Page 1

Publications > Official publications

Government.nl

Home Advanced search

My subscriptions

Help

You are here: Home / Official Gazette 2018, 144

Official Gazette of the Kingdom of the Netherlands
Date of publication

Organization

Year and number

column

Date of signature

22-05-2018 09:00

Ministry of Justice and Security

Official Gazette 2018, 144

Law

16-05-2018

Actions

Law of 16 May 2018, laying down rules for the implementation of Regulation (EU) 2016/679 of the
Authentic version (PDF)

European Parliament and of the Council of 27 April 2016 on the protection of natural

Publication information

persons in connection with the processing of personal data and concerning the free movement of

related documents

those data and repealing Directive 95/46/EC (General Regulation
data protection) (OJ 2016, L 119) (General Regulation Implementing Act

To print

data protection)
Share
We Willem-Alexander, by the grace of God, King of the Netherlands, Prince of Orange-Nassau, etc. etc. etc.

Index

Salute to all who will see or hear them read! do know:
As We have considered that it is necessary to provide for legal rules implementing Regulation (EU)

salutation
Body
Signature

Publications about chamber file

2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to
with the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC
(General Data Protection Regulation) (OJEU 2016, L 119);
Having regard to Article 10, paragraphs 2 and 3, of the Constitution;
It is thus that We, having heard the Advisory Division of the Council of State, and in consultation with the States General, have approved
found and understand, as We approve and understand hereby:

Chamber file 34851
Show publications dealing with this file dossier

Consolidated Regulations

CHAPTER 1 GENERAL PROVISIONS
Article 1. Definitions
In this Act and the provisions based on it, the following definitions apply:

General Regulation Implementing Act
data protection

special categories of personal data:

the categories of personal data referred to in Article 9, first paragraph, of the Regulation

Show consolidated version on www.weten.nl

Our Minister: Our Minister for Legal Protection;
personal data of a criminal nature:
personal data concerning criminal convictions and offenses or with it
related security measures as referred to in Article 10 of the Regulation, as well as personal data concerning a
injunction imposed by the court as a result of unlawful or disruptive behaviour;
regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons in connection with the processing of personal data and with regard to the free movement of such data and to revocation
of Directive 95/46/EC (General Data Protection Regulation) (OJEU 2016, L 119).
Article 2. Material scope
1.

This Act and the provisions based on it apply to fully or partially automated
operation of personal data, as well as the processing of personal data that are included in a file or
intended to be included therein.

2.

Notwithstanding the first paragraph, this Act does not apply to the processing of personal data insofar as it
the Act on the Basic Registration of Persons, the Electoral Act or the Advisory Referendum Act applies.

3.

Subject to the provisions of Article 3, this law does not apply to the processing of personal data, referred to
in Article 2, second paragraph, of the Regulation.

Article 2a. Meeting the needs of small, medium and micro-enterprises
When applying the Regulation, the Personal Data Authority takes into account the specific needs of small, medium and
cro companies as referred to in Article 2 of the Annex to Commission Recommendation 2003/361/EC of 6 May 2003 on
the definition of small, medium and micro enterprises (OJEU 2003 L124).

Article 3. Linking provision for processing outside the scope of the regulation
1.

This Act and the provisions based on it also apply to the processing of personal data:
a.

in the context of activities that fall outside the scope of Union law;

b.

by the armed forces in the performance of activities falling within the scope of Title V, Chapter 2, of
the Treaty on European Union.

2.

The Regulation applies mutatis mutandis to the processing of personal data referred to in the first paragraph.

3.

The first and second paragraphs do not apply to:
a.

the processing of personal data by the armed forces, insofar as Our Minister of Defense decides to do so;
with a view to the deployment or making available of the armed forces for the implementation of the duties referred to in Article 97
tasks defined in the Constitution;

b.

the processing of personal data insofar as this is covered by the Intelligence and Security Services Act
2002 applies.

4.

A decision as referred to in subsection 3, under a, shall be notified to the Authorities as soon as possible.
ty personal data.

Article 4. Territorial scope
1.

This law and the provisions based on it apply to the processing of personal data in the context of
of activities of an establishment of a controller or processor in the Netherlands.

2.

This law and the provisions based on it apply to the processing of personal data of data subjects.
that are located in the Netherlands by a controller not established in the European Union or
worker, when the processing is related to:
a.

offering goods or services to these data subjects in the Netherlands, regardless of whether a payment by the
data subjects is required; or

b.

monitoring their behaviour, insofar as this behavior takes place in the Netherlands.

Article 5. Consent of legal representative
1.

If Article 8 of the Regulation does not apply, the data subject's consent shall be replaced by that of
his legal representative is required if the person concerned has not yet reached the age of sixteen.

2.

If the person concerned has been placed under guardianship, or has been placed under guardianship or mentorship for the benefit of the person concerned
has been instituted, in so far as it concerns a matter for which the person concerned is incompetent or incompetent, in
the place of the data subject's consent requires that of his legal representative.

3.

Consent can be withdrawn at any time by the legal representative of the data subject.

4.

The rights of the data subject, referred to in Chapter III of the Regulation, with regard to data subjects who
have not yet reached the age of sixteen, with regard to persons placed under guardianship and with regard to
acquaintances on whose behalf a trusteeship or mentorship has been established, exercised by their legal representatives
gers, insofar as it concerns a matter for which the person concerned is incompetent or incompetent.

