3 January 2020

The Watchdog of Data Protection in the Netherlands

Category: Privacy law

It is almost a year since the General Data Protection Regulation (‘GDPR’) was introduced in the European Union. Since then, the data watchdogs have had their leashes extended and have hounded every passing organisation, resulting in massive increases in data breach notifications. Here we will look firstly at a brief outline of how the GDPR works in the Netherlands, and secondly, at how the GDPR has impacted the Netherlands since its introduction last year.

Protection Framework

The GDPR protects personal data by establishing a framework of supervisory bodies, strict regulations on controllers and processors, and an outline of the rights that data subjects have over their data. The GDPR is not a directive, and is directly binding on Member States of the European Union.

The data protection framework operates through two bodies: the controller or processor of the personal data, and the supervisory authority, administered by the State.

The Supervisory Authority

Under the GDPR, the state must have its own supervisory authority that is responsible for the monitoring and application of the GDPR in that state. In the Netherlands, the supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (‘AP’). The AP is responsible for complaints by data subjects about any infringement of their rights as a data subject, and will be responsible for taking action against organisations that have suffered data breaches or where the rights of data subjects have been infringed.

The supervisory authority ensures that data controllers and processors collect and use personal data lawfully and in a transparent manner, such that the data is used for the specific, explicit and legitimate purpose that it was processed for. Ultimately, the AP strictly enforces the GDPR and issues penalties to non-compliant controllers and processors. An extra level of protection applies to public authorities and to cases where the controller or processor requires regular and systematic monitoring of data subjects. A Data Protection Officer (DPO) will be involved and informed of all matters relating to the protection of that personal data. The DPO has acute knowledge of data protection laws and is obliged to notify the supervisory authority (the AP in the Netherlands) of any breaches. Any breaches discovered by the controller or by the DPO must be notified to the supervisory authority.

The Status of the GDPR in the Netherlands

A Massive Jump in Notifications in the Netherlands

The Netherlands was an early pioneer in data protection, having introduced its own data protection legislation in 2016, but this was not as strict, and the punishments are far harsher under the GDPR. Since 2016, the number of data breach reports in the Netherlands has jumped massively. In 2016 the AP had 5849 data breach reports, and this almost doubled in 2017 to 10 009. However, after the introduction of the GDPR in 2018, the AP reported 20 881 data breach notifications – a 109% increase since 2017. Such a crackdown led to social media giant Facebook changing its personal data policy following an investigation by the AP for not informing its users that their data was being used for targeted advertising. In fact, as of the end of 2018, the AP assessed 14489 data breaches and took action in 298 cases. In the majority of cases, the data breach was due to the data being sent to the wrong recipient, such as accidentally sending an email with sensitive information to someone other than the intended recipient. Thus most of the personal data leaked is names, gender and contact details; however, medical data is often subject to breaches, particularly from hacking or phishing software.

Moving Forward in the Netherlands

A serious issue that the AP noticed in 2018 was that many reports were not made by organisations, but rather by a data subject. Thus the AP will focus on data leaks that are left unreported by organisations. This is an important issue, as the AP can then check whether the infringement has been adequately addressed and whether the organisation has put steps in place to ensure that this does not happen again.

GDPR lawyer Netherlands

Would you like more information concerning the GDPR in the Netherlands? You can ask all your questions concerning the GDPR in the Netherlands to our GDPR lawyer in the Netherlands.