Page 1

Personal Data Protection Act BES
Valid from 01-01-2015 to the present
Law of 17 May 2010, containing rules on the protection of personal data of Bonaire,
Sint Eustatius and Saba (BES Personal Data Protection Act)
We Beatrix, by the grace of God, Queen of the Netherlands, Princess of Oranje-Nassau, etc. etc. etc.
All who will see or hear it read, salute! do to know:
As We have considered that it is necessary that with regard to the
protection of personal data in the public bodies of Bonaire, Sint Eustatius and Saba
Article 10, paragraphs 2 and 3, of the Constitution is implemented;
So it is that We heard the Council of State, and in consultation with the States General
approved and understood, as We approve and understand by this:
Chapter 1. General provisions
Article 1
1. This law applies to the public bodies of Bonaire, Sint Eustatius and Saba.
2. In this Act and the provisions based on it, the following terms have the following meanings:
a. Personal data: any information relating to an identified or identifiable natural
person;
b. processing of personal data: any action or set of actions involving
with regard to personal data, including in any case the collection, recording,
organize, save, update, change, retrieve, consult, use, provide by
by means of forwarding, distribution or any other form of posting,
bringing together, relating to each other, as well as shielding, erasing or
destruction of data;
c. file: any structured set of personal data, regardless of whether this set of
data is centralized or distributed in a functionally or geographically determined manner,
which is accessible according to certain criteria and relates to different persons;
d. responsible: the natural person, legal person or any other person or person
governing body that, alone or in conjunction with others, determines the purposes and means of the
determine the processing of personal data;
e. processor: the person who processes personal data on behalf of the controller,
without being subject to his direct authority;
f. data subject: the person to whom personal data relates;
g. third party: any person, not being the data subject, the controller, the processor, or any person who
is authorized under the direct authority of the controller or processor to
process personal data;
h. recipient: the person to whom the personal data are provided;
i. consent of the data subject: any free, specific and informed expression of will
by which the data subject accepts the processing of personal data concerning him;
j. Our Minister: Our Minister of Justice;
k. provision of personal data: the disclosure or making available of
personal data;
l. collecting personal data: obtaining personal data;
m. public bodies: the public bodies of Bonaire, Sint Eustatius and Saba;
n. court: the Court of First Instance of Bonaire, Sint Eustatius and Saba;
o. committee: the BES Personal Data Protection Supervision Commission, referred to in Article 44
of this law.
Article 2

Page 2

1. This law applies to the fully or partially automated processing of
personal data, as well as the non-automated processing of personal data contained in
contained in or intended to be included in a file.
2. This law does not apply to the processing of personal data:
a.for activities solely for personal or household purposes;
b. by or on behalf of the intelligence and security services referred to in the Act on the
intelligence and security services 2002;
c. for the performance of the police duties, as referred to in Articles 5 and 11 of the
Police Act of Curaçao, Sint Maarten and Bonaire, Sint Eustatius and Saba;
d. for the implementation of the BES Personal Data (Basic Administration) Act;
e. for the implementation of the Judicial Documentation Act and the declarations
regarding the behavior of BES and
f. for the implementation of the Elections Act.
3. This Act does not apply to the processing of personal data by the armed forces if
Our Minister of Defense decides to do so with a view to deployment or making available
of the armed forces to maintain or promote the international legal order.
Article 3
1. This law does not apply to the processing of personal data for sole purpose
journalistic, artistic or literary purposes, subject to the other provisions of this
Chapter, as well as Articles 6 to 11, 13 to 15, and 39.
2. The prohibition to process personal data as referred to in Article 16 does not apply
insofar as this is necessary for the purposes referred to in the first paragraph.
Article 4
1. This law applies to the processing of personal data in the context of activities
of an establishment of a controller in the public bodies.
2. This law applies to the processing of personal data by or on behalf of
a controller who has no establishment in the public bodies, which is used
made from automated or non-automated means located in the public bodies,
unless these means are only used for the transit of personal data.
3. A controller as referred to in the second paragraph is prohibited from personal data
processing, unless he designates a person or body on his behalf in the public body
acts in accordance with the provisions of this law. For the purposes of this law and the
provisions based on this, he is regarded as the controller.
Article 5
1. If the person concerned is a minor and has not yet reached the age of sixteen, or under
has been placed in receivership or a mentorship has been instituted for the benefit of the person concerned, is in the
place of the data subject's consent which requires his legal representative.
2. Consent can be obtained at any time by the data subject or his legal representative
withdrawn.
Chapter 2. Conditions for the lawfulness of the processing of personal data
Section 1. The processing of personal data in general
Article 6

