If the data controller is established in the Netherlands, the Wbp applies to all processing of personal data conducted within the scope of the operations of the establishment in question, regardless of where the data are processed or where the data subjects are. If the data controller is established in another Member State, the legislation of this other Member State applies.
According to the European Privacy Directive, the term "establishment" relates to centres of economic activity that may be located in different Member States. In this respect, it is irrelevant whether this involves a branch office or subsidiary with legal personality. The establishment on the territory of a Member State presupposes the effective and actual conduct of operations for an indefinite period. In a specific case, it will have to be established on the basis of the facts whether an establishment within the meaning of the directive is involved and which national law applies.
If a data controller has several branches in the European Union, this party must ensure that each of the branches conforms to the rules of the country where the branch is located.
Establishment of the data controller outside the European Union
If the data controller is not established in the European Union and processes personal data using means in the Netherlands, the Wbp also applies, unless these means are only used for the transfer of personal data. In these cases, the data controller must have a person or body that represents it in the Netherlands.