Processing of personal data

Dutch Personal Data Protection Act

The Dutch Personal Data Protection Act (Wet bescherming persoonsgevens or Wbp) (hereinafter referred to as ‘the Wbp’), together with more specific legislation, sets out requirements for the careful processing of personal data.

Personal data may be processed only in accordance with these statutory rules. In addition, sensitive personal data, such as data about a person’s religion, political preference, sexual orientation and race, may be processed only if there is an explicit legal basis for that.

Some key obligations pursuant to the Wbp include the following:

  • defining the purposes of the processing of personal data
  • no further processing that is incompatible with the purposes for which the data were collected
  • no processing of special personal data, unless a statutory exception applies
  • justification for the processing, such as unambiguous consent or the execution of an agreement
  • security and obligation to notify data breaches
  • provision of information to the data subject
  • rights of the data subject, including the right to inspect, the right to correct and the right to object
  • the transfer of data to other countries

Consequences of non-compliance

The failure to comply with the Wbp may have various consequences, such as enforcement actions taken by the Dutch Data Protection Authority, including the imposition of high penalties or liability towards the data subjects.

In 2018, the Wbp will be replaced by the General Data Protection Regulation (see our new GDPR mindmap).