5.

This article does not apply to assistance and counseling services provided directly and free of charge to a minor or
are placed under guardianship.

CHAPTER 2 THE PERSONAL DATA AUTHORITY
Section 2.1 Establishment and organization of the Dutch Data Protection Authority
Article 6. Establishment and designation as a supervisory authority
1.

There is a Personal Data Authority.

2.

The Dutch Data Protection Authority is the supervisory authority referred to in Article 51, paragraph 1, of the Regulation.

3.

Without prejudice to Article 57 of the Regulation, the Personal Data Authority has the task of supervising the processing
of personal data in accordance with the provisions laid down by and pursuant to the regulation or the law.

4.

In order to implement a binding EU legal act, after hearing the Personal Data Authority, by arrangement of
Our Minister is entrusted with tasks to the Dutch Data Protection Authority.

Article 7. Composition
1.

The Dutch Data Protection Authority consists of a chairman and two other members.

2.

Extraordinary members can also be appointed to the Dutch Data Protection Authority. When appointing outside
For ordinary members, the aim is to be spread across the various sectors of society.

3.

The chairman, the other members and the extraordinary members of the Dutch Data Protection Authority are appointed by royal decree.
shall be appointed on the recommendation of Our Minister.

4.

The chairman complies with the requirements laid down by or pursuant to Article 5 of the Judicial Officers (Legal Status) Act.
for appointment as a judge in a court of law.

5.

The appointment referred to in the third paragraph is valid for a period of five years.

6.

The chairman, the other members and the extraordinary members of the Dutch Data Protection Authority can be appointed once
reappointed for a period of five years.

7.

At their own request, the chairman, the other members and the extraordinary members of the Dutch Data Protection Authority are
dismissed by Our Minister.

8.

Article 12 of the Framework Act for Independent Administrative Bodies does not apply.

9.

There is an Advisory Board that advises the Dutch Data Protection Authority on general aspects of the protection of personal data
personal data. The members come from different sectors of society and are appointed
by Our Minister, on the recommendation of the chairman of the Dutch Data Protection Authority. The members are appointed
for a maximum of four years. Reappointment can take place twice and each time for a maximum of four years. at ministerial
In accordance with a decree, the reimbursement of the costs to the members of the Advisory Council is determined.

Article 8. Disciplinary measures for the chairman and other members
Articles 46c, 46d, second paragraph, 46f, 46g, 46i, with the exception of the first paragraph, part c, 46j, 46l, first and third paragraph, 46m, 46n,
46o and 46p of the Legal Status of Judicial Officers Act apply mutatis mutandis to the chairman and the other members andere
of the Dutch Data Protection Authority, on the understanding that:
a.

the disciplinary measure referred to in Article 46c, first paragraph, with regard to the other members of the Authority for Personal
data is imposed by the chairman of the Dutch Data Protection Authority;

b.

the prohibition referred to in Article 46c, first paragraph, under b, from engaging in an interview or conversation with party
and whether to accept their lawyers or agents or any special information or written document from them, not on the
chairman and the other members of the Dutch Data Protection Authority;

c.

the disciplinary measure referred to in Article 46c, paragraph 1, with regard to the chairman of the Personal Data Authority;
information is imposed by the President of the Court of Appeal in The Hague.

Article 9. Legal position of the chairman, other members and extraordinary members
The legal position of the chairman, the other members and the extraordinary members is regulated by or pursuant to a general order of
governance.

Article 10. Secretariat
1.

The Dutch Data Protection Authority has a secretariat, whose officials are appointed by the Dutch Data Protection Authority
be appointed, promoted, disciplined, suspended and dismissed.

2.

With regard to the officials belonging to the secretariat, the officials appointed by or pursuant to the Civil Servants Act are
powers conferred by the competent authority exercised by the Dutch Data Protection Authority, with the exception of the
authority to lay down rules or further rules.

Article 11. Budget, accountability and powers of representation
1.

Without prejudice to Article 25 of the Framework Act for Independent Administrative Bodies, the Dutch Data Protection Authority shall annually
prepare a draft budget prior to the financial year in question.

2.

In the departmental budget, referred to in Article 2.1, sixth paragraph, of the Accounts Payable Act 2016, Our Minister
annually to the Dutch Data Protection Authority a budget at the expense of the national budget.

3.

The Dutch Data Protection Authority determines the budget in accordance with the budget referred to in the second paragraph.

4.

The Dutch Data Protection Authority is represented in and out of court by the chairman and the other members, then
by one of them.

5.

The members determine a division of tasks and involve the extraordinary members as much as possible.

Article 12. Limitation of the obligation to provide information to the Minister
Article 20 of the Self-Employed Administrative Bodies Framework Act does not apply if the Dutch Data Protection Authority
from third parties under the condition that the secret nature thereof is maintained.

Article 13. Exceptions to powers regarding policy rules, destruction and neglect of duties
1.

Articles 21 and 22 of the Independent Administrative Bodies Framework Act do not apply to the Authority
personal data.

2.

Article 23 of the Framework Act for Independent Administrative Bodies only applies with regard to the
personal data financial management and administrative organization.

Section 2.2 The exercise of the duties and powers of the Dutch Data Protection Authority
Article 14. Duties and powers
1.

The Dutch Data Protection Authority is authorized to perform the tasks and exercise the powers associated with or
assigned to the supervisory authority under the Regulation.

2.

