NETHERLANDS

The Dutch Data Protection Authority website: http://www.dutchdpa.nl/Pages/home.aspx

The Personal Data Protection Act (Wet bescherming persoonsgegevens): http://www.dutchdpa.nl/Pages/en_ind_wetten_wbp.aspx

What needs to be done prior to collection?

CONTACT THE DATA PROTECTION AUTHORITY

CHAPTER 4 - NOTIFICATION AND PRIOR INVESTIGATION

Article 27

1. The fully or partly automated processing of personal data intended to serve a single purpose or different related purposes, must be notified to the Data Protection Commissioner or the officer before the processing is started

2. The non-automated process of personal data intended to serve a single purpose or different related purposes, must be notified where this is subject to a prior investigation

Article 28

1. The notification shall contain the following particulars:
   1. The name and address of the responsible party;
   2. The purpose or purposes of processing;
   3. A description of the categories of data subjects and of the data or categories of data relating thereto;
   4. The recipients or categories of recipients to whom the data may be supplied;
   5. The planned transfers of data to countries outside the European Union;
   6. A general description allowing a preliminary assessment of the suitability of the planned measures to guarantee the security of the processing

2. The notifications shall include the purpose or purposes for which the data or categories of data have been or are being collected

3. Changes in the name or address of the responsible party must be notified within one week. Changes to the notification which concern 1 (b) to (f) shall be notified in each case within one year of the previous notification, where they appear to be of more than incidental importance

4. Any processing which departs from that which has been notified in accordance with the  provisions of 1 (b) to (f) shall be recorded and kept for at least three years

5. More detailed rules can be issued by or under general administrative regulation concerning the procedure for submitting notification

CONTACT THE DATA SUBJECT

CHAPTER 5 – INFORMATION PROVIDED TO THE DATA SUBJECT

Article 33

1. Where personal data are to be obtained from a data subject, the responsible party shall provide the data subject with the information referred to under 2 and 3 prior to obtaining the said personal data, unless the data subject is already acquainted with this information

2. The responsible party shall inform the data subject of its identity and the purposes of the processing for which the data are intended

3. The responsible party shall provide more detailed information, where given the type of data, the circumstances in which they are to be obtained or the use to be made thereof, this is necessary in order to guarantee with respect to the data subject that the processing is carried out in a proper and careful manner

Article 43 – Exceptions

Responsible parties are not required to apply Article 33 where this is necessary in the interests of:

1. State security;
2. The prevention, detection and prosecution of criminal offences;
3. Important economic and financial interests of the State and other public bodies;
4. Supervising compliance with legal provisions established in the interests referred to under (b) or (c); or
5. Protecting the data subject or the rights and freedoms of other persons

What needs to be done prior to shipping?

CHAPTER 11 – TRANSFER OF DATA TO COUNTRIES OUTSIDE THE EUROPEAN UNION

Article 76

1. Personal data which are subject to processing or intended for processing after they have been transferred, shall only be transferred to a company outside the European Union in the case that, without prejudice to compliance with the provisions of this Act, that country guarantees an adequate level of protection

2. An assessment of the adequacy of the level of protection shall take account of the circumstances affecting a data transfer operation or a category of data transfer operations. Account shall be taken in particular of the type of data, the purpose or purposes and the duration of the planned processing or processing operations, the country of origin and country of final destination, the general and sectoral legal provisions applying in the non-member country concerned, as well as the rules governing the business sector and security rules applying in these countries.

Article 77

1. Notwithstanding Article 76, an operation or category of operations to transfer personal data to a non-member country which does not provide guarantees for an adequate level of protection may take place, provided that;
   1. The data subjects have unambiguously given their consent thereto,
   2. The transfer is necessary for the performance of a contract between the data subjects and the responsible parties, or for actions to be carried out at the request of the data subjects and which are necessary for the conclusion of a contract;
   3. The transfer is necessary for the conclusion or performance of a contract concluded or to be concluded between responsible parties and third parties in the interest of data subjects;
   4. The transfer is necessary on account of an important public interest, or for the establishment, exercise or defence in law of any right;
   5. The transfer is necessary to protect a vital interest of data subjects; or
   6. The transfer is carried out from a public register set up by law or from a register which can be consulted by anyone or by any persons who can invoke a legitimate interest, provided that in the case concerned the legal requirements for consultation are met

2. Notwithstanding the provisions under (1), Our Minister, after consulting the Data Protection Commission, may issue a permit for a personal data transfer or category of transfers to a non-member country that does not provide guarantees for an adequate level of protection. Attaching to this permit are the more detailed rules required to protect the individual privacy and fundamental rights and freedoms of persons and to guarantee implementation of the associated rights

Article 78

1. Our Minister shall notify the Commission of the European Communities of:
   1. The cases of which, in his or her opinion, a non-member country does not provide guarantees for an adequate level of protection within the meaning of Article 76 (1), and
   2. A permit as referred to in Article 77 (2)
2. Where this follows from a decision of the Commission of the European Communities or the Council of the European Union, Our Minister shall lay down by ministerial ruling or decision that:

-          The transfer to a country outside the European Union is prohibited;

-          A country outside the Union is considered to guarantee an adequate level of protection; or

-          A permit issued under Article 77 (2) has been withdrawn or modified

3. The notifications referred to under (1) (a) and (b) shall be published in the Official Gazette

What are the sanctions for non-compliance?

CHAPTER 10 – SANCTIONS

Article 66

1. In the event that responsible parties act in contravention of the provisions laid down by or under Article 27 or Article 28, the Commission may require them to pay an administrative fine of a maximum amount of ten thousand Dutch guilders[1].
2. The Commission shall not impose a fine where responsible parties give a reasonable explanation as to why they cannot be regarded as responsible for the infringement
3. When deciding the amount of the fine, the Commission shall in any case take into account the seriousness and duration of the infringement

Please refer to the Dutch Data Protection Authority website for more details on the Statute.