Home / Insight / GDPR


Back to Data protection

The EU data protection landscape, having remained largely unchanged since 1995, is now on the brink of a radical transformation. After extensive negotiations, the GDPR was formally adopted on 4 May 2016 and is set to replace most EU data protection legislation.

Unlike the current Directive, the GDPR will be directly applicable in all EU Member States without the need for national legislation. It will apply from 25 May 2018.

The GDPR brings new concepts into the regulatory spotlight, including profiling and the right to be forgotten. It imposes extensive new obligations on businesses and transforms the role of the Data Processor. Rights for individuals are significantly strengthened and maximum fines in respect of breaches are increased exponentially to €20,000,000 or 4% of annual worldwide turnover under the GDPR.

If you would like more information on the GDPR or the Directive, please contact one of the members of our Data Protection & Privacy team.

Data Law Nav­ig­at­or | The Neth­er­lands
<link xlink:href="ez­loca­tion://414164" xlink:show="none"><< back to Over­view</link>The con­tent will be peri­od­ic­ally up­dated by our law­yers but, giv­en the con­stantly evolving laws in this area, we can­not guar­an­tee the con­tent is com­plete and ac­cur­ate.Jump dir­ectly to Cy­ber Se­cur­ity >> <an­chor xml:id="re­write_Data_Pro­tec­tion"/>Data Pro­tec­tionLast up­dated May 2020Risk scaleme­di­umLaws Gen­er­al Data Pro­tec­tion Reg­u­la­tion (“GDPR”)Dutch GDPR Im­ple­ment­a­tion Act (“DGIA”, in Dutch: Uit­vo­er­ing­swet Alge­mene ver­or­den­ing gegevens­bes­cherm­ing)Dutch Tele­com­mu­nic­a­tions Act (in Dutch: Tele­com­mu­nic­atiewet)Au­thor­ityDutch Data Pro­tec­tion Au­thor­ity (“DDPA”, in Dutch: Autor­iteit Per­soonsgegevens)If ap­plic­able: stage of le­gis­lat­ive im­ple­ment­a­tion of GDPRThe Dutch Par­lia­ment passed the DGIA that be­came ef­fect­ive on 25 May 2018.If ap­plic­able: loc­al derog­a­tions as per­mit­ted by GDPR The DGIA takes a policy-neut­ral ap­proach to im­ple­ment­a­tion of the GDPR. This means that only ex­ist­ing ex­cep­tions will be main­tained. This ap­plies, for ex­ample, to the reg­u­la­tion on the pro­cessing of a na­tion­al per­son­al iden­ti­fic­a­tion num­ber and the pro­cessing of spe­cial cat­egor­ies of per­son­al data.ScopeThe DGIA ap­plies to the pro­cessing of per­son­al data (wholly or partly by auto­mated means and to the pro­cessing oth­er than by auto­mated means of per­son­al data which form part of a fil­ing sys­tem or are in­ten­ded to form part of a fil­ing sys­tem):in the con­text of activ­it­ies of an es­tab­lish­ment of a con­trol­ler or pro­cessor in the Neth­er­lands; andof data sub­jects in the Neth­er­lands by a con­trol­ler or pro­cessor not es­tab­lished in the European Uni­on, where the pro­cessing activ­it­ies are re­lated to:of­fer­ing goods or ser­vices to such data sub­jects in the Neth­er­lands, ir­re­spect­ive of wheth­er pay­ment is re­quired from them; or the mon­it­or­ing of their be­ha­viour in so far as this be­ha­viour takes place with­in the Neth­er­lands.The DGIA does not ap­ply to the pro­cessing of data:in the course of a purely per­son­al or house­hold activ­ity;by or on be­half of the in­tel­li­gence and se­cur­ity ser­vices;which is gov­erned by or