On the preparation of a decision on the approval of a code of conduct, or the amendment or extension
thereof, as referred to in Article 40, paragraph 5, of the Regulation, Section 3.4 of the General Administrative Law Act of
application.

3.

In the event of a violation of the provisions of Article 83, fourth, fifth or sixth paragraph, the Dutch Data Protection Authority may:
of the Regulation impose an administrative fine not exceeding the amounts referred to in these paragraphs.

4.

Sections 5:4 to 5:10a of the General Administrative Law Act apply mutatis mutandis to corrective
measures as referred to in Article 58, second paragraph, under b to j of the Regulation.

5.

Without prejudice to Article 4:15 of the General Administrative Law Act, the Dutch Data Protection Authority may limit the period for the
suspend the making of a decision to the extent necessary in connection with compliance with the Authority's
Personal data obligations under Articles 60 to 66 of the Regulation. The third and
fourth paragraph of Article 4:15 of the General Administrative Law Act are subject to this suspension of corresponding
application.

Article 15. Supervision of compliance
1.

With the supervision of compliance with the Regulation and the processing of personal data in accordance with the Annex
or pursuant to the law the members and extraordinary members of the Dutch Data Protection Authority, the official
employees of the secretariat of the Dutch Data Protection Authority, as well as the persons concerned by decision of the Dutch Data Protection Authority.
of designated persons.

2.

The persons referred to in the first paragraph are authorized to enter a dwelling without the consent of the occupant.

3.

The persons referred to in the first paragraph need to exercise the power described in the second paragraph:
the express and special power of attorney of the Dutch Data Protection Authority, without prejudice to the provisions of Article 2
of the General Law on Entry.

4.

It is not possible to invoke a duty of confidentiality, insofar as information or cooperation is required in
connection with its own involvement in the processing of personal data.

5.

This article and title 5.2 of the General Administrative Law Act apply mutatis mutandis to the extent necessary.
is necessary for the proper performance of the tasks performed by the Personal Data Authority in the context of main
part VII of the regulation.

Article 16. Order under administrative coercion
1.

The Dutch Data Protection Authority may impose an administrative enforcement order to enforce the provisions laid down by or pursuant to the
ordinance or this law.

2.

The Dutch Data Protection Authority may impose an administrative enforcement order to enforce Section 5:20(1),
of the General Administrative Law Act, insofar as it concerns the obligation to cooperate with a
claim from a person designated by or pursuant to Article 15, paragraph 1.

Article 17. Penalty for unlawful processing of personal data of a criminal nature
1.

The Dutch Data Protection Authority may, in the event of a violation of the provisions of Article 10 of the Regulation or
Article 31 of this Act impose an administrative fine not exceeding 20,000,000 euros or, for a company, at least
maximum 4% of the total worldwide annual turnover in the previous financial year, if this amount is higher.

2.

Article 83, paragraphs 1 to 3, of the Regulation shall apply mutatis mutandis.

Article 18. Administrative fine to governments
1.

In the event of a violation of the provisions of Article 83, fourth, fifth or sixth paragraph, the Dutch Data Protection Authority may:
of the Regulation impose an administrative fine by a public authority or body of up to
ste the amounts mentioned in these paragraphs.

2.

Article 83, paragraphs 1 to 3, of the Regulation shall apply.

Article 19. Cooperation with other supervisors
1.

The Dutch Data Protection Authority is authorized in the interest of efficient and effective supervision of the processing of
to make agreements with other supervisors and jointly with these supervisors to this end
establish cooperation protocols. A cooperation protocol is published in the Government Gazette.

2.

The Dutch Data Protection Authority and the supervisors referred to in the first paragraph are authorized on their own initiative and
upon request, obliged to provide each other with the data regarding the processing of personal data that
necessary for the performance of their duties or to comply with a legal
commitment.

Article 20. Legal action against infringements of the Regulation on transfer to a third country
1.

If the Dutch Data Protection Authority in an investigation concerning the transfer of personal data to a country
outside the European Union or to an international organization established at the request of an interested party, based on
has reason to believe that a decision issued by the European Commission with regard to the relevant country or
relevant international organization has taken adequacy decision as referred to in Article 45, first paragraph, of the
regulation or a decision taken by the European Commission regarding the adoption or approval of
standard provisions as referred to in Article 46, second paragraph, under c and d, of the Regulation insufficiently guarantee
provides an appropriate level of data protection, the Authority may request personal data from the Division
submit a request to the administrative courts of the Council of State to declare that the relevant decision
is valid.

2.

3.

The petition is signed and contains at least:
a.

the date;

b.

the grounds of the request;

c.

the names of the interested party and the party that is the subject of the investigation referred to in the first paragraph.

A copy of the interested party's request for enforcement of or
rules laid down by law regarding the protection of personal data, to which it referred to in the second paragraph
petition of the Dutch Data Protection Authority and other matters relating to the case are
documents sent.

4.

Without prejudice to Article 4:15 of the General Administrative Law Act, the term for making a decision is
the request for enforcement has been suspended from the day after the day on which the Dutch Data Protection Authority
seeker notifies that the first paragraph has been applied until the day on which the Administrative Jurisdiction Division of the
Council of State has made a decision as referred to in the sixth paragraph.

5.

Titles 8.1 and 8.2 of the General Administrative Law Act apply mutatis mutandis to the handling of the request
applicable, with the exception of Articles 8:1 to 8:10, 8:41, Sections 8.2.2a and 8.2.4a and Articles
8:70, 8:72 and 8:74. The parties referred to in the second paragraph, under c, are regarded as parties to the proceedings.

