Data traffic to countries outside the EU
The Wbp (Dutch Data Protection Act) contains specific provisions applicable to data traffic to third countries. Third countries are all countries outside the EU, with the exception of Norway, Liechtenstein and Iceland. The main rule is that personal data may only be transferred to third countries with an adequate level of protection. Where this is not the case, transfer will only be permitted on the basis of a statutory exception or with a permit from the Ministry of Justice. In all cases, parties will be expected to comply with the general requirements of the Wbp. One of these general requirements is the obligation to notify the Dutch Data Protection Authority (Dutch DPA) [College bescherming persoonsgegevens (CBP)].
Adequate level of protection
In order to determine whether or not a country has an adequate level of protection, you could first ascertain whether the Minister of Justice or the European Commission (EC) has adopted a decision on the level of protection offered in a third country.
The Dutch DPA Internet site includes a list of the countries on which the EC has adopted a decision as indicated above. This list contains all countries considered to have an adequate level of protection. Where no decision has been adopted, a company can analyse the situation itself, on the basis of a number of criteria.
The United States
The United States does not have any general legislation providing for the protection of personal data. For this reason, the European Commission has adopted a special decision in respect of the United States: an adequate level of protection shall only be deemed to apply for those organisations that have undertaken to comply with the so-called Safe Harbor Principles. These organisations are indicated in a public list, setting out which specific organisations comply with the above Principles. To view the list, please see the Internet site of the U.S. Department of Commerce.
Exceptions and permit from the Minister of Justice
If a third country does not provide adequate protection, it may nevertheless be possible to transfer personal data to that country; there are two possibilities. The first possibility is a transfer covered by one of the exceptions defined in the Wbp. This would apply, for example, where data subjects have given their unambiguous consent for the transfer of their data to a third country, or where data transfer is necessary for the fulfilment of a contract. These exceptions must be interpreted in a restrictive manner.
The second possibility is transfer on the basis of a permit granted by the Minister of Justice. These permits are subject to further conditions, which serve as a guarantee for the protection of personal data. One way of ensuring that adequate safeguards are provided is to use one of the model contracts approved by the EC. To date, the EC has approved two model contracts: 1) for transfer between two controllers, one of which is established in an EU country and the other outside the EU, and 2) for transfer to a processor in a third country. The use of a model contract expedites the permit procedure. On the Internet site of the European Commission you will find information on the EC’s model contracts and the adequacy of personal data protection in third countries.
Permit applications via the Dutch DPA
Applications for permits granted by the Minister of Justice must be submitted to the Dutch DPA, using the application form at the back of the brochure entitled Third countries. Transfer of Personal Data to Countries outside the European Union [Derde Landen. Doorgifte van persoonsgegevens naar landen buiten de Europese Unie], or via the Dutch DPA website. All applications must be accompanied by documents evidencing sufficient guarantees with regard to the data transfer in question. A permit will only be issued once the Dutch DPA has advised the Minister of Justice on the application.
Supervision by the Dutch DPA
If a country does not provide an adequate level of protection, any transfer to that country is unlawful unless covered by a statutory exception or a ministerial permit. The Dutch DPA monitors compliance with the Wbp by controllers based in the Netherlands who transfer data to third countries. The Dutch DPA will initiate its supervisory activities itself or in response to complaints received from citizens. In its primary activities, the Dutch DPA focuses on categories of transfer that entail special risks. For example:
- transfers involving a (financial) risk, such as credit card transactions via the Internet;
- repetitive transfers of bulk data.
The Wbp (Dutch Data Protection Act) allows the Dutch DPA to apply administrative force or impose an order for periodic penalty payments.
If you have any questions or complaints
Your first course of action should always be to contact the organisation itself about your questions or complaints. For information on your right to access to your data in the event of a dispute, please see the fact sheet entitled Mediation by the Dutch DPA in Respect of Your Data [Bemiddeling door het CBP inzake uw gegevens]. If you believe that your personal data have been used wrongfully and the controller fails to respond to your complaints, or fails to respond to your satisfaction, please refer to the fact sheet entitled Your Complaint and the Dutch DPA [Uw klacht en het CBP] for information on the subsequent actions open to you.
Your rights
In addition to your right to access, the provisions of the Wbp entitle you to request information on your personal data from an organisation, as well as the supplementation, correction, erasure or blocking of such data. You are also entitled to lodge an objection to certain types of use to which an organisation puts your data. For information on how to exercise these rights, please see the fact sheet entitled Data Subjects and Their Rights [Rechten van de betrokkene].