The notifications provide for openness around the processing of personal data in organisations. This enables a person to check how his or her personal data are being handled, so that he or she can exercise his or her rights, if necessary. In addition, the notifications enable an efficient supervision by the Dutch DPA.
What is processing?
Pursuant to the Wbp, the processing of personal data is every action or every aggregate of actions relating to these personal data. Thus, it is a very broad term. The Wbp specifies a number of actions that are indicated as processing: collecting, recording, grouping, keeping, updating, changing, retrieving, consulting, using, transferring, distributing, making available, putting together, linking, screening, deleting, and destroying data.
Processing can consist of one or more of these actions. Processing actions that are considered as a unit are seen as a single data processing operation on the basis of common opinion. For example, client records and complaint registration are each considered a single data processing operation.
Notification obligation and exemptions
To answer the question regarding whether the Dutch DPA must be notified of a specific processing of personal data, the steps below can be helpful.
- Make a list of all processing of personal data in the organisation.
- On the basis of the Checklist Exemption Decree assess whether specific processing has been exempted from the notification obligation. A data controller may be exempted for one specific action of processing personal data, while another action of processing may not be exempted.
- If the processing is not exempted, the Dutch DPA can be notified in three ways:
· download the Wbp Notification Program (in Dutch)
· request a copy of the diskette with the Wbp Notification Program
· request the special Wbp Notification Form
- Make a list of the processing operation(s) of personal data using the Wbp Notification Program or the form. It is important that every individual processing operation is reported separately. It is not permitted, for example, to combine personnel records and a client file in one notification.
- A number of data processing operations are subject to a preliminary examination. This involves processing that, in the opinion of the legislator, involves a special risk for the personal privacy of the persons involved. Indicate in the notification program whether a preliminary examination is necessary.
Categories of processing exempted from the notification obligation:
Paragraph 1. Commissionership and patronage
1. Associations, foundations and trade associations under public law
2. Spiritual societies
Paragraph 2. Work and retirement
3. Applicants
4. Temporary workers
5. Personnel administration
6. Salary administration
7. Compensation in case of dismissal
8. Retirement and early retirement
Paragraph 3. Goods and services
9. Subscriptions
10. Debtors and creditors
11. Customers and suppliers
12. Rental and leasing
13. Legal service providers and accountants
Paragraph 4. Health and welfare
14. Individual healthcare
15. Residential care homes and nursing homes
16. Child care facilities
Paragraph 5. Education
17. Pupils, participants and students
18. Compulsory education
19. School transport
Paragraph 6. Government
20. Permits and reports
21. Decentralised taxes
22. Travel documents
23. Grave rights
24. Naturalisation
25. Change of name
26. Compulsory military service
Paragraph 7. Archives and research
27. Archival storage
28. Scientific research and statistics
Paragraph 8. Management and security
29. Document management
30. Network systems
31. Computer systems
32. Communications equipment
33. Access control
34. Other internal management
35. Registration of visitors
36. CCTV supervision
Paragraph 9. Other forms of processing
37. Notices of objection, complaints and legal proceedings
38. Registers and lists
39. Former members and pupils
40. Communication files
Correct notification
The Dutch DPA can only accept notifications that have been made in the prescribed way. The Dutch DPA will not accept notifications that have been sent on diskette or by e-mail without a completed and signed authentication form and notifications that are not in Dutch. All information must have been included on the diskette or form itself. For this reason, you cannot enclose any appendices with the notification or refer to appendices. Nor is it permitted to send in your 'own' versions of the notification form. More information about the conditions for accepting a notification can be found in the Wbp Notification Program or in the explanation to the Wbp Notification Form.
Validity of the notification
Whether or not the notification is valid is only established at the time the indicated contact has received a confirmation of receipt with the notification number from the Dutch DPA. The notification number will be used in all correspondence on the notification. If the notification has been made on behalf of a data controller, the contact must inform the data controller of this.
Rights
No rights can be derived from a notification, because a notification does not result in approval of a data processing operation. Usually, the Dutch DPA uses a formal test to establish whether the notification is complete and initially acceptable. The party making the notification continues to be responsible for a correct and complete notification and for complying with the other provisions of the Wbp.
Fines
The Dutch DPA must always be notified in advance of new processing and changes of existing processing. If you fail to notify the Dutch DPA of your data processing, the Dutch DPA may impose a fine of EUR 4,500. A fine can also be imposed if you have incorrectly or incompletely reported your data processing and/or if you fail to report changes (in time). Periodically, the Dutch DPA will subject notifications from specific sectors or of specific processing to a further investigation. The Dutch DPA will also do this following complaints from data subjects.
Public register of notifications
The Dutch DPA has the statutory task of keeping a public registry of notifications (Wbp report register). This registry includes the notifications relating to the processing of personal data that have been reported to the Dutch DPA and which have also been approved, with the exception of the information that you must provide regarding the protection of your data processing. The public register gives interested parties the opportunity to inspect the notifications.