Obligation to provide information
The data subject must be able to ascertain how his data is being used. As such, an organisation must inform the data subject of its name and address and of the reasons underlying the collection of his data. The Wbp distinguishes two situations:
- Where data is collected directly from a data subject, he must be informed of this beforehand. An organisation will not be required to notify the data subject where the latter is already aware that this data is collected. For example, an organisation obtains personal data from the data subject himself where a personal data form is to be completed when entering into a contract. The organisation can then comply with its obligation to provide information via the form to be completed.
- An organisation must also inform a data subject as described above when data is recorded without the involvement of the data subject, or where data is collected solely in order to disclose it to a third party. In the latter situation, the organisation must inform the data subject of its disclosure of data before or at the same time as this data is first disclosed to the third party in question. This will not apply where notification is not possible, or where this would only be possible with disproportionate effort on the part of the organisation. Disproportionate effort will apply where an organisation is only able to ascertain the address of the data subject by means of extremely time-consuming efforts on its part. However, where this is the case, an organisation must record the origin of the data concerned, enabling the data subject to ascertain the use made of his data in retrospect. Another exception to an organisation’s obligation to notify the data subject applies in situations where an organisation records or discloses the data in question pursuant to a statutory obligation.
More information on the obligation of an organisation to provide information can be found in the fact sheets Right to information [Uw recht op informatie] (this fact sheet is intended for data subjects) and Obligation to provide information [Informatieplicht] (this fact sheet is intended for organisations).
Right to access
A data subject has the right to request access to his data and
its use by an organisation. A data subject can ask an organisation whether
it is using his personal data. Where this proves to be the case, the organisation
will be allowed a period of four weeks in which to provide the data subject
with an overview of the data used. It must also provide information on
the reasons underlying the processing of the data subject’s data,
the recipients of the data and, where available, the source from which
the data was obtained. When providing the above information, the organisation
may request a contribution towards the costs involved, subject to a maximum
of € 4.50.
Where an overview also contains data pertaining to a third party, which third party is likely to object to the provision of the overview to the data subject, the organisation must give the third party in question the opportunity to state its views.
An organisation may refuse a request for access where necessary, for example where this is in the interest of the prevention, investigation and prosecution of offences, or in order to protect the rights and freedoms of others. For more information on your right to access, please see the fact sheets entitled Right to Access to your personal data [Inzage in uw persoonsgegevens] (for data subjects) and The provision of Access to Personal Data [Het geven van inzage in persoonsgegevens] (for organisations).
Right to correction
Further to his access to his data, the data subject may request that the organisation in question correct, supplement, erase or block his data. This will be possible in situations where the data being used by the organisation is factually inaccurate, incomplete or irrelevant to the purpose or purposes for which processing is intended. The organisation must respond to requests submitted by individual data subjects within a period of four weeks.
Where an organisation complies with a request submitted
to it, the other organisations to which the (incorrect)
data was disclosed during the course of the previous
year must also be informed of the changes made, except
where this is impossible or would require an unreasonable
effort on the part of the organisation. The organisation
must inform the above organisations of the changes
made as soon as possible.
You can find more information on your right to correction in the fact sheets The Correction of your Personal Data [Correctie van uw persoonsgegevens] (for data subjects) and The Correction of Personal Data [Het bieden van correctie] (for organisations).
Right to object
The right to object entails that a data subject
has the right to object (lodge an objection) to certain
forms of use made of his data by an organisation. Two
forms of objection are possible:
- A data subject may lodge an objection against the use of his data for direct marketing purposes. The organisation in question must then stop this use immediately in all cases. The data subject is not obliged to provide any reasons for his objection and the organisation will not be permitted to request payment for dealing with a request of this nature. Any organisation that uses personal data for direct marketing purposes must inform the data subjects in question of their right to object. More information on this kind of objection can be found in the fact sheets The Combating of Unsolicited Advertising [Het tegengaan van ongevraagde reclame] (for data subjects) and The Use of Customer Data for Direct Marketing Purposes [Het gebruik van klantgegevens bij direct marketing] (for organisations).
- In several cases, a data subject is able to lodge an objection in connection with special personal circumstances. For instance, a patient has participated in a medical research programme. The research results are collected in a central database. Afterwards he learns that an acquaintance of his works as a researcher in the place where this central database is situated. He prefers to hide his illness from his acquaintance and therefore has every interest in getting his data removed or kept in a form which no longer permits identification. In this case he can lodge an objection. The organisation in question will be allowed a period of four weeks in which to decide whether to cease processing the data subject’s data or to continue processing this data where it feels it has good reason to do so. The organisation may request an amount of up to € 4.50 for handling the data subject’s request. This amount must be returned to the data subject if the organisation accepts his request.
Exercising rights
Data subjects may use the model letters (in Dutch) developed by the Dutch Data Protection Authority (Dutch DPA) [College bescherming persoonsgegevens (CBP)] when wishing to exercise their rights. Where an organisation fails to respond to a request from a data subject within four weeks, or fails to do so to the data subject’s satisfaction, see the fact sheet entitled Mediation by the Dutch DPA in Respect of Your Data [Bemiddeling door het CBP inzake uw gegevens] for details of the action open to the data subject in question.
Where a data subject has a complaint that does not concern his ability to exercise his rights, but the use being made of his data, he will be able to submit this complaint to the Dutch DPA. For more information on the submission of complaints to the Dutch DPA and the Dutch DPA’s complaints handling, see the fact sheets entitled Your Complaint and the Dutch DPA [Uw klacht en het CBP] (for data subjects) and Complaints Handling by the Dutch DPA [Klachtenbehandeling door het CBP] (for organisations).