The Netherlands: Amendment to Dutch Data Protection Act

On February 9th, an amendment to Dutch privacy regulation went into effect. Under the Data Protection Act, companies that use standard Contractual Clauses approved by the European Commission no longer require a permit for the transfer of personal data to countries outside of the European Economic Area (EEA). This is expected to reduce the administrative burden on these companies.

Before these changes, a permit was required for data transfers to countries outside of the EEA, even when standard contractual clauses were used, because those countries were not considered to offer appropriate safeguards for the protection of personal data. Delays could be significant.

Other changes to the Data Protection Act include higher fines for violations (from €7,600 to a maximum of €19,000 for failing to register the processing of personal data with the governing authority or intentional acts of omission), as well as additional obligations for the data controller when data subjects opt-out of direct marketing.

Of Note

In the area of Data Protection, the European Commission has published helpful guidelines and model contract clauses which may ease current restrictions on the flow of personal data from Data Controllers established in any of the 27 EU Member States and three EEA member countries (Norway, Liechtenstein and Iceland) to Data Controllers or data processors established in countries which do not (according to the EC) ensure an adequate level of data protection. The Commission has so far issued two sets of standard contractual clauses for transfers to data controllers established outside the EU/EEA and set of contractual clauses to data processors established outside the EU/EEA.