6.

If the Administrative Jurisdiction Division of the Council of State, whether or not after a preliminary reference under Article grond
267 of the Treaty on the Functioning of the European Union to the Court of Justice of the European Union, for
If the decision of the European Commission submitted to it is valid, it shall declare that to be the case.
Does it consider, following a preliminary reference to the Court of Justice of the European Union, that it is
If the decision made is invalid, it will reject the request.

7.

The Administrative Jurisdiction Division of the Council of State may decide to defer the request if the Court of Appeal
Justice of the European Union already pending a preliminary question regarding the validity of the relevant decision
is.

8.

There is no provision against deferring the request by the Administrative Jurisdiction Division of the Council of State.
opening.

Article 21. Designation of the accrediting body
By ministerial regulation, either the Dutch Data Protection Authority or the Accreditation Council or both are designated as
crediting agency as referred to in Article 43 of the Regulation.

CHAPTER 3 PROVISIONS GOVERNING THE IMPLEMENTATION OF THE REGULATION
Section 3.1 Special categories of personal data
Article 22. Ban on processing special categories of personal data and general exceptions from the regulation
1.

In accordance with Article 9, first paragraph, of the Regulation, processing of personal data revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, or trade union membership
and processing of genetic data, biometric data for the purpose of uniquely identifying a
person, or data about health, or data related to a person's sexual behavior or sexual orientation
forbidden.

2.

In accordance with Article 9, second paragraph, under a, c, d, e and f, of the Regulation, the prohibition of special categories
processing of personal data does not apply if:
a.

the data subject has given explicit consent to the processing of those personal data for
one or more specified purposes;

b.

the processing is necessary to protect the vital interests of the data subject or of another
natural person, if the data subject is physically or legally incapable of giving consent;

c.

the processing is carried out by a foundation, an association or another non-profit body
who is active in the political, philosophical, religious or trade union field, in the context of its
justified activities and with appropriate safeguards, provided that the processing relates solely to the
members or former members of the agency or to persons who, in connection with its purposes, regularly
maintain contact with her, and do not transfer the personal data without the consent of the data subjects.
be provided to that body;

d.

the processing relates to personal data that have apparently been made public by the data subject;
or

e.

the processing is necessary for the establishment, exercise or defense of legal claims, or
the courts act within the scope of their jurisdiction.

Article 23. General exceptions under national law
In view of Article 9(2)(g) of the Regulation, the prohibition on transferring special categories of personal data is
do not apply if:
a.

the processing is necessary to comply with an international law obligation;

b.

the data is processed by the Dutch Data Protection Authority or an ombudsman as referred to in Article 9:17 of
the General Administrative Law Act, and insofar as the processing is necessary for the execution of their legal obligations.
tasks carried out, provided that such safeguards are provided for in such performance that the personal life and
atmosphere of the person concerned is not disproportionately harmed; or

c.

the processing is necessary in addition to the processing of personal data of a criminal nature for the purposes of
purposes for which this data is processed.

Article 24. Exceptions for scientific or historical research or statistical purposes
In view of Article 9(2)(j) of the Regulation, the prohibition on transferring special categories of personal data is
do not apply if:
a.

the processing is necessary for scientific or historical research or statistical purposes
in accordance with Article 89, first paragraph, of the Regulation;

b.

the investigation, referred to in subsection a, serves a public interest;

c.

requesting explicit permission proves impossible or involves a disproportionate effort; and

d.

during the execution, such safeguards are provided that the privacy of the data subject is not disproportionate
is harmed.

Article 25. Exceptions to the processing of personal data showing racial or ethnic origin
In view of Article 9(2)(g) of the Regulation, the prohibition on processing personal data revealing race or ethnic
origin appears, not applicable if the processing takes place:
a.

for the purpose of identifying the data subject, and only to the extent that the processing is unavoidable for that purpose;
or

b.

with the aim of conferring a privileged position on persons of a particular ethnic or cultural minority group
in order to eliminate or reduce de facto disadvantages related to racial or ethnic origin, and
only insofar as:
1°.

the processing is necessary for that purpose;

2°.

the data relate to the country of birth of the person concerned, his parents or his grandparents,
or on other criteria established by law on the basis of which it can be determined in an objective manner
whether someone belongs to a particular ethnic or cultural minority group; and

3°.

the data subject has not objected in writing to the processing.

Article 26. Exceptions to the processing of personal data showing political views for fulfillment in public
functions
In view of Article 9, second paragraph, part g, of the Regulation, the prohibition on processing personal data from which political
opinions, not applicable, if the processing takes place with a view to the requirements with regard to political opinions
can reasonably be made in connection with the performance of functions in administrative bodies and advisory boards.

Article 27. Exceptions to the processing of personal data showing religious or ideological beliefs
for spiritual care
1.

In view of Article 9(2)(g) of the Regulation, the prohibition on processing personal data is
from religious or ideological convictions, does not apply, if the processing is carried out by
institutions other than the institutions referred to in Article 22, second paragraph, under c, and insofar as the processing
is necessary with a view to the spiritual care of the person concerned, unless he objects to this in writing
has made.

2.

In the cases referred to in the first paragraph, no personal data will be provided to third parties without the consent of
the person concerned.

