Legislation

Wet bescherming persoonsgegevens (Wbp; Dutch Data Protection Act)

The most important rules for recording and using personal data have been set forth in the Wet bescherming persoonsgegevens (Wbp; Dutch Data Protection Act). This act was unanimously adopted by the Dutch Lower House on 23 November 1999 and accepted by the Dutch Upper House on 3 July 2000. The act came into force on 1 September 2001.

The Wbp relates to every use - 'processing' - of personal data, from the collection of these data up to and including the destruction of personal data.

Notification obligation and exemption from the notification obligation
The supervisory authority, the Dutch DPA, must be notified of all processing of personal data. The Dutch DPA keeps a public register of these notifications. However, a large number of socially well-known and accepted processing operations have been exempted from the notification obligation. On this website, the Dutch DPA offers a checklist for the use of the exemption decree.

Technology
The Wbp has a separate section (Section 13) on the use of technology in the protection of personal data.

Supervision of compliance with the Wbp and enforcement of the Wbp
The Wbp also governs the tasks and powers of the supervisor of the act, the Dutch DPA. As a national supervisory authority, the Dutch DPA is the successor of the former Registratiekamer. The Dutch DPA is authorised to impose sanctions.

Data protection officer
Organisations can also appoint their own internal supervisor, the data protection officer.

International
The international aspects of the Wet bescherming persoonsgegevens (Wbp; Personal Data Protection Act) are discussed under this heading.

The two most important questions from an international perspective are:

1) When does the Wbp apply to companies that operate internationally?
2) When is the transfer of personal data to third countries (outside the European Union and the European Area) permitted?