The Dutch legislature has made extensive use of the so-called “opening clauses” of the GDPR. Among others, they provide for derogating provisions for data subjects’ rights and public authorities. The Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming) also specifies many provisions in the areas of health and employment.
In the following sections, you will find the additions and derogations to the GDPR on data protection topics most important to companies. If topics are not linked, there are no derogating or specifying provisions in the national data protection law.
- Specific data protection law and official guidelines
- Substantive and territorial scope (no regulations deviating from the GDPR)
- Definitions (no regulations deviating from the GDPR)
- Legal principles (no regulations deviating from the GDPR)
- Legal basis (no regulations deviating from the GDPR)
- Sensitive data
- Informing requirements
- E-marketing (new regulation by ePrivacy Regulation remains to be seen)
- Cookies
- Automated decision-making
- Rights of data subjects
- Processing on behalf of a controller (no regulations deviating from the GDPR)
- Records of processing activities (no regulations deviating from the GDPR)
- Data security (no regulations deviating from the GDPR)
- Data breaches
- Data protection impact assessment (DPIA)
- Data protection officer
- Certification (no regulations deviating from the GDPR)
- Data transfer (no regulations deviating from the GDPR)
- Supervisory authorities
- Sanctions and penalties
- Data protection for employees
- Archiving, scientific and historical research