Article 28. Exceptions regarding genetic data
1.

In view of Article 9(2)(g) of the Regulation, the prohibition on processing genetic data is not
applicable, if this processing takes place in relation to the data subject with whom the relevant data
windows have been obtained.

2.

In cases other than those referred to in the first paragraph, the prohibition to process genetic data shall not apply solely to
applicable, if:
a.

a serious medical interest prevails; or

b.

the processing is necessary for the purpose of scientific research that serves a public interest or
for the purpose of statistics, if:
1°.

the data subject has given explicit consent; and

2°.

during the execution, such guarantees are provided that the privacy of the person concerned
is not disproportionately harmed.

3.

Consent as referred to in the second paragraph, under b, is not required if the request for explicit consent is
ing proves impossible or involves a disproportionate effort.

Article 29. Biometric data exceptions
In view of Article 9(2)(g) of the Regulation, the prohibition on using biometric data with a view to the unique
process identification of a person does not apply, if the processing is necessary for authentication or security purposes
purposes.

Article 30. Health data exceptions
1.

In view of Article 9(2)(b) of the Regulation, the prohibition on processing health data is
do not apply if the processing is carried out by administrative bodies, pension funds, employers or institutions.
persons working on their behalf, and insofar as the processing is necessary for:
a.

proper implementation of statutory regulations, pension schemes or collective labor agreements
which provide for entitlements that depend on the health status of the data subject; or

b.

the reintegration or guidance of employees or beneficiaries in connection with illness or
incapacity for work.

2.

In view of Article 9(2)(g) of the Regulation, the prohibition on processing health data is
do not apply if the processing is carried out by:
a.

schools, insofar as the processing with a view to the special supervision of pupils or the taking of additional
special provisions in connection with their state of health are necessary;

b.

a probation institution, a special probation officer, the child protection council, the
certified institution, as referred to in Article 1.1 of the Youth Act, or the legal person, as referred to in Article 256, before
first paragraph, or Article 302, second paragraph, of Book 1 of the Dutch Civil Code, insofar as the processing is necessary
is for the performance of the statutory duties assigned to them; or

c.

Our Minister and Our Minister of Justice and Security insofar as the processing in connection with the
implementation of custodial measures is necessary.

3.

In view of Article 9(2)(h) of the Regulation, the prohibition on processing health data is
do not apply if the processing is carried out by:
a.

care providers, institutions or facilities for health care or social services, for
to the extent that the processing is necessary for the proper treatment or care of the data subject
or the management of the relevant institution or professional practice; or

b.

insurers as referred to in Article 1:1 of the Financial Supervision Act or financial service providers that
resources in insurance as referred to in Article 1:1 of that Act, insofar as the processing is necessary for:
1°.

the assessment of the risk to be insured by the insurer and the person concerned has no objections
made; or

2°.

the execution of the insurance contract or assisting in the management and
ring of insurance.

4.

If the first, second or third paragraph is applied, the data will only be processed by personal
who, by virtue of an office, profession or legal regulation or pursuant to a confidentiality agreement
are obliged. If the controller processes personal data and not already on him by virtue of
of office, profession or legal regulation is subject to a duty of confidentiality, he is obliged to observe secrecy of the
information, except insofar as the law obliges him to notify or the necessity arises from his task that the
data are communicated to others who are authorized to process under the first, second or third paragraph
of that.

5.

The prohibition to process other special categories of personal data does not apply if the
operation is necessary in addition to the processing of health data, referred to in the third paragraph, preamble
and part a, with a view to proper treatment or care of the data subject.

6.

With regard to the application of the first paragraph and the third paragraph, opening words and subsections may be made by order in council:
part b, further rules are laid down.

Section 3.2 Personal data of a criminal nature
Article 31. Exceptions to the obligation to process under government supervision
Without prejudice to Article 10 of the Regulation, personal data of a criminal nature may only be processed in so far as this
permitted under Articles 32 and 33.

Article 32. General grounds for exception with regard to data of a criminal nature
Personal data of a criminal nature may be processed if:
a.

the data subject has given explicit consent to the processing of those personal data for one or more
more specific purposes;

b.

the processing is necessary to protect the vital interests of the data subject or of another natural person
person, if the data subject is physically or legally incapable of giving consent;

c.

the processing relates to personal data that have apparently been made public by the data subject;

d.

the processing is necessary for the establishment, exercise or defense of legal claims, or where
rights act within the scope of their jurisdiction;

e.

the processing is necessary for reasons of important public interest as referred to in Article 23, under a and
b; or

f.

the processing is necessary for scientific or historical research or statistical purposes
in accordance with Article 89, first paragraph, of the Regulation, and the conditions referred to in Article 24, underlen b to d.

Article 33. Other grounds for exception with regard to data of a criminal nature
1.

Personal data of a criminal nature may be processed if:
a.

the processing is carried out by bodies charged by law with the application of criminal law,
or by controllers who have obtained them pursuant to the Police Data Act or
the Judicial and Criminal Data Act;

b.

the processing takes place by and for the benefit of public law partnerships of processing
controllers or groups of controllers, if:
1°.

the processing is necessary for the performance of the task of these controllers
or groups of controllers; and

2°.

during the execution, such guarantees are provided that the privacy of the person concerned
is not disproportionately harmed; or

c.

the processing is necessary in addition to the processing of health data, referred to in Article
30, third paragraph, opening words and part a, with a view to proper treatment or care of the person concerned.

