On 19 February 2013, the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, the "CBP") published its new guidelines on the protection of personal data. These guidelines will replace earlier guidelines published in 2001.
The guidelines will enter into effect on 1 March 2013. By that date, companies must have complied with a "Plan-Do-Check-Act" cycle, and their processing agreements (if any) must address the subjects specified in the guidelines.
Pursuant to the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens) a company needs to implement appropriate technical and organisational measures to secure personal data against loss or any form of unlawful processing. The measures should guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, and having regard to the risks associated with the processing and the nature of the data to be protected. The measures should also aim at preventing unnecessary collection and further processing of personal data. The CBP guidelines provide further guidance on this.