For the government: legislative advice

The Dutch Data Protection Authority (Dutch DPA) must be asked for advice when drawing up legislation and regulations concerning personal data processing.

This obligation follows from Article 36, paragraph 4 of the General Data Protection Regulation (GDPR). The Dutch DPA can also advise on legislation at its own initiative. The aim of legislative advice is to have the intended legislation meet the requirements of the GDPR and to limit the privacy risks for the data subjects.

Do you want to know if you have to ask the Dutch DPA for legislative advice? And how the process works? On this page you can find all the information you need.

In which case do you ask the Dutch DPA for advice?

You assess for yourself whether you have to ask the Dutch DPA for advice. You do this by testing your case against Article 36, paragraph 4 GDPR. Here it says:

"Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing."

Police and judicial authorities
Advice on the processing of police data and judicial data does not usually fall under the GDPR, but under the Data Protection in the Law Enforcement Sector Directive (2016/680).

In that case, advice is provided on the basis of Article 35b, paragraph 1, point b of the Police Data Act or, as the case may be, in conjunction with Article 27, paragraph 3 of the Judicial Data and Criminal Records Act. This does not make any difference for the advisory process.

For legislative proposals as well as subordinate legislation

It follows from the GDPR that you have to ask the Dutch DPA for advice not only for legislative proposals, but also for orders in council and ministerial regulations.

Broad criterion

The criterion 'relating to processing' is fairly broad. You have to ask for advice for intended laws or regulations if they legally change, affect or influence the personal data processing in any way.

This will always be the case for legislation that makes use of the leeway offered by the GDPR to the national legislator. Such as in Article 6 of the GDPR: legislation that aims to offer a new legal basis for data processing (within the meaning of Article 6, paragraph 1, point c or e) or that aims to amend legislation pertaining to this.

It goes without saying that you also have to ask for advice for legislation that, for example, means an exception to the prohibition of processing special categories of personal data (Article 9 GDPR) or criminal data (Article 10 GDPR).

When asking for advice is not necessary

The intended legislation or regulations must pertain to, or be related to, personal data processing operations. It therefore does not concern legislation that does not offer a specific basis for processing operations and does not stipulate anything about processing operations.

This holds even if, in practice, the legislation could actually lead to new or additional processing operations. For example, if the intended legislation does not stipulate anything about personal data in an application, but will lead to more applications and therefore more processing operations.

Advice is also not necessary if the legislation or regulations do not change anything in the regime that already applies for the processing operations concerned (in terms of scope, type of processing, legal regime, impact, purposes or otherwise). For example, if incorporating existing provisions unaltered into a different or more comprehensive law is the only aim.

Legislation and regulations in the Caribbean Netherlands
Note: Does it concern intended legislation or regulations that (also) cause changes in legislation and regulations in the Caribbean Netherlands? Then the BES Personal Data Protection Supervisory Committee is competent to provide advice.

At what time do you ask the Dutch DPA for advice?

 

At what time you ask the Dutch DPA for advice depends on the question of whether the draft has already been worked out in sufficient detail and – in the case of intended secondary regulations – whether the delegation basis has been established sufficiently.

Advice on legislative proposal

You can ask the Dutch DPA for advice on the draft as soon as the considerations and the provisions relating to personal data processing have been worked out in sufficient detail in this draft. That means in practice that you have to meet the following requirements:

  • you have completed the 'data protection impact assessment' (DPIA), if you have to carry out one;
  • the considerations and the choices regarding the necessary processing operations have been made;
  • a justification of them is available in an explanation.

If necessary for your planning, you may already ask for advice in the period in which an Internet consultation also takes place, provided that the relevant provisions and considerations have already been worked out in sufficient detail by that time.

Note: A statutorily required advice is, by its nature, different from a response to an Internet consultation.

Advice on secondary regulations without existing delegation basis

  • In the case of an order in council or a regulation, you can make your request for advice as soon as the legislative proposal with the delegation basis has been adopted by the Second Chamber.
  • Does it concern a ministerial regulation based on a delegation provision in an order in council? Then you can make your request for advice as soon as this delegation basis has been submitted for advice to the Advisory Department of the Council of State.