2.

Personal data of a criminal nature may be processed by the controller who
processed data for its own benefit:
a.

to assess a request from the person concerned to make a decision about him or to give him a performance
tie to deliver; or

Page 2

b.

for the protection of his interests, insofar as it concerns criminal offenses that are or on the basis of facts and
circumstances are likely to be committed against him or against persons employed by him
to be.

3.

Personal data of a criminal nature about personnel employed by the controller may
be processed conclusively, if this is done in accordance with rules established in accordance with the
procedure referred to in the Works Councils Act.

4.

Personal data of a criminal nature may be processed on behalf of third parties:
a.

by controllers acting under a license under the Private Act
security organizations and detective agencies;

b.

if this third party is a legal entity affiliated with the same group as referred to in Article 24b of Book 2
of the Civil Code; or

c.

if the Dutch Data Protection Authority, with due observance of the fifth paragraph, a permit for the processing
has granted.

5.

A license as referred to in the fourth paragraph, under c, can only be granted if the processing is necessary.
with a view to a compelling interest of third parties and such guarantees have been provided during the execution that
the privacy of the data subject is not disproportionately harmed. The permit may be subject to
to be connected.

Section 3.3 Legal protection
Article 34. Applicability of the General Administrative Law Act by decision of administrative authorities
A written decision on a request as referred to in Articles 15 to 22 of the Regulation is taken within the in
periods referred to in Article 12, third paragraph, of the Regulation and, insofar as it has been taken by an administrative authority, shall be regarded as a
decision within the meaning of the General Administrative Law Act.

Article 35. Applicability of civil law to decisions of non-administrative bodies
1.

If the decision on a request as referred to in Article 34 has been taken by a body other than an administrative body, the
interested party apply to the court with a written request to order the controller
to grant or reject the request as referred to in Articles 15 to 22 of the Regulation.

2.

The petition is submitted within six weeks of receipt of the response from the controller.
decent. If the controller does not comply within the referred to in Article 12(3) of the Regulation,
has replied within time limits, the submission of the application is not subject to any time limit.

3.

The court grants the request, in so far as it considers it justified. Before making a decision, the court shall, if necessary,
stakeholders the opportunity to express their views.

4.

The application need not be filed by a lawyer.

5.

The third section of the fifth title of the Second Book of the Code of Civil Procedure is of
corresponding application.

6.

The court may request the parties and others to provide written information within a period to be determined by the court.
to send in documents held by them. The controller and interested party are obliged
to comply with this request. Articles 8:45, paragraphs 2 and 3, and 8:29 of the General Administrative Law Act are of
similar applications.

Article 36. Dispute resolution by the Dutch Data Protection Authority or via code of conduct
1.

The interested party may also object within the term set for lodging an appeal on the basis of the General
Administrative Law Act, or those referred to in Article 35, second paragraph, who apply to the Dutch Data Protection Authority with the
request to mediate or advise in his dispute with the controller, or make use of
a dispute settlement scheme as referred to in Article 40(2)(k) of the Regulation, on the basis of
an approved code of conduct as referred to in Article 40(5) of the Regulation. In that case, the appeal may
deviation from Article 6:7 of the General Administrative Law Act or the procedure pursuant to Article
Article 35 may still be brought before the interested party has notified the Dutch Data Protection Authority
received notice that the case has been closed or has been notified pursuant to the dispute settlement scheme
received that the handling of the case has ended, but no later than six weeks after that time.

2.

During the handling of the appeal and the procedure referred to in the first paragraph, the authorities charged with
with the handling of the dispute, obtain advice from the Dutch Data Protection Authority.

Article 37. Representation of data subjects
Processing cannot be based on a claim as referred to in Section 305a of Book 3 of the Dutch Civil Code.
book or an appeal lodged in administrative proceedings by an interested party within the meaning of Article 1:2, third paragraph, of the
General Administrative Law Act , insofar as the person affected by this processing objects to it.

Article 38. Suspensive effect of objection and appeal
The effect of the decision to impose the administrative fine is suspended until the objection or appeal period has expired.
or, if an objection has been lodged or an appeal has been lodged, until a decision has been made on the objection or appeal.

Section 3.4 The data protection officer
Article 39. Confidentiality
The data protection officer, referred to in Articles 37 to 39 of the Regulation, is obliged to maintain confidentiality.
of what has become known to him on the basis of a complaint or a request from the data subject, unless the data subject
king agrees.

SECTION 4 EXCEPTIONS AND LIMITATIONS
Article 40. Exceptions to the prohibition of automated individual decision-making
1.

Article 22(1) of the Regulation does not apply if the automated individual records referred to in that provision
closure, other than based on profiling, is necessary to comply with a legal obligation that
the controller rests or is necessary for the performance of a task carried out in the public interest.

2.

In the automated individual decision-making referred to in the first paragraph, the controller shall
appropriate measures for the protection of the rights and freedoms and legitimate interests of the
person concerned.

3.

If the controller is not an administrative body, then appropriate measures as referred to in the
second paragraph, in any case affected if the right to human intervention, the right for the person concerned to be
position and the right to challenge the decision are guaranteed.

Article 41. Exceptions to the rights of the data subject and obligations of the controller
1.

