Tasks and powers of the Dutch DPA
The Dutch Data Protection Authority (Dutch DPA) supervises processing of personal data in order to ensure compliance with laws that regulate the use of personal data. The tasks and powers of the Dutch DPA are described in the General Data Protection Regulation (GDPR), supplemented by the Dutch Implementation Act of the GDPR.
The tasks and powers of the Dutch DPA can be roughly divided into four sections:
- providing advice;
- providing information, education and accountability;
- international assignments.
- Undertaking investigations assessing compliance with the law (Art. 55 and 58(1)(e) GDPR). In case of a violation of the law, the Dutch DPA can use its enforcement powers (Art. 58(2), 83 and 84 GDPR). For example by issuing a fine.
- Conducting prior consultations (Art. 36(1) GDPR). Controllers have to consult the Dutch DPA prior to processing where a data protection impact assessment (DPIA) indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
- Assessing codes of conduct (Art. 40 GDPR).
- Certification by encouraging the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with the GDPR of processing operations by controllers and processors (Art. 42(1) GDPR).
- Handling complaints from data subjects who consider that the processing of personal data relating to them infringes the GDPR (Art. 77 GDPR) and mediating in disputes with data controllers (Art. 36 Implementation Act).
- Providing advice on legislative proposals and draft texts of general administrative regulations that wholly or significantly deal with the processing of personal data (Article 36(4) GDPR). The Dutch DPA provides both solicited and unsolicited advice and consults with the legislature.
Providing information, education and accountability
- Providing information on how to interpret privacy legislation.
- Providing general information regarding the protection of personal data on this website and by telephone.
- Publication of annual reports.
- Cooperation with the other supervisory authorities concerned when the Dutch DPA is the lead supervisory authority (Art. 60 GDPR).
- Mutual assistance: rendering all necessary assistance to the supervisory authorities of other EU member states if this is requested (Art. 61 GDPR).
- Joint operations with the supervisory authorities of other member states (Art. 62 GDPR).
- Consistency mechanism: in order to contribute to the consistent application of the GDPR throughout the European Union, the supervisory authorities cooperate with each other and, where relevant, with the European Commission (Art. 63, 64 and 65 GDPR).
- Participating in various international and European fora, such as the European Data Protection Board (EDPB).
- Membership of the joint supervisory bodies for Europol, Eurojust and European information systems.
For more information, see International tasks and activities.
Guarantees regarding the proper performance of its tasks
In the execution of its powers, the Dutch DPA is bound by the standards enshrined in the General Administrative Law Act (Algemene wet bestuursrecht):
- Individuals can object to, and appeal against, decisions of the Dutch DPA with the administrative court.
- Individuals can submit a complaint about the Dutch DPA with the National Ombudsman.
- The Freedom of Information Act (Wet openbaarheid van bestuur) applies to the activities of the Dutch DPA.
- As an administrative body, the Dutch DPA is also bound by the general principles of proper administration.