Prior to the advisory process (informal preliminary stage)

 

Do the intended laws or regulations constitute a special breach of privacy? For example because of:

  • the large scale;
  • the new or innovative nature;
  • the nature of the personal data;
  • the nature of the data subjects.

Then it may be useful to explain your intentions to the Dutch DPA at a meeting prior to the advisory process. We call this the preliminary stage. The purpose of this meeting is not to reach agreement, but to exchange information in an informal setting, about the:

  • problems to be addressed;
  • policy-related context of these problems;
  • relevant aspects of the privacy legislation.

This is in the (mutual) interest of the best possible insight into the problems.

Note: The informal preliminary stage is only possible if you have not yet asked the Dutch DPA for advice.

Treaties leading to transfers

Transfers of personal data to a country outside the EEA are only permitted if that country offers an appropriate level of protection, comparable to that offered by the GDPR. If a country cannot offer this, measures are necessary for ensuring adequate protection of personal data. To this end, the GDPR contains a specific regime in which treaties can also play a part.

In that case, it concerns treaties to which the Kingdom is a party, that aim to apply to the European Netherlands (as well), and that are deemed to offer 'appropriate safeguards' for personal data transfers to countries for which no adequacy decision applies (as yet).

Ask the Dutch DPA for advice on a draft treaty as early as possible, preferably in a stage in which the text of the treaty is still being prepared and/or negotiated. This prevents bottlenecks at the stage of signing and/or parliamentary approval.

It is likely that standard contractual clauses play an important part in the treaty practice, possibly including the protection of personal data. The Dutch DPA can inform you about this and see if advice on standard contractual clauses only is sufficient. The advice may be a mere formality in that case, provided that the draft treaty does not deviate from an acceptable standard.

Which requirements does your request for advice have to meet?

 

Your request for advice must consist of the following parts:

  • The text of the draft.
  • The explanatory notes to the draft. These must contain a separate paragraph with a justification concerning the processing of personal data in light of the GDPR (Implementation Act). Also see: Directions for the regulation 4.43, point d and Directions for the regulation 5.33.
    Is this paragraph missing? Then the Dutch DPA recommends that you add it to the explanatory notes. And then submit the draft for advice to the Dutch DPA again.
  • An accompanying letter with contact person (of the sender) and reference (of the sender).
  • If available: a DPIA.

Note: Is your request for advice not complete? Then the Dutch DPA may decide not to process your request.

How do you send your request for advice to the Dutch DPA?

 

Preferably send your request for advice to the Dutch DPA by email. You do this via wetgevingsadvies@autoriteitpersoonsgegevens.nl.

Send a letter with a reference, a date, and the concrete request for advice in an attachment to your email. This makes it certain that you meet your statutory obligation to ask for advice on behalf of the minister, and that you ask for advice about the relevant version of the intended legislation or regulations.

By post
You can also send your request by post. You send it to:

Autoriteit Persoonsgegevens
Afdeling Wetgevingsadvisering
Postbus 93374
2509 AJ DEN HAAG.

Within which period will the Dutch DPA provide advice?

The Dutch DPA aims to provide advice within 8 weeks of receipt of the formal request for advice. But due to capacity shortage, we are currently often unable to respond within this period. We are working on a solution for this. In the meantime, we make efforts to limit bottlenecks as far as possible, in consultation with you.

Tip: Make sure that the explanatory notes to your intended legislation or regulations contain a justification (in a separate paragraph) with regard to the personal data processing. If you do this with due care, our advice will usually be completed sooner.

Urgent request for legislative advice
 

You can make an urgent request. We will then assess if there is a sufficiently urgent interest. If so, we will prioritise your request for advice as far as possible.

Note: Contact us as soon as possible if you have an urgent request.

What is in the advice from the Dutch DPA?

 

The Dutch DPA uses an assessment framework to assess the draft. In brief, this means that the Dutch DPA assesses if the draft meets the requirements of the GDPR (Article 6, paragraph 3), and (with it) the principle of proportionality from the Charter of Fundamental Rights of the European Union (Article 52, paragraph 1).