The controller may exercise the obligations and rights referred to in Articles 12 to 21 and Article .
34 of the Regulation, to the extent necessary and proportionate to ensure:
a.

national security;

b.

national defense;

c.

public safety;

d.

the prevention, investigation, detection and prosecution of criminal offenses or the execution of
punishments, including protection against and prevention of dangers to public safety;

e.

other important objectives of general interest of the European Union or of the Netherlands, in particular a
important economic or financial interest of the European Union or of the Netherlands, including monetary
re, budget and tax matters, public health and social security;

f.

the protection of the independence of the judiciary and judicial proceedings;

g.

the prevention, investigation, detection and prosecution of violations of professional codes of conduct
regulated professions;

h.

any supervisory, inspection, or regulatory task associated, even incidentally, with the
exercising public authority in the cases referred to in subparagraphs a, b, c, d, e and g;

2.

i.

the protection of the data subject or the rights and freedoms of others; or

j.

the collection of civil claims.

In applying the first paragraph, the controller shall take into account in any event, to the extent that:
application:
a.

the purposes of the processing or of the categories of processing;

b.

the categories of personal data;

c.

the scope of the introduced restrictions;

d.

the safeguards to prevent misuse or unlawful access or transfer;

e.

the specification of the controller or the categories of controllers;

f.

the storage periods and the applicable safeguards, taking into account the nature, scope and purpose of
the processing or the categories of processing;

g.

the risks to the rights and freedoms of data subjects; and

h.

the right of data subjects to be informed of the restriction, unless this could prejudice
to the purpose of the restriction.

Article 42. Exception to the obligation to report data leaks to the data subject
Article 34 of the Regulation does not apply to financial undertakings as referred to in the Financial Supervision Act.

Article 43. Exceptions for journalistic purposes or academic, artistic or literary expression
1.

This Act, with the exception of Articles 1 to 4 and 5, paragraphs 1 and 2, does not apply to the
operation of personal data for exclusively journalistic purposes and for the purpose of exclusively academic,
artistic or literary expressions.

2.

The following chapters and articles of the Regulation do not apply to the processing of personal data
data for journalistic purposes only and for the benefit of academic, artistic or literary
expressions:

3.

a.

Article 7, paragraph 3, and Article 11, paragraph 2:

b.

chapter III;

c.

Chapter IV, with the exception of Articles 24, 25, 28, 29 and 32;

d.

chapter V;

e.

chapter VI; and

f.

chapter VII.

Articles 9 and 10 of the Regulation shall not apply to the extent that the processing of the data specified in those Articles
the data referred to is necessary for the journalistic purpose or the academic, artistic or literary form of expression.

Article 44. Exceptions regarding scientific research and statistics
If processing is carried out by institutions or services for scientific research or statistics, and the necessary
checks have been made to ensure that the personal data can only be used for statistical or scientific purposes.
When used, the controller may disapply Articles 15, 16 and 18 of the Regulation.

Article 45. Exceptions regarding archiving in the public interest
1.

When processing personal data that are part of archive documents as referred to in Article 1, part c,
of the Archives Act 1995, which are held in an archive repository as referred to in Article 1(f) of that Act, are
Articles 15, 16, 18(1)(a) and 20 of the Regulation do not apply.

2.

The person concerned has the right to inspect the archive documents, unless requests for inspection are
that they cannot reasonably be complied with.

3.

The person concerned has the right, in the event of incorrect personal data, to submit his own reading to the relevant archive
modestly add.

Article 46. Processing national identification number
1.

A number prescribed by law to identify a person is used in the processing of personal data.
vens only used for the implementation of the relevant law or for purposes determined by law.

2.

Cases other than those referred to in subsection 1 may be designated by order in council in which:
a number to be designated as referred to in the first paragraph may be used. Further rules may be
information about the use of such a number.

Article 47. Exceptions to data subject rights in public registers
1.

Articles 15, 16, 18 and 19 of the Regulation do not apply to public registers established by law,
if by or pursuant to that law a special procedure for the improvement, addition, removal or protectionscherm
of data is arranged.

2.

Article 21 of the Regulation does not apply to public registers established by law.

CHAPTER 5 TRANSITIONAL AND FINAL PROVISIONS
Article 48. Transitional law
1.

The person who was appointed as a member of the Board for the Protection of Persons prior to the entry into force of this Act.
personal data, has been legally appointed as a member of the Dutch Data Protection Authority.

2.

The person appointed as chairman of the Board of Protection prior to the entry into force of this Act deze
personal data, has been legally appointed as chairman of the Dutch Data Protection Authority.

3.

For determining the period of appointment referred to in Article 7, fifth paragraph, the period completed as chairman shall apply.
ter of the Personal Data Protection Board, prior to the entry into force of this Act as a period,
fulfilled as chairman of the Dutch Data Protection Authority.

4.

The members of the Personal Data Protection Board who were appointed or reappointed before 1 January 2014,
Article 53, paragraph 3, first, second and third sentence, of the Personal Data Protection Act applies, such as
that was before that time.

5.

The civil servant appointed to the secretariat of the Board of Directors prior to the entry into force of this Act
protection of personal data, has been legally appointed as an official in the secretariat of the Authority
personal data.

6.

Decisions taken prior to the entry into force of this Act by the Personal Protection Board
data automatically count as decisions taken by the Dutch Data Protection Authority.

7.

In legal proceedings and legal proceedings in which the Personal Data Protection Board prior to the
entry into force of this law, the Dutch Data Protection Authority shall automatically replace the
College for the protection of personal data.

8.