Page 3

Personal data is provided in accordance with the law and in a proper and careful manner
processed.
Article 7
Personal data is for specific, explicitly described and justified
purposes collected.
Article 8
Personal data may only be processed if:
a.the data subject has given his unambiguous consent to the processing;
b. the data processing is necessary for the performance of an agreement whereby the
data subject is a party, or to take pre-contractual measures as a result of
a request from the data subject necessary for the conclusion of an agreement;
c. the data processing is necessary to comply with a legal obligation to which
the controller is subject;
d. the data processing is necessary to protect a vital interest of the data subject;
e. the data processing is necessary for the proper fulfillment of a public law
task by the relevant administrative body or the administrative body to which the
data is provided, or
f. the data processing is necessary for the representation of the legitimate interest
of the controller or of a third party to whom the data are provided, unless the
interest or fundamental rights and freedoms of the data subject, in particular the law
protection of privacy prevails.
Article 9
1. Personal data will not be further processed in a way that is incompatible with the
purposes for which they were obtained.
2. When assessing whether processing is incompatible as referred to in the first paragraph, the
responsible in any case take into account:
the relationship between the purpose of the intended processing and the purpose for which the
data has been obtained;
b. the nature of the data concerned;
c. the consequences of the intended processing for the data subject;
d. the way in which the data was obtained and
e. the extent to which appropriate safeguards are provided for the data subject.
3. Further processing of the data for historical, statistical or scientific purposes
purposes, is not considered incompatible, if the responsible party provides the necessary
has made provisions to ensure that further processing is exclusively
is made for these specific purposes.
4. The processing of personal data will not take place insofar as there is no obligation of confidentiality
prevents this by virtue of office, profession or statutory regulation.
Article 10
1. Personal data is no longer kept in a form that allows the
the data subject, than is necessary for the realization of the purposes
for which they are collected or subsequently processed.
2. Personal data may be kept longer than stipulated in the first paragraph insofar as they are
are retained for historical, statistical or scientific purposes, and the
controller has taken the necessary measures to ensure that the
relevant data are used exclusively for these specific purposes.

Page 4

Article 11
1. Personal data are only processed insofar as they, having regard to the purposes for which they are
collected or further processed, adequate, relevant and not
are excessive.
2. The controller shall take the necessary measures to ensure that personal data, in view of the
purposes for which they are collected or subsequently processed, correct and accurate
to be.
Article 12
1. Anyone who acts under the authority of the controller or processor, as well as the
The processor himself, insofar as they have access to personal data, only processes it
assignment of the responsible person, except for deviating legal obligations.
2. The persons, referred to in the first paragraph, for whom not already by virtue of office, profession or
a duty of confidentiality applies, are obliged to observe secrecy of the
personal data of which they become aware, except insofar as any statutory regulation gives them
is obliged to notify whether their task results in the necessity of notification. Article 285 of
the BES Criminal Code does not apply.
Article 13
The controller implements appropriate technical and organizational measures
protect personal data against loss or any form of unlawful processing.
These measures guarantee, taking into account the state of the art and the costs of the
implementation, an appropriate level of security, given the risks posed by the processing and its nature
of data to be protected. The measures are partly aimed at this
prevent unnecessary collection and further processing of personal data.
Article 14
1. If the controller has personal data processed on his behalf by a
processor, he will ensure that this offers sufficient guarantees with regard to the technical and
organizational security measures with regard to the processing to be carried out. The
The controller supervises compliance with those measures.
2. The execution of processing operations by a processor is regulated in an agreement or
pursuant to another legal act that creates an obligation between the processor and
the responsible.
3. The controller ensures that the processor
processes the personal data in accordance with Article 12, paragraph 1 and
b. complies with the obligations incumbent on the controller pursuant to article 13.
4. If the processor is not established in the public bodies, the responsible party will ensure that
the processor complies with the law of that other country, in deviation from the third paragraph, under b.
5. For the purpose of keeping the evidence, the parts of the agreement or the
legal act relating to the protection of personal data, as well as the
security measures, as referred to in Article 13, in writing or in another, equivalent form
recorded.
Article 15
The responsible party ensures compliance with the obligations referred to in Articles 6 to
and with 12 and 14, second and fifth paragraphs of this chapter.