pur­su­ant to the Per­sons Data­base Act;for the im­ple­ment­a­tion of the Ju­di­cial In­form­a­tion and Crim­in­al Re­cords Act;for the im­ple­ment­a­tion of the Elec­tion Act;by the armed forces if the Min­is­ter of De­fence de­cides that the data pro­cessing is for the pur­poses of de­ploy­ing or mak­ing avail­able the armed forces to main­tain or pro­mote the in­ter­na­tion­al leg­al or­der;car­ried out solely for journ­al­ist­ic, artist­ic or lit­er­ary pur­poses.Pen­al­ties/en­force­mentSanc­tions un­der the GDPR:Fin­an­cial pen­al­ties are the primary sanc­tion against the con­trol­ler and the pro­cessor, thus, against the com­pany.Pen­al­ties:Up to EUR10 mil­lion or up to 2% of total glob­al sales for com­pan­ies (in case of in­val­id con­sent of chil­dren, vi­ol­a­tion of pri­vacy by design, etc.);Up to EUR20 mil­lion or up to 4% of total glob­al sales for com­pan­ies (in case of vi­ol­a­tion of prin­ciples (in­clud­ing con­sent), in­ad­miss­ible trans­fer to third coun­tries, etc.).Re­gis­tra­tion/no­ti­fic­a­tion In ac­cord­ance with Art­icle 36 GDPR: the con­trol­ler shall con­sult the su­per­vis­ory au­thor­ity pri­or to pro­cessing where a data pro­tec­tion im­pact as­sess­ment (un­der Art­icle 35 GDPR) in­dic­ates that the pro­cessing would res­ult in a high risk in the ab­sence of meas­ures taken by the con­trol­ler to mit­ig­ate the risk.Main ob­lig­a­tions and pro­cessing re­quire­mentsThe main ob­lig­a­tions and pro­cessing re­quire­ments are identic­al the pro­vi­sions as set out in the GDPR.Data sub­ject rightsIn ac­cord­ance with Chapter III GDPR.Pro­cessing by third partiesIn ac­cord­ance with Art­icle 28 GDPR.Trans­fers out of Coun­tryIn ac­cord­ance with Chapter V GDPR.Data Pro­tec­tion Of­ficerIn ac­cord­ance with Art­icles 37-39 GDPR.The DGIA provides that the data pro­tec­tion of­ficer must main­tain the secrecy of any in­form­a­tion that be­comes known to him or her pur­su­ant to a com­plaint by or re­quest from a data sub­ject, un­less the data sub­ject agrees to dis­clos­ure.Se­cur­ityIn ac­cord­ance with Art­icle 32 GDPR.Breach no­ti­fic­a­tionIn ac­cord­ance with Art­icles 33-34 GDPR.The data breach no­ti­fic­a­tion ob­lig­a­tion to­wards data sub­jects does not ap­ply to fin­an­cial com­pan­ies as re­ferred to in the Fin­an­cial Su­per­vi­sion Act (in Dutch: Wet op het Fin­an­cieel Toe­zicht).Dir­ect Mar­ket­ingIn sum­mary, as re­ferred in art­icle 11.7 of the Tele­com­mu­nic­a­tions Act:By fax, e-mail and SMS: pri­or con­sent re­quired (opt-in);By means of tele­phone or oth­er means: al­lowed un­less someone op­ted-out. Also, be aware of the ex­ist­ence of the "do not call me re­gister" (Bel-me-niet Re­gister) and the "mail fil­ter" (Post­fil­ter).There are a num­ber of spe­cif­ic ex­cep­tions to the re­quire­ment of con­sent:If the user is a leg­al en­tity or a nat­ur­al per­son act­ing in the ex­er­cise of its/his pro­fes­sion or busi­ness, no pri­or con­sent shall be re­quired for the trans­mis­sion by means of elec­tron­ic mail of un­so­li­cited com­mu­nic­a­tions for com­mer­cial, ideal­ist­ic, or char­it­able pur­poses:a. If the sender when trans­mit­ting the com­mu­nic­a­tion makes use of elec­tron­ic con­tact de­tails in­ten­ded and provided by the user and said con­tact de­tails have been used in ac­cord­ance with the pur­poses at­tached to