On legal procedures and lawsuits in which the Personal Data Protection Board prior to the
entry into force of this Act, the law applicable prior to its entry into force shall apply.
thing of this law.

9.

At the time of entry into force of this Act, the Dutch Data Protection Authority will act in cooperation protocols
to take the place of the Personal Data Protection Board by operation of law.

10.

On written requests as referred to in Article 46 of the Personal Data Protection Act, legal proceedings based on
of Article 49 of the Personal Data Protection Act and claims based on Article 50 of the Personal Data Protection Act
ming personal data, which are already pending before the court at the time of entry into force of this law is
applicable law as it applied prior to the entry into force of this Act.

11.

A statement of lawfulness of the data processing made prior to the entry into force of this law
issued on the basis of Article 32(5), in conjunction with Article 22(4)(c) of the Protection Act
personal data, is legally regarded as a license within the meaning of Article 33, fourth paragraph, under c, of this Act.

12.

Insofar as this Act does not provide for this, rules or further rules may be laid down by order in council
regarding the implementation of the Regulation or this Act.

Article 48a. Transitional law II
1.

At the end of Article 6, first paragraph, the following is added: "The Dutch Data Protection Authority has legal personality."

2.

In Article 11, first paragraph, «Without prejudice to Article 25 of the Framework Act for independent administrative bodies, the Authorities
ty of personal data» replaced by «The Authority for personal data sets».

3.

At the time of entry into force of this article, the officials of the secretariat referred to in article 10, first
member, whose name and position are listed on a document issued by Our Minister in consultation with the Dutch Data Protection Authority;
list, dismissed by operation of law and appointed as an official employed by the Dutch Data Protection Authority.

4.

Our Minister determines, in agreement with Our Minister of Finance, which assets of the
State are assigned to the Dutch Data Protection Authority.

5.

At the time of entry into force of this article, the assets referred to in the fourth paragraph shall be subject to
general title to be determined by Our Minister in agreement with Our Minister of Finance
value.

6.

In the event that registered property is transferred pursuant to paragraphs 4 and 5, Our Minister of Finance shall make the transfer
of those registered property without delay in the public registers referred to in Section 2 of Title 1 of Book 3 of
the Civil Code. Article 24, first paragraph, of Book 3 of the Dutch Civil Code does not apply.

7.

In legal proceedings and legal proceedings, in which the Dutch Data Protection Authority is involved, at the time
of the entry into force of this article, the Dutch Data Protection Authority in place of the State or Our Minister.

8.

In cases in which a request has been made to the National Ombudsman before the entry into force of this article,
to make an inquiry or the National Ombudsman has launched an investigation into conduct that may be
attributed to the Dutch Data Protection Authority, the Personal Data Authority will act as administrative authority at that time.
within the meaning of the National Ombudsman Act, take the place of Our Minister.

Article 49. Concurrence
1. If Article 168 of the Intelligence and Security Services Act 2017 has entered into force before the time
on which this Act enters into force, Article 3(3)(b) of this Act shall contain the phrase «the
intelligence and security services 2002» replaced by: the Intelligence and Security Services Act 2017.
2. If Article 168 of the Intelligence and Security Services Act 2017 comes into force on or after the time
on which this Act entered into force, with effect from the date of entry into force of Article 168 of the
The Intelligence and Security Services Act 2017, in Article 3(3)(b) of this Act, the phrase «the Act
on the intelligence and security services 2002» replaced by: the Intelligence and Security Services Act 2017.

Article 50. Evaluation
Within three years after the entry into force of this Act, and thereafter every four years, Our Minister shall send to the States General
a report on the effects of this Act in practice and on the implementation of the Act in practice.

Article 51. Repeal of the Personal Data Protection Act
The Personal Data Protection Act is repealed.

Article 52. Official title of the regulation
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural peron the processing of personal data and on the free movement of such data and repealing Directives
line 95/46/EG (General Data Protection Regulation) (PbEU 2016, L 119) is cited in other legislation as: General
data protection regulation.

Article 53. Entry into force
The Articles of this Act shall come into force at a time to be determined by Royal Decree, which for the various Articles or
parts thereof can be determined differently.

Article 54. Official title of the law
This law is cited as: Implementation Act of the General Data Protection Regulation.
Charges and orders that it be placed in the Official Gazette and that all ministries, authorities, colleges and officials who
hist note

concerned, will adhere to the accurate execution.
Given in Wassenaar, May 16, 2018

Willem Alexander
The Minister for Legal Protection,
S. Dekker

The Minister of the Interior and Kingdom Relations,
KH Ollongren

The State Secretary for the Interior and Kingdom Relations,
RW Knops

Released the twenty-second of May 2018
The Minister of Justice and Security,
FBJ Grapperhaus

hist note
Parliamentary paper 34 851

› About this website

› Reuse information

› Open dates

› MijnOverheid.nl

› Contact

› Privacy and cookies

› Linked Data Government

› Rijksoverheid.nl

› English

› Accessibility

› PUC Open Data

› Entrepreneurs Square

› Help

› Site map

› Werkenbijdeoverheid.nl

› Search

Staatsblad, Staatscourant and Tractatenblad will be published as PDF files with effect from 1 July 2009. The PDF files of these magazines provided here constitute the formal disclosures within the meaning of the
Constitution. For publications from before this date, only the papers published in paper form have formal status; the electronic versions thereof provided herein are provided as a courtesy.