Page 5

Section 2. The processing of special personal data
Article 16
The processing of personal data concerning a person's religion or belief, race,
political affiliation, health, sexual life, as well as personal data concerning it
Trade union membership is prohibited except as provided in this paragraph.
The same applies to criminal personal data and personal data about unlawful or
annoying behavior in connection with an imposed ban as a result of that behavior.
Article 17
1. The prohibition to transfer personal data concerning a person's religion or belief
processing, as referred to in Article 16, does not apply if the processing is carried out by:
a. denominations, independent parts thereof or other societies
mental basis insofar as it concerns data of persons belonging thereto;
b. institutions based on a religious or ideological basis, insofar as this in view of the
purpose of the institution and is necessary for the realization of its basis, or
c. other institutions insofar as this is necessary with a view to the spiritual care of
the data subject, unless he has objected to this in writing.
2. In the cases referred to in the first paragraph, under a, the prohibition also does not apply to
personal data concerning religion or belief of the family members of the
data subject insofar as:
a.the association concerned with those family members by virtue of its objective
maintains regular contacts and
b. those family members have not objected to this in writing.
3. In the cases referred to in the first and second paragraph, no personal data will be passed on to third parties
provided without the consent of the data subject.
Article 18
The prohibition to process personal data concerning a person's race, referred to in Article 16, is not
applicable if the processing takes place:
with a view to identifying the data subject and only to the extent that this is for this purpose
is unavoidable;
b. with the aim of persons of a particular ethnic or cultural minority group
privileged position in order to grant factual disadvantages related to the
ground variety to be eliminated or reduced and only if:
1 °. this is necessary for that purpose;
2 °. the data only pertain to the country of birth of the person concerned
parents or grandparents, or on other criteria established by law, on the basis of which
it can be objectively determined whether someone belongs to a minority group as
referred to in the opening lines of part b, and
3 °. the person concerned has not objected to this in writing.
Article 19
1. The prohibition to process personal data relating to a person's political affiliation,
referred to in Article 16, does not apply if the processing takes place:
a. by institutions on a political basis concerning their members or their employees or
other persons belonging to the institution, insofar as this is in view of the institution's objective
is necessary for the realization of its basis, or
b. in view of the demands that can reasonably be made with regard to political affiliation
are made in connection with the performance of positions in administrative bodies and

Page 6

advisory colleges.
2. In the case referred to in the first paragraph, under a, no personal data will be passed on to third parties
provided without the consent of the data subject.
Article 20
1. The prohibition of transferring personal data concerning a person's membership of a trade union
processing, referred to in Article 16, does not apply if the processing is carried out by the
the trade union concerned or the trade union federation of which that union forms a part, insofar as that
given the objective of the union or central is necessary.
2. In the case referred to in the first paragraph, no personal data will be provided to third parties
without the consent of the data subject.
Article 21
1. The prohibition to process personal data concerning someone's health, referred to in
Article 16 does not apply if the processing is carried out by:
a. care providers, institutions or facilities for health care or social services
services insofar as this with a view to proper treatment or care of the
data subject, or the management of the institution or professional practice concerned is necessary
is;
b. insurers as referred to in Section 1, subsection 1, under g, of the Supervision Act
insurance company BES, and financial service providers that mediate in insurance such as
referred to in that law, insofar as this is necessary for:
1 °. the assessment of the risk to be insured by the insurer and the person concerned none
objected; or
2 °. the performance of the insurance contract;
c. schools insofar as this with a view to the special supervision of pupils or the meeting
special provisions are necessary in connection with their health condition;
d. a probation service, a special probation officer, and the guardianship council, the
family guardian, or a legal person as referred to in Article 302, first paragraph, of the Dutch Civil Code
BES Code insofar as this is necessary for the implementation of their statutory provisions
assigned duties
e. Our Minister of Justice insofar as this is related to the implementation of
custodial sentences or custodial measures are necessary or
f. administrative bodies, pension funds, employers or institutions acting on their behalf
be active to the extent necessary for:
1 °. proper implementation of statutory regulations, pension schemes or collective
employment contracts that provide for claims that depend on the
health status of the person concerned or
2 °. the reintegration or guidance of employees or benefit recipients in connection with
illness or disability.
2. In the cases referred to in the first paragraph, the data will only be processed by persons who
by virtue of office, profession or statutory regulation, or by virtue of an agreement to
confidentiality are mandatory. If the controller processes data personally and on
he is not already under a duty of confidentiality on account of his office, profession or statutory regulation,
he is obliged to keep the data confidential, except insofar as the law prevents him
information is required whether it is necessary to communicate the data from his task
to others who are authorized to process it pursuant to the first paragraph.
3. The prohibition on processing other personal data as referred to in Article 16 is not applicable
application insofar as this is necessary in addition to the processing of personal data
concerning a person's health as referred to in the first paragraph, under a, with a view to a good one
treatment or care of the data subject.
4. Personal data regarding hereditary characteristics may only be processed for

