Legislation 

Wet bescherming persoonsgegevens (Wbp; Personal Data Protection Act)

The most important rules for recording and using personal data have been set forth in the Wet bescherming persoonsgegevens (Wbp; Personal Data Protection Act). This act was unanimously adopted by the Dutch Lower House on 23 November 1999 and accepted by the Dutch Upper House on 3 July 2000. The act came into force on 1 September 2001.

The Wbp relates to every use - 'processing' - of personal data, from the collection of these data up to and including the destruction of personal data.

The Ministry of Justice published Guidelines for personal data processors.

Notification obligation and exemption from the notification obligation
The supervisory authority, the Dutch DPA must be notified of all processing of personal data. The Dutch DPA keeps a public register of these notifications. However, a large number of socially well known and accepted processing operations have been exempted from the notification obligation. On this web site, the Dutch DPA offers a checklist for the use of the exemption decree.

Technology
The Wbp has a separate section (Section 13) on the use of technology in the protection of personal data.

Supervision of compliance with the Wbp and enforcement of the Wbp
The Wbp also governs the tasks and powers of the supervisor of the act, the Dutch DPA. As a national supervisory authority, the Dutch DPA is the successor of the former Registratiekamer. The Dutch DPA is authorised to impose sanctions.

Data protection officer
Organisations can also appoint their own internal supervisor, the data protection officer.