Disclosing Personal Data 

Fact sheet number 25A, December 2006

This fact sheet is intended for the data controller, i.e. the party that uses other individuals’ personal data for his own purposes.

This fact sheet will answer the following questions:

Suppose that you are a headmaster and would like to have some new computers. You have found a sponsor, but this company is now asking you to disclose your pupils’ contact data to it, so that it can write to your pupils at their home addresses. You discussed this request with the Representative Advisory Body, but no agreement has been reached. You are now wondering whether or not the data requested may be disclosed to the sponsor. You are right to wonder; certain conditions apply.

See the fact sheets entitled Disclosing Employee Data to Third Parties [Verstrekken personeelsgegevens aan derden], Disclosing Data from your Membership Records [Verstrekken gegevens uit uw ledenadministratie] and Als de politie u vraagt persoonsgegevens te verstrekken [If the Police Ask You to Disclose Personal Data] for the practical implementation of the general conditions described in this fact sheet.

A basis in the Wbp (Dutch Data Protection Act)
In general, the disclosure of personal data must be compatible with the purpose for which they have been collected. Whether or not this is the case will depend on the specific circumstances involved. When seeking to establish whether or not a particular disclosure is compatible, various factors play a role, such as a connection with the purpose underlying the collection of the data in question, the nature of the data, the consequences of disclosure, the safeguards put in place and the expectations of the data subject (i.e. the individual whose data you wish to disclose). Section 8 of the Wet bescherming persoonsgegevens (Wbp) lays down six grounds on which data disclosure may be based, i.e. consent, the contract, legal obligation, the vital interests of the data subject, the performance of a task carried out in the public interest and a legitimate interest. It must be possible to trace the disclosure in question back to one of the above six grounds.

Consent
Personal data may be disclosed to a company or institution (hereinafter: organisation) with the consent of the data subject in question. Consent will only be considered legally valid where it is clear what the consent relates to and what consequences will result from the consent given. Consent may be withdrawn at any time; where this occurs, the ground applicable for disclosure will lapse. Therefore, it is recommended that data disclosure be based on one of the other grounds, where possible. In the example given, you could disclose data to the sponsor with the consent of your pupils’ legal representatives.

Performance of a contract
You may disclose personal data to an organisation where this is necessary for the performance of a contract that you have or will enter into with a data subject. For example, if someone orders a mobile phone from a telecom company, it may disclose the personal data pertaining to this individual to TPG Post, which will ensure that the mobile phone is delivered to the data subject’s home address. Please note that this ground may not serve as the basis for the disclosure of pupil data to the sponsor in the example mentioned above.

Legal obligation
It is sometimes necessary to disclose certain personal data that are essential for the performance of a legal obligation. See Section 56 of the Algemene wet bijzondere ziektekosten [Exceptional Medical Expenses Act] for an example.

Pursuant to this Section of the Act, anyone requested to do so will be obliged to provide the Dutch national Health Insurance Funds (amongst other parties) with all information necessary for the implementation of this Act. This obligation to provide information only extends to information necessary to determine an individual’s contribution. In addition, under Section 47 of the Algemene wet inzake rijksbelastingen [State Taxes Act], for instance, the tax inspector can demand all data that could be relevant for taxation purposes. In the example given, you will not be able to base any disclosure of pupil data on this ground.

A vital interest on the part of the data subject
A vital interest on the part of a data subject could be an urgent medical necessity. Incidentally, it is always recommended that the data subject be asked for his consent. His personal data may only be disclosed without his consent where this is no longer possible; this would apply in situations where the data subject is unconscious. Naturally, you will not be able to base the disclosure of pupil data on this ground.

Essential for the proper performance of a task carried out in the public interest
On this ground, a government agency is able to disclose personal data where this is necessary for the proper performance of a task carried out in the public interest, whether by this agency itself or by a government agency to which the data are disclosed. The tasks in question are those placed specifically with the organisation in question. An example is the Public Prosecutions Department’s disclosure of information pertaining to a punishable offence (a fraud case, for example) to insurers in order to facilitate the recovery of the loss sustained from the perpetrator; it makes such disclosures as part of the tasks falling upon it. After all, one of the Public Prosecutions Department’s responsibilities is to serve the interests of the victims of punishable offences. The disclosure of pupil data to a sponsor is not essential for the proper performance of a task carried out in the public interest.

Legitimate interest
In general, a legitimate interest exists in the event of actions in the framework of normal business operations or the day-to-day management of your organisation. The disclosure of data must be necessary for your legitimate interest. As such, you must consider whether or not you could achieve the same result with less data or via less drastic means. You will also be required to perform a privacy assessment, in which you consider the interest and rights of the data subject in relation to your interest in the disclosure of the data in question. You will be expected to be able to explain your assessment to the data subject and, where necessary, to the Dutch Data Protection Authority (Dutch DPA) [College bescherming persoonsgegevens (CBP)] or a court of law. Although this ground could perhaps serve as the basis for the disclosure of pupil data, this disclosure does not fall under ‘normal business operations’. Following your performance of the privacy assessment, you may also have valid grounds to conclude that the interests and rights of the pupils in question outweigh your own interest in the disclosure of their data. Consent is then the only ground on which you will be permitted to disclose the data in question.

Disclosure while obliged to maintain official or professional secrecy
The disclosure of data to another organisation is not permitted where this is precluded by the obligation to observe official or professional secrecy. You will only be permitted to disclose information of this nature with the consent of the data subject in question. However, there are instances in which exceptions are permitted by law. For example, under the Wet op de geneeskundige behandelingsovereenkomst [Medical Treatment Contracts Act], medical data may be disclosed to individuals essential to the treatment of a particular patient (the so-called ‘functional unit’) without his consent. For more information see the fact sheet Geheimhouding van medische gegevens [Confidentiality of Medical Data].

Notification and exemptions
Except where an exemption applies, the Dutch DPA must be notified of all use made of personal data. Pursuant to the Vrijstellingsbesluit [Dutch Data Protection (Exemptions) Decree], many situations are exempted from the above obligation. This decree indicates to whom data may be disclosed in certain situations. However, you must ensure that the general provisions of the Wbp are observed at all times. For more information, please see the fact sheet entitled Melden en vrijstellingen [Notification and Exemptions].

Where can data subjects complain?
A data subject can complain to an organisation where he is of the opinion that it has disclosed his personal data to another organisation without good reason. For more information, please see the fact sheet entitled Complaints Handling by the Dutch DPA [Klachtenbehandeling door het CBP].