Page 7

insofar as this processing takes place with regard to the data subject with whom the data subject
data has been obtained unless:
a. an important medical interest prevails or
b. the processing is necessary for scientific research or statistics.
In the case referred to under b, Article 23, subsection 1, under a, and subsection 2 shall apply mutatis mutandis
application.
5. By order in council, regarding the application of the first paragraph, under b and
f, further rules are set.
Article 22
1. The prohibition on the processing of personal data under criminal law, referred to in Article 16, is not applicable
application if the processing is carried out by bodies charged by law with the
application of criminal law, as well as by persons responsible who obtained it from or
pursuant to the Police Act of Curaçao, Sint Maarten and Bonaire, Sint Eustatius and
Saba or the Law on judicial documentation and on declarations of behavior BES.
2. The prohibition does not apply to the controller providing this information on its own behalf
processed for:
a. assessment of a request from the person concerned to make or to a decision about him
to provide him with a performance or
b. protection of his interests insofar as it concerns criminal offenses that are or based on
facts and circumstances are expected to be committed against him or against
persons employed by him.
3. The prohibition on processing other personal data as referred to in Article 16 is not applicable
apply to the extent necessary in addition to criminal processing
data for the purposes for which this data is processed.
4. The second and third paragraphs apply mutatis mutandis to personal data concerning
a prohibition imposed by the court as a result of unlawful or annoying behavior.
Article 23
1. Without prejudice to Articles 17 to 22, the prohibition to transfer personal data as referred to in
Article 16, to be processed not applicable insofar as:
a.this is done with the explicit consent of the data subject;
b. the data has been clearly disclosed by the data subject;
c. this is necessary for the establishment, exercise or defense of a right in
straight;
d. this is necessary to comply with an obligation under international law or
e. this is necessary for an important public interest, appropriate safeguards
are offered for the protection of privacy and this is determined by law
or the committee has granted an exemption. The committee may in the granting of
impose restrictions and regulations on exemption.
2. The prohibition to process personal data as referred to in Article 16 for the purposes of
scientific research or statistics is not applicable insofar as:
a.the research serves a public interest,
b. the processing is necessary for the relevant research or statistics
is,
c. asking for explicit consent proves impossible or a disproportionate effort
cost
d. the implementation provides for such safeguards that the privacy of the

