Public Records Act and GDPR
As a governmental organisation, you use and produce all sorts of information for the performance of your public duties. Certain public sector information is of permanent social and historic value. Pursuant to the Dutch Public Records Act, you are obliged to retain this information permanently. Since this public sector information usually contains personal data, you have to deal not only with the Public Records Act, but also with the General Data Protection Regulation (GDPR).
On this page
Purpose of the Public Records Act
The purpose of the Public Records Act is to preserve important public sector information and make this information accessible in order to ensure that, for example, the government can account for its performance of public duties. The information may also be used for investigations and legal claims. The archives with public sector information are an important part of the cultural heritage of the Netherlands.
Archiving in the public interest
The GDPR acknowledges the importance of archiving. The GDPR and the GDPR Implementation Act contain provisions that specifically pertain to archiving in the public interest. These are, among others:
- Article 5, paragraph 1, points b and e GDPR;
- Article 9, paragraph 2, point j GDPR;
- Article 14, paragraph 5, point b GDPR;
- Article 45 GDPR Implementation Act.
Weighing of interests
The principles underlying the Public Records Act and the GDPR differ. Under the Public Records Act, you are obliged to retain important information, but data minimisation is an important principle in the GDPR. In practice, as a governmental organisation, you may have to weigh up the importance of archiving against the importance of the protection of personal data.
For more practical information about how to apply the GDPR in archiving, read the pages:
New Public Records Act
Currently, a new Public Records Act is being drafted. The Dutch Data Protection Authority (Dutch DPA) has advised to integrate the principles of the GDPR more into this new Public Records Act. This way, governmental organisations that comply with the Public Records Act will also automatically meet the requirements of the GDPR. See: Advice on modernisation of the Public Records Act.