A basis in the Wbp (Dutch Data Protection Act)
In general, the disclosure of personal data must be compatible with the purpose for which it has been collected. Whether or not this is the case will depend on the specific circumstances involved. When seeking to establish whether or not a particular disclosure is compatible, various factors play a role, such as a connection with the purpose underlying the collection of the data in question, the nature of the data, the consequences of disclosure, the safeguards put in place and the expectations of the data subject (i.e. the individual whose data a company or institution (hereinafter: organisation) wishes to disclose). Section 8 of the Wet bescherming persoonsgegevens (Wbp) lays down six grounds on which data disclosure may be based, i.e. consent, the contract, legal obligation, the vital interests of the data subject, the performance of a task carried out in the public interest and a legitimate interest. It must be possible to trace the disclosure in question back to one of the above six grounds.
Consent
Personal data may be disclosed to another organisation with the consent of the data subject in question. Consent will only be considered legally valid where it is clear what the consent relates to and what consequences will result from the consent given. Consent may be withdrawn at any time; where this occurs, the ground applicable for disclosure will lapse. Therefore, it is recommended that data disclosure be based on one of the other grounds, where possible. In the example given, the headmaster will be able to disclose data to the sponsor if you have consented to him doing so.
Performance of a contract
An organisation may disclose your personal data to another organisation where this is necessary for the performance of a contract that you have entered into or will enter into with the first organisation. For example, if you have ordered a mobile phone from a telecom company, it will be permitted to disclose your personal data to TPG, which will deliver the mobile phone to your home address. Please note that this ground may not serve as the basis for the disclosure of pupil data to the sponsor in the example mentioned above.
Legal obligation
It is sometimes necessary to disclose certain personal data that are essential for the performance of a legal obligation. See Section 56 of the Algemene wet bijzondere ziektekosten [Exceptional Medical Expenses Act] for an example.
Pursuant to this Section of the Act, anyone requested to do so will be obliged to provide the Dutch national Health Insurance Funds (amongst other parties) with all information necessary for the implementation of this Act. This obligation to provide information only extends to information necessary to determine an individual’s contribution. Added to the above, under Section 47 of the Algemene wet inzake rijksbelastingen [State Taxes Act], for instance, the tax inspector can demand all data that could be relevant for taxation purposes. In the example given, the headmaster will not be able to base any disclosure of pupil data on this ground.
A vital interest on the part of the data subject
A vital interest on the part of a data subject could be an urgent medical necessity. Incidentally, it is always recommended that the data subject be asked for his consent. His personal data may only be disclosed without his consent where asking for it is no longer possible; this would apply in situations where the data subject is unconscious. Naturally, the disclosure of pupil data may not be based on this ground.
Essential for the proper performance of a task carried out in the public interest
On this ground, a government agency is able to disclose personal data where this is necessary for the proper performance of a task carried out in the public interest, whether by the agency itself or by a government agency to which the data are disclosed. The tasks in question are those placed specifically with the organisation in question. This might be the Public Prosecutions Department’s disclosure of information pertaining to a punishable offence (a fraud case, for example) to insurers in order to facilitate the recovery of the loss sustained from the perpetrator, which disclosures it makes as part of the tasks falling upon it. After all, one of the Public Prosecutions Department’s responsibilities is to serve the interests of the victims of punishable offences. The disclosure of pupil data to a sponsor is not essential for the proper performance of a task carried out in the public interest.
Legitimate interest
In general, a legitimate interest exists in the event of actions in the framework of normal business operations or the day-to-day management of an organisation. The disclosure of data must be necessary for an organisation’s legitimate interest. As such, organisations must consider whether or not they could achieve the same result with less data or via less drastic means. They will also be required to perform privacy assessments, in which they consider the interests and rights of the data subject in relation to their own interest in the disclosure of the data in question. Organisations will be expected to be able to explain their assessment to data subjects and, where necessary, to the Dutch Data Protection Authority (Dutch DPA) [College bescherming persoonsgegevens (CBP)] or a court of law. Although this ground could perhaps serve as the basis for the disclosure of pupil data, this disclosure does not fall under ‘normal business operations’. Following his performance of the privacy assessment, the headmaster may also have valid grounds to conclude that the interests and rights of the pupils in question outweigh the school’s interest in the disclosure of their data. Consent is then the only ground on which the headmaster will be permitted to disclose the data in question.
Disclosure while obliged to maintain official or professional secrecy
The disclosure of data to another organisation is not permitted where this is precluded by the obligation to observe official or professional secrecy. Organisations will only be permitted to disclose information of this nature with the consent of the data subject in question. However, there are instances in which exceptions are permitted by law. For example, under the Wet op de geneeskundige behandelingsovereenkomst [Medical Treatment Contracts Act], medical data may be disclosed to individuals essential to the treatment of a particular patient (the so-called ‘functional unit’) without his consent. For more information see the fact sheet Confidentiality of Your Medical Data [Geheimhouding van uw medische gegevens].
Notification and exemptions
Except where an exemption applies, the Dutch DPA must be notified of all use made of personal data. Pursuant to the Vrijstellingsbesluit [Dutch Data Protection (Exemptions) Decree], many situations are exempted from the above obligation. This decree indicates to whom an organisation may disclose data in certain situations. However, it must ensure that the general provisions of the Wbp are observed at all times. For more information, please see the fact sheet entitled Melden en vrijstellingen [Notification and Exemptions].
Where can you complain?
You can complain to an organisation where you are of the opinion that your personal data has been disclosed to another organisation without good reason. For more information, please see the fact sheet entitled Your Complaint and the Dutch DPA [Uw klacht en het CBP].