Page 8

data subject is not disproportionately harmed.
Article 24
1. A number prescribed by law to identify a person is assigned to the
processing of personal data is only used for the implementation of the relevant law
determined by law for purposes.
2. Cases other than those referred to in subsection 1 may be imposed by order in council
be designated in which a number to be designated as referred to in the first paragraph can be designated
are used. Further rules can be given about the use of a
such number.
Chapter 3. Provision of information to the data subject
Article 25
1. If personal data are obtained from the data subject, the controller shall share in advance
at the time of obtaining the data subject also the information referred to in the second and third
member, unless the person concerned is already aware of this.
2. The controller will share with the data subject his identity and the purposes of the processing
for which the data are intended, including.
3. The controller will provide further information in so far as this is in view of the nature of the
information, the circumstances under which it is obtained or the use to which it is used
is necessary for proper and careful processing of the data subject
guarantees.
Article 26
1. If personal data is obtained in a manner other than as referred to in Article 25, shares
the controller also provides the data subject with the information referred to in the second and third paragraph, unless
they are already aware of this:
a. at the time of recording of data concerning him, or
b. when the data are intended to be provided to a third party, no later than the
time of first provision.
2. The controller will share with the data subject his identity and the purposes of the processing
also.
3. The controller will provide further information in so far as this is in view of the nature of the
information, the circumstances under which it is obtained or the use to which it is used
is necessary for proper and careful processing of the data subject
guarantees.
4. The first paragraph does not apply if the information is communicated to the data subject
proves impossible or requires a disproportionate effort. In that case, the controller submits the
origin of the data.
5. The first paragraph also does not apply if the recording or the provision by or pursuant to
the law is prescribed. In that case, the controller serves the data subject at his request
to inform about the statutory regulation that governs the recording or provision of the him
concerning data.
Chapter 4. Rights of the data subject
Article 27

Page 9

1. The data subject has the right to contact the controller freely and at reasonable intervals
with the request to inform him whether personal data will be concerning him
processed. The responsible party informs the person concerned in writing within four weeks whether or not
concerning personal data are processed.
2. If such data are processed, the notification shall contain a complete overview thereof
in intelligible form, a description of the purpose or purposes of the processing, the
categories of data to which the processing relates and the recipients or
categories of recipients, as well as the available information on the origin of the
data.
3. Before a controller makes a statement as referred to in the first paragraph, against which a
is expected to have objections to the third party, he will give the third party the opportunity
to express his opinion if the communication contains information concerning him, unless
this proves impossible or requires a disproportionate effort.
4. If requested, the controller will make statements about the underlying logic
to the automated processing of data concerning him.
Article 28
1. The person notified concerning him or her in accordance with Article 26
personal data, the controller may request to correct, supplement, or
remove, or shield if factually inaccurate, for the purpose or purposes of
the processing is incomplete or irrelevant or otherwise in violation of a legal act
prescription. The request contains the changes to be made.
2. The responsible party will inform the applicant within four weeks of receipt of the request
in writing whether or to what extent he complies with this. A refusal is reasoned.
3. The responsible party ensures that a decision to correct, supplement, delete or
foreclosure is carried out as soon as possible.
4. If the personal data are recorded on a data carrier in which no changes
can be fitted, he will make the necessary arrangements for the user of the
to inform data about the impossibility of improvement, addition, deletion or
foreclosure despite the fact that there is grounds for adjusting the data on the basis of this
article.
5. Paragraphs 1 to 4 do not apply to public registers established by law.
if in that law a special procedure for the correction, addition, removal or
data blocking is included.
Article 29
1. If a weighty interest of the applicant so requires, the controller shall comply with a
request referred to in Articles 27 and 28, in a form other than written, which meets that
importance has been adjusted.
2. The controller is responsible for a proper determination of the identity of the
applicant.
3. The requests referred to in Articles 27 and 28 shall be made with regard to minors who receive the
have not yet reached the age of sixteen, and with regard to those placed in receivership
done by their legal representatives. The relevant communication is also made
to legal representatives.
Article 30
1. The controller who, in response to a request under Article 28

