Your Data Processing Activities and Transfer to Third Countries 

Fact sheet number 18A, November 2004

This fact sheet is intended for the data controller, i.e. the party that uses other individuals' personal data for its own purposes.

This fact sheet will answer the following questions:

The Wet bescherming persoonsgegevens (Wbp) [Dutch Data Protection Act] does not contain any separate provisions for data traffic within the European Union (EU) since the Act was created in implementation of the European Privacy Directive. This Directive has two objects, i.e. to achieve the harmonised protection of personal data and to facilitate the free traffic of personal data within the EU.

Once all member states have modified their legislation in line with the Directive, the EU will be a single jurisdiction in the context of data protection. Hence, data traffic between the Netherlands and another EU country will only have to meet the general requirements of the Wbp.

Data traffic to countries outside the EU
The Wbp (Dutch Data Protection Act) contains specific provisions applicable to data traffic to third countries. Third countries are all countries outside the EU, with the exception of Norway, Liechtenstein and Iceland. The main rule is that personal data may only be transferred to third countries with an adequate level of protection. Where this is not the case, transfer will only be permitted on the basis of a statutory exception or with a permit from the Ministry of Justice. In all cases, parties will be expected to comply with the general requirements of the Wbp. One of these general requirements is the obligation to notify the Dutch Data Protection Authority (Dutch DPA) [College bescherming persoonsgegevens (CBP)].

Adequate level of protection
To determine whether a country provides an adequate level of protection, the controller should first establish whether either the Minister of Justice or the European Commission (EC) has passed a ruling concerning the level of protection in the country concerned. You are the controller if you are the party who determines the object and means of processing and if the personal data is used in your interest. In this context, data processing means any procedure involving data, from the collection of data to the destruction of data. Transfer is therefore a form of data processing.

On the Dutch DPA Internet site you will find a list of the countries on which the EC has adopted a decision as indicated above. This list contains all countries considered to have an adequate level of protection. Where no decision has been adopted, you must analyse the situation yourself, on the basis of a number of criteria.

The United States
The United States does not have any general legislation providing for the protection of personal data. For this reason, the EC has adopted a special decision in respect of the United States: an adequate level of protection shall only be deemed to apply for those organisations that have undertaken to comply with the so-called Safe Harbor Principles. These organisations are indicated in a public list, setting out which specific organisations comply with the above Principles. To view the list, please see the website for the U.S. Department of Commerce.

Exceptions and permit from the Minister of Justice
If a third country does not provide adequate protection, it may nevertheless be possible to transfer personal data to that country; there are two possibilities. The first possibility is a transfer covered by one of the exceptions defined in the Wbp. This would apply, for example, where data subjects have given their unambiguous consent for the transfer of their data to a third country, or where data transfer is necessary for the fulfilment of a contract. These exceptions must be interpreted in a restrictive manner.

The second possibility is transfer on the basis of a permit granted by the Minister of Justice. These permits are subject to further conditions, which serve as a guarantee for the protection of personal data. One way of ensuring that adequate safeguards are provided is to use one of the model contracts approved by the EC. To date, the EC has approved two model contracts: 1) for transfer between two controllers, one of which is established in an EU country and the other outside the EU, and 2) for transfer to a processor in a third country. The use of a model contract expedites the permit procedure. Visit the Internet site of the European Commission for more information on the EC’s model contracts and the adequacy of personal data protection in third countries.


Permit applications via the Dutch DPA
Applications for permits granted by the Minister of Justice must be submitted to the Dutch DPA, using the application form at the back of the brochure entitled Third countries. Transfer of Personal Data to Countries outside the European Union [Derde Landen. Doorgifte van persoonsgegevens naar landen buiten de Europese Unie], or via the Dutch DPA website. All applications must be accompanied by documents evidencing sufficient guarantees with regard to the data transfer in question. A permit will only be issued once the Dutch DPA has advised the Minister of Justice on the application. If you are using the model contracts approved by the EC without any additions or changes, the Dutch DPA will normally have processed your application within 2 to 4 weeks. If you are using the model contracts with additions, your application will normally have been processed within 6 weeks. Finally, the processing period will be 13 weeks where you are using the model contracts with changes, or where you have prepared an instrument yourself. The period applicable will also depend on the time that the controller needs to implement any modifications required during the advice period.

Supervision by the Dutch DPA
If a country does not provide an adequate level of protection, any transfer to that country is unlawful unless covered by a statutory exception or a ministerial permit. The Dutch DPA monitors compliance with the Wbp by controllers based in the Netherlands who transfer data to third countries. The Dutch DPA will initiate its supervisory activities itself or in response to complaints received from citizens. In its primary activities the Dutch DPA focuses on categories of transfer that entail special risks. For example:

  • transfers involving a (financial) risk, such as credit card transactions via the Internet;
  • repetitive transfers of bulk data.

The Wbp [Dutch Data Protection Act] allows the Dutch DPA to apply administrative force or impose an order for periodic penalty payments.

More information
For a more detailed discussion of this subject, please see the Policy paper on third countries.