Extent of the obligation to provide information
The controller must inform you of his identity and of the purpose or purposes for which he is collecting your data. In some situations, the controller will be obliged to provide you with additional information on the use of your personal data:
- Your expectations. Where the use to be made of the personal data is different to that which you could reasonably expect, this may give reason to provide you with additional information. For example, where you do not expect that your employer will disclose personal data to the police, on an incidental basis and when requested to do so, your employer is obliged to inform you of this specific possibility. For more information on the disclosure of data to the police, please see the fact sheet entitled Als de politie gegevens over u vraagt [If the Police Request Access to Your Personal Data].
- The circumstances in which an organisation obtains your data. Where a controller obtains your personal data from another organisation, the controller’s obligation to provide information may be greater than would have applied had he obtained the data directly from you. After all, you are not always aware that the other organisation has disclosed your data to the controller. This would apply, for example, in a situation where the controller obtains data on your creditworthiness from a credit agency.
- The purpose or purposes for which the data are to be used. Additional information may be necessary, depending on the consequences resulting for you from the use of your data.
- The nature of the data. The more sensitive the nature of the data pertaining to you, the greater the reason to inform you of their intended use in more detail. For example, a doctor may be obliged to provide parents of an underage patient with additional information.
When to provide information
The controller must inform you prior to the time at which he receives the data pertaining to you. Naturally, he will only be able to do this in situations where he obtains the data in question from you. This would apply, for example, when you include personal data in a form and send this form to the controller.
In situations where the controller obtains data from another organisation, he must inform you of this fact when recording the data obtained. Where the controller is only collecting your data for disclosure to a third party, he must inform you accordingly, no later than the time of the first disclosure of your data to the third party in question.
How to provide information
Information must be provided in such a manner that you are actually able to gain access to it. For example, an organisation could include the information in the form in which you are to enter your data. Where you enter your personal data via an organisation’s website, it will be sufficient for the organisation to make a clear reference to its privacy statement, in which it indicates the use made of your personal data.
Where the controller has obtained data via third parties and a limited number of data subjects are involved, he must inform you of the above personally. Where a large group is concerned, the controller may provide the information required via a newspaper or magazine, for example. However, the controller must ensure that each member of the group receives the information in question. Since national newspapers and free local papers are not read by everyone, an advertisement in these forms of media will not always be sufficient.
When providing information to data subjects, the controller could also refer to any notification issued by him to the Dutch Data Protection Authority (Dutch DPA) [College bescherming persoonsgegevens (CBP)] on the use of personal data. Any notification issued to the Dutch DPA must include the purposes for which data are used and the recipients of the data in question. All such notifications are available in the public register.
Exceptions to the obligation to provide information
The controller will not be required to inform you in situations where you are already aware of the information in question. However, it will not be sufficient for the controller to presume your awareness. He must be certain that this is the case. However, the controller may assume your awareness once information has been sent or issued to you. The controller will not be obliged to check whether or not you have actually read the information provided. In situations where your employer provides the health and safety executive with data pertaining to you in the event of your illness, it will not be necessary to inform you of this fact each time you report ill. It will be sufficient for your employer to provide you with a general information brochure, information in the employee handbook or information upon your appointment by the employer.
The controller will not always be obliged to inform you when he obtains data through means other than yourself. It may cost the controller a disproportionate level of effort to contact you. This would apply, for example, where it would be extremely time-consuming to retrieve your address. In this case, the controller will be obliged to record the origin of your data. After all, you may have already been informed of the disclosure of your data by the organisation from which the controller received your data.
In addition to the above, an organisation will not be obliged to comply with the obligation to provide information where, for example, it is essential that it does not do so in the interest of the prevention, investigation and prosecution of criminal offences, or for the protection of the rights and freedoms of others.
If you have any questions or complaints
Your first course of action should always be to contact the organisation itself about your questions or complaints. For information on your rights in the event of a dispute, please see the fact sheet entitled Mediation by the Dutch DPA in Respect of Your Data [Bemiddeling door het CBP inzake uw gegevens]. If you believe that your personal data have been used wrongfully and the controller fails to respond to your complaints, or fails to respond to your satisfaction, please refer to the fact sheet entitled Your Complaint and the Dutch DPA [Uw klacht en het CBP] for information on the subsequent action open to you.
Your other rights
In addition to your right to information, you have the right to access your personal data, to ask an organisation to supplement, correct, erase or block your personal data (this is the right to correction) and to lodge an objection. For information on how to exercise these rights, see the fact sheet entitled Data Subjects and their Rights [Rechten van de betrokkene].