On 27 January, the data protection authority in the Netherlands (“Dutch DPA”) published its main policy priorities (so-called “themes”) for the year 2017. Apart from the GDPR, the themes include: profiling, special / sensitive personal data and data security. For companies doing business in the Netherlands, the Dutch DPA’s enforcement agenda is relevant, as it is one of the very few sources to rely on when trying to assess enforcement risks and exposure. Here is a summary of the key areas of attention of the Dutch DPA.

M&A and post-merger integration related compliance issues

The DPA has become increasingly interested in data processing in the private sector. It notes that mergers and acquisitions often result in large data collections becoming available to companies and warns of the risk of scope creep. This is an important indication that the Dutch DPA may well pay particular attention to companies in their post-merger integration phase. As the Dutch DPA is known for responding to press coverage, news on M&A transactions may very well draw the Dutch DPA’s attention to the parties involved in those transactions.

FinTech: regulators may go ‘hunting in packs’

The Dutch DPA has realised that technological and business innovations in the finance sector in the Netherlands are on the rise. This year, the DPA plans to agree on cooperation in FinTech-related matters/protocols with several financial supervisory and consumer protection authorities.

For established financial institutions and start-ups and scale-ups in the FinTech industry, this might mean that data protection compliance will be considered by sector regulators in addition to the Dutch DPA, and that various regulators might more actively exchange and pursue indications that personal data is not processed in a compliant manner.

Customer portal sites: data security & Access- and Identity Management

The Dutch DPA is aware that more and more companies launch ‘customer portals’ and underlines data security risks that are typical of such portals. Most notably, it warns of the risk that users unintentionally obtain access to personal data of other users if data security is not correctly implemented. In practice, this underlines the necessity for controllers to implement proper Access- and Identity Management in order to demonstrate that measures were taken to avoid unauthorised access to customer data and to provide users with sufficient opportunity to exercise their rights.

Information requirements for those who profile data

For ‘profiling’ as a policy priority for the year, the emphasis of the Dutch DPA is on transparency. The DPA stresses the importance of citizens being informed of what personal data is collected, what happens with such data and for what purposes it is being collected.

Sensitive and ‘special’ personal data – spotlight on additional safeguards

For “special personal data” as a policy priority in 2017, the Dutch DPA will focus on the prohibition to process special personal data and whether the conditions that apply to the statutory exemptions to this prohibition are applied correctly.

Focus on data breach notification requirement and clear data security issues

For “data security” as another policy priority for this year, data breaches and the data breach notification duty will remain high on the DPA’s enforcement agenda. It will enforce the notification duty, but will also investigate if data security is clearly not up to standard in other situations.

Contributor: Andre Walter


Wouter is a partner in the Firm's IP/IT & Commercial Practice Group in Amsterdam. He has significant experience in assisting national and international clients with respect to issues concerning ownership and protection of electronic data. Wouter has a particular interest in all internet-related issues on the subject of intellectual property rights.