said con­tact de­tails by the user; orb. If the user is based out­side the European Eco­nom­ic Area and the rules re­gard­ing the send­ing of un­so­li­cited com­mu­nic­a­tions in the coun­try con­cerned have been com­plied with.A party that has ac­quired elec­tron­ic con­tact de­tails for elec­tron­ic mes­sages in the con­text of the sale of its product or ser­vice may use said data to trans­mit com­mu­nic­a­tions for com­mer­cial, ideal­ist­ic, or char­it­able pur­poses with re­gard to its own sim­il­ar products or ser­vices if, when the con­tact de­tails were ac­quired, the cus­tom­er was clearly and ex­pli­citly giv­en the op­por­tun­ity to ob­ject, free of charge and in a simple man­ner, to the use of said elec­tron­ic con­tact de­tails and, if the cus­tom­er did not avail him­self of said op­por­tun­ity, he is offered the op­por­tun­ity dur­ing every in­stance of com­mu­nic­a­tion, to ob­ject, on the same con­di­tions, to the fur­ther use of his elec­tron­ic con­tact data.Cook­iesAs re­ferred in art­icle 11.7a of the Tele­com­mu­nic­a­tions Act:Us­ing cook­ies or sim­il­ar tech­niques is only al­lowed if the user has been provided with clear and com­plete in­form­a­tion in ac­cord­ance with the Per­son­al Data Pro­tec­tion Act and has giv­en con­sent for the ac­tion con­cerned. However, this rule does not ap­ply if:the cook­ie is used for the sole pur­pose of car­ry­ing out com­mu­nic­a­tions over an elec­tron­ic com­mu­nic­a­tions net­work;the cook­ie is strictly ne­ces­sary to provide an in­form­a­tion so­ci­ety ser­vice re­ques­ted by the user; orthe cook­ie is used to ob­tain in­form­a­tion about the qual­ity or ef­fect­ive­ness of a ser­vice provided, on the con­di­tion that this has only lim­ited im­pact on the user­'s pri­vacy.Use­ful linksWeb­site Dutch Data Pro­tec­tion Au­thor­ityDutch GDPR Im­ple­ment­a­tion Act textDutch Tele­com­mu­nic­a­tions Act text <an­chor xml:id="re­write_Cy­ber_Se­cur­ity"/>Cy­ber Se­cur­ityLast up­dated April 2020Risk Scaleme­di­um*This as­sess­ment is based on the as­sump­tion that the CA will enter in­to force with sim­il­ar pro­vi­sions as the cur­rent CA con­sulta­tion draft.Laws and reg­u­la­tionsThe Net­work and In­form­a­tion Sys­tems Se­cur­ity Act ("NISSA", Wet be­vei­li­ging netwerk- en in­form­atiesyste­men)The NISSA im­ple­ments NIS Dir­ect­ive (EU) 2016/1148.Ap­plic­a­tion The NISSA ap­plies to:"di­git­al ser­vice pro­viders" (with­in the mean­ing of the NIS Dir­ect­ive) with a main es­tab­lish­ment in the Neth­er­lands, ex­clud­ing small and mi­cro en­ter­prises; anddes­ig­nated "vi­tal op­er­at­ors" in the Neth­er­lands, di­vided in:"op­er­at­ors of es­sen­tial ser­vices" (with­in the mean­ing of the NIS Dir­ect­ive); andop­er­at­ors of oth­er ser­vices of which the con­tinu­ity is of vi­tal im­port­ance for the Dutch so­ci­ety.The des­ig­na­tion of vi­tal op­er­at­ors can be found in the Net­work and In­form­a­tion Sys­tems Se­cur­ity De­cree ("NISSD", Be­sluit be­vei­li­ging netwerk- en in­form­atiesyste­men).Di­git­al ser­vice pro­viders not es­tab­lished in the EU must ap­point a rep­res­ent­at­ive that acts on its be­half. The rep­res­ent­at­ive may be ad­dressed with re­gard to the NISSA based ob­lig­a­tions.Au­thor­ityThe com­pet­ent au­thor­ity for di­git­al ser­vice pro­viders is the Min­is­ter of Eco­nom­ic Af­fairs