Page 10

personal data has improved, supplemented, deleted or protected, is obliged to
to notify third parties to whom the data has been provided in advance as soon as possible
giving the improvement, addition, removal or blocking, unless this proves impossible or
a disproportionate effort.
2. If requested, the responsible party will provide the applicant as referred to in Article 28 with a statement of
those to whom he has made the announcement.
Article 31
1. For a message as referred to in Article 27, the responsible party can submit a by or pursuant to general
require reimbursement of costs to be adopted that amount to a maximum of USD 5
amounts.
2. The compensation will be refunded in the event that the controller, at the request of the data subject,
correction, addition, removal or blocking has been carried out on the order of the court.
Article 32
1. If data is the subject of processing on the basis of Article 8 (e) and (f), the
the data subject at all times object to this with the controller in connection with his
special personal circumstances.
2. The responsible party will assess within four weeks of receipt of the objection or objection
justified. If the objection is justified, he immediately terminates the processing.
3. The responsible party can pay a fee of
require costs that may not be higher than a by or pursuant to order of
board amount to be determined. The compensation will be refunded if the objection is well-founded
is found.
4. This section does not apply to public registers established by law.
Article 33
1. If data are processed in connection with the creation or maintenance of
a direct relationship between the controller or a third party and the data subject for the purpose of
recruitment for commercial or charitable purposes, the data subject may oppose this
responsible person at any time to object free of charge.
2. In the event of an objection, the controller will take measures to prevent this form of processing
to terminate immediately.
3. The controller who intends to provide personal data to or for third parties
account of third parties for the purpose referred to in the first paragraph, takes appropriate
measures to make the parties involved aware of the possibilities to object. The
publication takes place via one or more daily, news, or door-to-door papers or on one
other suitable way. In case of regular provision to third parties or use on behalf of
to third parties, the announcement takes place at least once a year.
4. The controller who processes personal data for the purpose referred to in the first paragraph,
ensures that, if this is done directly, a message is sent to the data subject
will be sent to the client, each time referring to the possibility of objecting.
Article 34
1. No one can be subject to a decision which has legal consequences for him or her
or that affects him significantly, if that decision is taken alone
based on an automated processing of personal data intended to create an image

Page 11

getting certain aspects of his personality.
2. The first paragraph does not apply if the decision referred to there:
a. is taken in the context of the conclusion or performance of an agreement and
1 °. the data subject's request has been fulfilled or
2 °. appropriate measures have been taken to protect its legitimate interest, or
b. is based on a law in which measures are laid down that aim at
protection of the legitimate interest of the data subject.
3. An appropriate measure as referred to in the second paragraph, under a, has been taken if the person concerned
has been given the opportunity regarding the decision as referred to in the first paragraph, according to his opinion
to bring forward.
4. In the case referred to in the second paragraph, the controller informs the person concerned of the logic
which is the basis for the automated processing of data concerning him.
Chapter 5. Exceptions and Limitations
Article 35
The controller may not apply Articles 9, first paragraph, 25, 26 and 27 insofar as this
is necessary in the interest of:
a.the security of the state;
b. the prevention, detection and prosecution of criminal offenses;
c. weighty economic and financial interests of the state and other public bodies;
d. supervising compliance with statutory regulations that have been set for the benefit of the
interests referred to under b and c, or
e. the protection of the data subject or of the rights and freedoms of others.
Article 36
1. If processing is carried out by institutions or services for scientific research
or statistics, and the necessary arrangements have been made to ensure that the
personal data can only be used for statistical and scientific purposes
uses, the controller may omit a notification as referred to in Article 26 and
refuse to comply with a request as referred to in Article 27.
2. If processing takes place of personal data that are part of
archive documents that have been transferred to
a repository, the controller may issue a notification as referred to in Article 26
leave behind.
Chapter 6. Legal protection
Article 37
A decision on a request as referred to in Articles 27, 28 and 30, second paragraph, as well as a
decision as a result of the statement of opposition as referred to in Articles 32 or 33 apply,
insofar as these have been taken by an administrative body, as a decision as referred to in Article 3
of the BES Administrative Justice Act.
Article 38
1. If a decision as referred to in Article 37 has been taken by a person other than one
administrative body, the interested party can apply to the Court of First Instance of Bonaire, Sint
With a written request, Eustatius and Saba still request the responsible person to be ordered
to grant or reject a request as referred to in Articles 27, 28 and 30, second paragraph, or a
whether or not to honor an objection as referred to in Articles 32 or 31.

