Yesterday the Dutch Government put the GDPR Implementation Bill before Parliament. The aim of the bill is to supplement the General Data Protection Regulation (GDPR) which will be enforced from 25 May 2018. The GDPR Implementation Bill in the Netherlands refers to the personal data of people living in The Netherlands. It applies to all businesses or organisations that are based within the Netherlands, as well as those that provide goods or services to anyone who resides in the country.
What the Bill says about Article 8 of the GDPR
Article 8 of the GDPR refers to the age of consent being sixteen. The bill emphasises this, and also adds that any person older than sixteen, who has a legal guardian due to mental impairment issues, needs to be represented by the parent or guardian when it comes to providing consent.
What has changed for the Data Protection Authority?
The simple answer to this question is that not much has changed, as a result of the Bill. The authority of the DPA has been re-emphasised and it’s structure is the same. However, the DPA is no longer part of the Ministry of Justice; it now has its own payroll.
The Bill emphasises the fact that the DPA will have the authority to exercise powers of enforcement and sanction, in order to ensure compliance with GDPR. This means that the DPA can terminate illegal processing if it chooses to do so, or it can force businesses to cease processing. It can also impose fines, and other sanctions, when non-compliance is identified.
About Chapter 3 of the Bill
There are certain exceptions concerning the processing of special data which already exist in the Data Protection Act (DPA) of the Netherlands. These exceptions refer to who can process certain items of special data and when it can be processed. The Bill refers to Article 9(2)(g) of the GDPR which refers to substantial public interest, in order to justify the existence of these exceptions.
A further exception, regarding the use of biometric data in the workplace has been added. This is due to the fact that not using biometric data for security purposes could potentially put the secure processing of personal data at risk.