The Dutch Minister for Legal Protection, Sander Dekker, recently sent a letter (in Dutch) to the House of Representatives concerning amendments to the Dutch General Data Protection Regulation Implementation Act (Uitvoeringswet AVG) and the evaluation of the General Data Protection Regulation (GDPR).
Three categories are mentioned with respect to the Dutch GDPR Implementation Act:
1. matters for which it has become clear that they require a more explicit legal basis, therefore requiring legislative amendments. Besides a number of technical amendments with respect to the Dutch GDPR Implementation Act, this concerns the following topics:
- the processing of special categories of personal data by accountants in the performance of their statutory auditing duties;
- the use of biometric data to identify individuals in the interests of legitimate access to certain places, buildings, information or work process systems, services, or products;
- the processing of special categories of personal data by the Dutch Whistleblowers Authority (Huis voor Klokkenluiders) in the course of its statutory advisory and investigation duties, such as data concerning health, trade union membership, and discrimination or detrimental treatment due to origin, religion, or sexual orientation; and
- the processing of data concerning health by patient associations for internal use, for example, in their membership database.
2. matters still under discussion between the Dutch Government and the sectors concerned and other parties in order to determine whether legislative amendments are required:
- use of the “BIG number” outside the context of the Individual Healthcare Provision (Professions) Act (Wet BIG), e.g. for continuing education and refresher training purposes;
- an effective basis for profiling by banks to prevent money laundering and fraud;
- an obligation for suppliers of personnel or subcontractors to provide the client with the information necessary to make use of an indemnifying payment into a blocked account (G account);
- cross-sector data-sharing for the purpose of combatting fraud;
- extension of the exceptions applicable to records repositories regarding certain obligations under the GDPR to other socially relevant records as well;
- sharing of data on traffic fines to enable car leasing companies and others to recover these fines from drivers; and
- use of the citizen service number (BSN) by businesses, especially banks, other financial enterprises, and various professionals such as lawyers, civil-law notaries, and accountants, so they can act as gatekeepers in the prevention of money laundering.
3. matters in relation to which consultation with the parties concerned has shown that the issue can be resolved by means other than legislation, and which will be further explored:
- registration of concerns about (mental) health conditions by financial institutions as part of their duty of care for vulnerable groups;
- liability for privacy-related loss/harm and the passing on to processors of fines imposed by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens);
- scientific research whereby large pre-existing data sets are used, as regards the consent requirement;
- more clarity and legal certainty in the case of relatively simple “standard” processing operations for smaller controllers; and
- clarification of the relationship between the Dutch Public Records Act (Archiefwet) and the GDPR.
Finally, the Minister’s letter refers to matters which have been brought to the attention of the European Commission by the Netherlands in the context of the evaluation of the GDPR:
- reduction of the obligation to keep a record of processing activities for small businesses so as to lessen the burden on them;
- avoidance of the extraterritorial effect of national implementation legislation in order to prevent internationally operating companies being subject to another patchwork of legislation;
- harmonisation of the minimum age at which children within the EU can consent to processing of their personal data, in order to reduce the complexity of cross-border data traffic in today’s world for businesses as well as parents and children;
- investigation of ways to curb the data power of large technology companies via the GDPR by, for example, extending the possibilities for data portability and possibly introducing new instruments for supervision by the Dutch Data Protection Authority;
- making more explicit the optional character of designating a supervisor when a code of conduct is used;
- promoting certification at EU level where possible and certification at national level only where it offers real added value; and
- promoting development of a single standard form for reporting personal data breaches to the various supervisory authorities of the Member States.
The Annex to the letter provides further explanation of the points raised. In the letter, the Minister also notes that issues are sometimes raised which turn out not to actually be problems, but where unclear communication can lead to confusion. As an example, reference is made to retention by employers of copies of a foreign national’s identity document, work permit, or Employee Insurance Agency (UWV) notification form. The GDPR does not raise any objection to such retention if it arises from a statutory obligation or if there is a legitimate interest and provided that other conditions have been met. The information about this on the website of the Dutch Tax and Customs Administration (Belastingdienst) will be brought more into line with the information on the website of the Labour Inspectorate (Inspectie SZW). The Minister also mentions a number of other points requiring attention in the area of Social Affairs and Employment, including conducting alcohol and drug tests and the use of biometric data to combat fraud involving working hours.
The problems described in the letter are familiar in actual practice. The letter shows that the concerns – which are sometimes very specific – of different stakeholders are taken into consideration by the legislator and that it is therefore valuable to continue to raise them. Problems can also be solved by means of better information, including publications of the Dutch Data Protection Authority. For specific problems encountered by organisations, this could also be achieved through an easily accessible information desk. We look forward to the announced legislative proposal as well as other follow-up steps to which the letter will lead.