and Cli­mate (Min­is­ter van Eco­nomis­che Za­ken en Klimaat). The Ra­diocom­mu­nic­a­tions Agency Neth­er­lands (Agentschap Tele­com, part of the Min­istry of Eco­nom­ic Af­fairs and Cli­mate) acts as su­per­visor.With re­gard to en­ergy and di­git­al in­fra­struc­ture, the com­pet­ent au­thor­ity is the Min­is­ter of Eco­nom­ic Af­fairs and Cli­mate. The Ra­diocom­mu­nic­a­tions Agency Neth­er­lands acts as su­per­visor.With re­gard to (i) trans­port and (ii) the sup­ply and dis­tri­bu­tion of drink­ing wa­ter, the com­pet­ent au­thor­ity is the Min­is­ter of In­fra­struc­ture and Wa­ter Man­age­ment (Min­is­ter van In­fra­struc­tuur en Wa­ter­staat). The Hu­man En­vir­on­ment and Trans­port In­spect­or­ate (In­spectie Leefomgev­ing en Trans­port) acts as su­per­visor.For bank­ing and the fin­an­cial in­fra­struc­ture, the com­pet­ent and su­per­vising au­thor­ity is the Dutch Cent­ral Bank (De Neder­land­sche Bank).For the health sec­tor, the com­pet­ent au­thor­ity is the Min­is­ter for Health­care. The Health and Youth Care In­spect­or­ate (In­spectie Gezond­heidszorg en Jeugd) acts as su­per­visor.Key ob­lig­a­tions NISSA:Some spe­cif­ic fin­an­cial in­sti­tu­tions des­ig­nated by the Dutch Cent­ral Bank are ex­emp­ted from part of the ob­lig­a­tions re­ferred to in this sec­tion.foot­noteDi­git­al ser­vice pro­viders and op­er­at­ors of es­sen­tial ser­vices must im­ple­ment ap­pro­pri­ate and pro­por­tion­ate tech­nic­al and or­gan­iz­a­tion­al meas­ures to man­age the risks posed to the se­cur­ity of their net­work and in­form­a­tion sys­tems and the pos­sible im­pacts of se­cur­ity in­cid­ents. They must also im­ple­ment ap­pro­pri­ate meas­ures to pre­vent and mit­ig­ate the im­pact of such se­cur­ity in­cid­ents.Des­ig­nated vi­tal op­er­at­ors must no­ti­fy the Na­tion­al Cy­ber Se­cur­ity Centre ("NC­SC", part of the Min­istry of Se­cur­ity and Justice), act­ing as Com­puter Se­cur­ity In­cid­ent Re­sponse Team "CSIRT") of:(i) any in­cid­ent with a sig­ni­fic­ant im­pact on the con­tinu­ity of the es­sen­tial ser­vices;(ii) any se­cur­ity in­cid­ent in their net­work and in­form­a­tion sys­tems which may have ser­i­ous ad­verse ef­fects on the con­tinu­ity of their ser­vice.If an op­er­at­or of an es­sen­tial ser­vice uses a di­git­al ser­vice pro­vider, an in­cid­ent at such di­git­al ser­vice pro­vider must be no­ti­fied by such op­er­at­or to the com­pet­ent au­thor­ity for the sec­tor of such op­er­at­or if the in­cid­ent has a sig­ni­fic­ant im­pact on the con­tinu­ity of the ser­vice.Di­git­al ser­vice pro­viders must no­ti­fy the Min­is­ter of Eco­nom­ic Af­fairs and Cli­mate (as com­pet­ent CSIRT) and Ra­diocom­mu­nic­a­tions Agency Neth­er­lands (as com­pet­ent au­thor­ity) of any in­cid­ent which may have ser­i­ous ad­verse ef­fects on the pro­vi­sion of their ser­vices.Pen­al­ties/En­force­mentThe com­pet­ent au­thor­it­ies have sev­er­al kinds of gen­er­al in­vest­ig­at­ive powers.Fines can be im­posed with a max­im­um of EUR 1m or EUR 5m de­pend­ing on the vi­ol­a­tion.NISSA based su­per­vi­sion and en­force­ment only ap­plies to op­er­at­ors of es­sen­tial ser­vices and di­git­al ser­vice pro­viders (e.g. not in­cluded are op­er­at­ors of oth­er ser­vices of which the con­tinu­ity is of vi­tal im­port­ance for the Dutch so­ci­ety).Is there a na­tion­al