the implementation act has been vested with the Dutch Data Protection Authority. The Authority is fully independent in the performance of its supervision tasks.
In addition to the Dutch Data Protection Authority, the European Commission and the Ministry of Justice and Security, organisations such as the Confederation of Netherlands Industry and Employers (VNO-NCW) and the Association of Netherlands Municipalities (VNG) have also launched a range of information activities to familiarise controllers with the new rules. For example, the Ministry will soon be publishing a detailed ‘General Data Protection Regulation handbook’ for businesses, authorities and organisations that process personal data.