Page 12

2. The petition must be filed within six weeks of receipt of the reply from
the responsible. If the responsible party does not have it within the set period
replied, the petition must be filed within six weeks of the end of that
term.
3. The court will grant the request if it considers it well-founded. Before taking the dish
decides, if necessary, it gives interested parties the opportunity to express their views
bring.
4. The third section of the fifth title of the Second Book of the Civil Code
Legal action BES applies mutatis mutandis.
5. The court may request parties and others within a term to be determined by it

to provide written information and to submit documents in their possession. The
responsible and interested parties are obliged to comply with this request.
Article 39
1. If someone suffers damage because of acting contrary to him or her with the at or
regulations given pursuant to this Act, the following paragraphs apply, without prejudice
the claims based on other statutory rules.
2. For disadvantage that does not consist of financial loss, the injured party is entitled to a claim
fairness to be determined compensation.
3. The responsible person is liable for damage or loss arising from it
non-compliance with the regulations referred to in the first paragraph. The processor is liable for
that damage or that disadvantage, insofar as it arises as a result of its activity.
4. The controller or processor can be wholly or partially relieved of this
liability, if he proves that the damage cannot be attributed to him.
Article 40
1. If the controller or processor acts contrary to the provisions of or pursuant to this Act
certain and another person suffers or threatens to suffer damage as a result, the court may claim against him
prohibit such behavior by the other and order him to take measures to rectify the
consequences of that behavior.
2. Processing cannot be based on a claim of a legal person
that promote general or collective interests, or a legal person as referred to in Article 305a
of Book 3 of the BES Civil Code, insofar as the person affected by this processing
affected, objects to it.
Article 41
1. The controller who acts contrary to the provisions of or pursuant to Article 4, third paragraph
is punishable by a fine of the second category.
2. The controller who deliberately commits an offense as referred to in the first paragraph will be punished
with imprisonment not exceeding six months or a fine of the third category.
3. The offenses made punishable in the first paragraph are violations. The punishable in paragraph 2
alleged facts are crimes.
Chapter 7. Data traffic with countries outside the European Union
Article 42

Page 13

1. Personal data that is subject to processing or that are intended to be processed after them
transfer to be processed only to a country outside the European Union
passed on if, without prejudice to compliance with the law, that country is appropriate
level of protection.
2. The appropriateness of the level of protection is assessed in the light of the circumstances
affecting the transfer of data or a category of data transfer. In the
special account is taken of the nature of the data, the purpose or the
purposes and with the duration of the intended processing or processing, the country of
origin and country of final destination, the general and sectoral legal rules laid down in the
third country concerned, as well as the rules of professional life and the
security measures adhered to in those countries.
Article 43
1. By way of derogation from Article 42, a transfer or a category of transfers of
personal data to a third country that does not guarantee an appropriate
protection level, take place if:
the data subject has given his unambiguous consent for this;
b. the transfer is necessary for the performance of a contract between the data subject and
the responsible party, or for taking pre-contractual measures in response to
a request from the data subject and necessary for the conclusion of one
agreement;
c. the transfer is necessary for the conclusion or execution of an in the interest of the
data subject agreement concluded or to be concluded between the controller and a third party;
d. the transfer is necessary because of an important public interest, or for the
establishing, enforcing or defending any right in law;
e. the transfer is necessary to protect a vital interest of the data subject, or
f. the transfer takes place from a register that has been established by statutory regulation and that by
any person or by any person who can rely on a legitimate interest,
can be consulted, insofar as the legal requirements are met in the case concerned
conditions for consultation.
2. Notwithstanding the first paragraph, the committee may issue a license for a transfer or a
category of transfers of personal data to a third country that does not guarantee a
provides an adequate level of protection. The further regulations are attached to the permit
covenants necessary to protect privacy and fundamental
rights and freedoms of persons, as well as the exercise of the related
rights.
Chapter 8. Supervision
Article 44
1. There is a BES Personal Data Protection Supervision Commission which has the task of supervising
to the processing of personal data in accordance with the provisions of and pursuant to this Act.
2. The committee also fulfills the tasks assigned to it by law and pursuant to a treaty.
3. The committee performs its duties independently.
Article 45
1. The committee consists of a chairman and two other members.
2. The chairman must comply with the provisions of or pursuant to Article 24 of the Common Kingdom Act
Court of Justice set requirements for appointment as a judge in the Common
Court of Justice.