com­puter emer­gency re­sponse team (CERT) or com­puter se­cur­ity in­cid­ent re­sponse team (CSIRT)?Yes. NC­SC is the CSIRT for vi­tal op­er­at­ors. NC­SC is also the Point of Con­tact re­spons­ible for co­ordin­at­ing is­sues re­lated to the se­cur­ity of net­work and in­form­a­tion sys­tems and cross-bor­der co­oper­a­tion at EU level.The Dutch Min­istry of Eco­nom­ic Af­fairs is the CSIRT for di­git­al ser­vices.Is there a na­tion­al in­cid­ent man­age­ment struc­ture for re­spond­ing to cy­ber se­cur­ity in­cid­ents?Yes. Dur­ing a cy­ber crisis, the Na­tion­al Manu­al on De­cision-mak­ing in Crisis Situ­ation is ap­plied (hy­per­link in­cluded be­low). NC­SC plays a key role in such cy­ber crises.The Na­tion­al Di­git­al Crisis Plan (hy­per­link in­cluded be­low) is a cy­ber-spe­cif­ic elab­or­a­tion of the Na­tion­al Manu­al on De­cision-mak­ing in Crisis Situ­ation.Use­ful linksNC­SC : ht­tps://eng­lish.nc­sc.nlNISSA text: ht­tps://wetten.over­heid.nl/BW­BR0041515/2019-01-01NISSD text:  ht­tps://wetten.over­heid.nl/BW­BR0041520/2019-01-01Web­site for di­git­al ser­vice pro­viders to no­ti­fy com­pet­ent au­thor­ity: ht­tps://www.agentschaptele­com.nl/doc­u­menten/for­mu­lier­en/2018/novem­ber/8/melden-van-in­cid­ent-on­der-de-wet-be­vei­li­ging-netwerk--en-in­form­atiedi­en­sten The Neth­er­lands Na­tion­al Hand­book on De­cision-Mak­ing in Crisis Situ­ations: ht­tps://www.rijk­sov­er­heid.nl/doc­u­menten/bro­chures/2013/04/26/na­tion­aal-hand­boek-crisis­besluit­vorm­ingNa­tion­al Di­git­al Crisis Plan ht­tps://www.nc­tv.nl/doc­u­menten/pub­lic­aties/2020/02/21/nc­tv-na­tion­aal-crisisplan-di­git­aal-_-web­ver­sie << back to Over­view
Sub­scribe to Data Pro­tec­tion & Pri­vacy Top­ics
Pri­vacy, Data Pro­tec­tion and Cy­ber­se­cur­ity Bro­chure
Leg­al pre­ci­sion in pri­vacy, data se­cur­ity and data pro­tec­tion


Show only
08 May 2020
Data Law Nav­ig­at­or | Over­view
Find here in­form­a­tion about data pro­tec­tion and cy­ber se­cur­ity laws in vari­ous coun­tries world­wide: Al­bania, Aus­tria, Bel­gi­um, Bos­nia and Herzegov­ina, Bul­garia, Croa­tia, Czech Re­pub­lic, France, Ger­many, Hong Kong, Hun­gary, Italy, Lux­em­bourg, Mex­ico, Monte
5 mis­con­cep­tions about the GDPR data breach no­ti­fic­a­tion
Em­ploy­ment and com­mer­cial as­pects of Coronavir­us
05 March 2020
Coronavir­us: em­ploy­er meas­ures and policies
Dutch busi­ness faces new chal­lenges on em­ploy­ee meas­ures in face of COV­ID-19 out­break
CMS is re­leas­ing its ‘Shar­ing is (S)caring’ Pod­cast Series
Shar­ing is (S)caring: Your face is a weapon
Token­ized As­sets: De­vel­op­ing an Eco­sys­tem for Di­git­al Real Es­tate As­sets
Token­ized As­sets: An In­vestor’s Per­spect­ive
Token­ized As­sets: Reg­u­la­tion and Gov­ernance - A Dutch Per­spect­ive
'Data pro­tec­tion au­thor­it­ies are aware of the is­sues, reg­u­lat­ory ac­tion...
EDPO founder Jane Murphy on the GDPR and non-EEA or­gan­iz­a­tions
25 June 2019
AI in Life Sci­ences
At CMS, we have many law­yers in many coun­tries think­ing about the in­creas­ing im­pact of AI on the life sci­ences leg­al land­scape. Rather than keep these thoughts to ourselves, we thought we would share some of them with you. Get in touch!
Spot­light on com­pli­ance with work­ing time re­gis­tra­tion sys­tem
CJEU de­cision tight­ens work­ing time reg­u­la­tions