In concrete terms, this means that the Dutch DPA assesses whether the draft meets the following requirements:

  1. Suitability: the draft is suitable for realising the pursued purpose of general interest or the protection of the rights and freedoms of others.
  2. Subsidiarity: the purpose cannot reasonably be achieved as effectively in another way that affects the fundamental rights of the data subjects to a lesser extent.
  3. Proportionality: the interference is not disproportionate to that purpose. This implies in particular a weighing of the interest of the purpose and the gravity of the interference.
  4. Legal certainty: the draft is sufficiently clear and precise about the scope and is predictable in its application.
  5. Substantive and procedural safeguards: the draft indicates sufficiently in which circumstances and on which conditions personal data may be processed. In this way, the draft ensures that the interference is limited to what is strictly necessary.
  6. Binding nature under national law: the draft is binding under national law.

Does your draft not meet the assessment framework? Then the Dutch DPA will indicate in the advice which points fail to meet the requirements. In that case, adjustment of the legislative text and/or explanatory notes is necessary. In exceptional cases, you can only follow the advice by withdrawing the draft.

Workload for the Dutch DPA
 

In the advice, the Dutch DPA also makes an estimate of whether the intended legislation or regulations will lead to a greater workload for the Dutch DPA, because more intensive supervision is required. For example because of:

  • the large number of data subjects;
  • the high impact of the draft;
  • the special complexity, as a result of which possibly many and/or complex complaints will be submitted to the Dutch DPA;
  • the necessity of intensive cooperation with other supervisory authorities.

Note: Is a significantly greater workload for the Dutch DPA already foreseen during the preparation of the draft? Then the Dutch DPA assumes that it will already be involved at that stage. The same applies when the Dutch DPA is given a new task based on the intended legislation or regulations.

When does the Dutch DPA publish the advice?

 

The Dutch DPA publishes the advice no later than within 2 weeks after the date of the advice. This is in line with the general standard as currently laid down in Article 3.3, paragraphs 1 and 2 of the Open Government Act (Dutch abbreviation: Woo). Publication is effected by publishing the advice on the website of the Dutch DPA.

Exception in the case of negative effects


There is 1 exception to this rule. Would publication of the advice within 2 weeks negatively affect the envisaged purpose of the intended legislation or regulations, for example because persons to whom it is addressed will anticipate it? Then you can indicate this in your request for advice. Also indicate why this would be the case. The Dutch DPA may then decide to publish the advice earlier or later. This is also in accordance with the regime of the Woo.

Overview of legislative advice


View Legislative advice for an overview of all legislative advice of the Dutch DPA that has been published since 25 May 2018.

What happens after the advice (follow-up phase)?

 

Did the Dutch DPA in its advice express objections against the draft on major points? And did you adjust the draft to remove these objections, but does your government member attach great importance to the question of whether the Dutch DPA thinks this sufficient? Then you can contact the Dutch DPA. We will then see if we can help you and if so, in what manner.

Include the Dutch DPA's advice in the explanatory notes


Do you derogate from the Dutch DPA's advice on principal points? Then you have to state this in the explanatory notes to the draft, including the reason for your derogation. Do this by discussing the Dutch DPA's advice in a separate paragraph and paying attention to each of the (principal) points of this advice.

Want to know more?
 

You can find the extended version of this information in the Circular letter from the Dutch DPA about legislative advice. This is a letter sent by the Dutch DPA to all ministries, with information about changes and developments in the area of legislative advice as of 1 September 2023.

Quick answers

As a ministry, do I have to apply for a prior consultation for new legislation?

No, this is usually not necessary. The obligation to ask the Dutch DPA for a test always applies to legislation on personal data processing, regardless of whether or not there is a high risk (Article 36, paragraph 4 GDPR).

In this legislative test, the Dutch DPA checks the privacy aspects of the intended processing operation. In the methodology of the Dutch DPA, a separate prior consultation would be redundant.

Note: A legislative test from the Dutch DPA is mainly about the legislative text itself. Are there any aspects of the processing operation(s) that have not logically been dealt with already in the legislative text or the explanatory notes? Then these are not part of the test.

There may be issues of a factual nature in the implementation or the implementing systems to which the (national) legislation does not apply. For example, because the regulation is not needed for it or has a different level of abstraction. Or because the subject has fully been covered in the GDPR in principle (such as security of processing in Article 32 GDPR).

Do such subjects result in a high risk? Then you can apply to the Dutch DPA for a prior consultation about them. Did you apply for such prior consultation? Then state this in your request for a legislative test.