Page 14

3. The chair and the members are appointed by Royal Decree, on the nomination of Our Minister,
for a period of six years.
Article 46
The members of the committee are dismissed by Royal Decree, on the recommendation of Our Minister
granted:
at the request of the data subject;
b. when the person concerned is permanently unfit for reasons of illness or disability
to fulfill function;
c. in the event of loss of Dutch citizenship;
d. when the person concerned has been given a final judgment due to a criminal offense
convicted, or a measure imposed on him by such a decision
results in deprivation of liberty;
e. when the person concerned is under guardianship due to a final judicial decision
has been declared bankrupt, has been declared bankrupt, has been granted a moratorium or
has been held hostage for debt.
Article 47
Further rules will be set by ministerial regulation about the compensation as well as the other
rights and obligations relating to the legal position of the members of the committee.
Article 48
The committee has a secretariat for its support, of which the officials pass through
Our Minister of the Interior and Kingdom Relations in accordance with Our
Minister, having heard the chairman, be appointed, suspended or dismissed.
Article 49
Our Minister may ask the committee for advice on bills and drafts
general administrative measures that relate wholly or to a significant extent to the
processing of personal data in the public bodies.
Article 50
1. The committee may initiate an investigation ex officio or at the request of an interested party
to the way in which application is given to the
determined by or pursuant to this Act.
2. The committee shall notify its provisional findings to the controller or the
group of controllers involved in the investigation and gives them the opportunity
to give their view on this.
If the preliminary findings are related to the implementation of any law, the
The committee shall also notify these to Our Minister concerned.
3. In the event of an investigation initiated at the request of the interested party, the committee shall do
to the interested party disclosure of its findings, unless such disclosure
is incompatible with the purpose of the data processing or the nature of the personal data,
or important interests of others than the applicant, including the person responsible
understood, would be disproportionately harmed. If the committee gives notice of
omits its findings, it sends the interested party such notice as it advises
occurs.
Article 51
1. The members of the committee are responsible for supervising compliance, as referred to in Article 44

Page 15

the officials of the secretariat. Title 5.2 of the General Administrative Law Act is from
applies mutatis mutandis, with the exception of Articles 5.18 and 5.19.
2. The committee is authorized to impose an order subject to administrative coercion to enforce the
obligations imposed by or pursuant to this Act. Sections 5.3.1 and 5.3.2 of the General
Administrative Law Act shall apply mutatis mutandis, with the exception of Article 5.27, second
member.
3. The persons referred to in the first paragraph are authorized to enter a home without permission
of a resident. Articles 155 to 163 of the BES Code of Criminal Procedure are
shall apply mutatis mutandis, on the understanding that the authorization referred to in Article 155
of the Code of Criminal Procedure BES, is granted by the committee.
4. No appeal is possible on a duty of confidentiality, insofar as information or cooperation
are required in connection with one's own involvement in the processing of
personal data.
Article 52
Before 1 September each year, the committee draws up a report of the activities and the activities carried out
policy in general and the efficiency and effectiveness of its operation in it
especially in the past calendar year. The report is sent to Our Minister and
generally available.
Article 53
On request, the committee will provide Our Minister with the necessary information for the performance of his duties
necessary information. Our Minister may demand access to business data and documents,
insofar as this is necessary for the fulfillment of his task.
Article 54
Rules regarding the supervision of the
processing of personal data in accordance with the provisions of or pursuant to this Act
insofar as not provided for by law.
Final provisions
Article 55
Our Minister will send a letter to the States General within five years of the entry into force of this Act
report on the effectiveness and impact of this law in practice.
Article 56
1. Within one year after the entry into force of this Act, the data processing operations on that
time already took place, brought into line with this law.
2. For adapting the processing of special data to section 2 of chapter 2
a period of three years applies, on the understanding that for processing that has already taken place and
necessary for the execution of agreements concluded before the time of
entry into force of this Act, permission does not have to be requested again if
referred to in Article 23, first paragraph, under a.
Article 57
This Act enters into force at a time to be determined by Royal Decree.
Article 58

Page 16

This act is cited as: BES Personal Data Protection Act.
Burden and order that it will be published in the Official Gazette and that all ministries,
authorities, colleges and officials to whom this may concern, ensure the accurate implementation
will love.

The Hague, 17 May 2010
Beatrix
The Minister of Justice, Minister of the Interior and Kingdom Relations,
EMH Hirsch Ballin
The State Secretary for the Interior and Kingdom Relations,
A. Th. B. Bijleveld-Schouten
Issued the first of September 2010
The Minister of Justice,
EMH Hirsch Ballin

