The BRP and the GDPR
Are you a controller for the Personal Records Database (Dutch abbreviation: BRP)? Then you have to comply with the Personal Records Database Act and the Personal Records Database Decree. In addition, the General Data Protection Regulation (GDPR) contains rules for situations that have not been provided for in the Personal Records Database Act and the Personal Records Database Decree. You therefore have to comply with the Act on the Personal Records Database and the Personal Records Database Decree as well as the GDPR.
On this page
These are the controllers for the BRP
The specific rules from the GDPR regarding the BRP apply directly to the controllers for the BRP. For the BRP:
- the Municipal Executive of every municipality is the controller for the local part of the BRP of that municipality;
- the Minister of the Interior and Kingdom Relations (BZK) is the controller for the central facility of the BRP.
The National Office for Identity Data (Dutch abbreviation: RvIG) manages the BRP on behalf of the Minister of BZK. The RvIG is responsible for the safe storage and exchange of personal data in the BRP.
These are the obligations that you have under the GDPR
As a controller for the BRP, you have - among others - the following obligations under the GDPR:
- following the rules when engaging processors (Article 28 GDPR);
- keeping a processing register (Article 30 GDPR);
- reporting data breaches (Articles 33 and 34 GDPR);
- appointing a Data Protection Officer (DPO) (Articles 37 and 38 GDPR).
This is how you meet the notification obligation
Both the Personal Records Database Act and the GDPR provide for a notification obligation:
- Article 3.23, paragraph 1 of the Personal Records Database Act;
- Article 19 GDPR;
- Article 23 GDPR.
The notification obligation means that you have to inform other organisations if you have rectified or erased personal data in the BRP. You do not have to do this in all cases, though.
Impossible or disproportionate effort
The personal data processing operations in the BRP are complex. Apart from that, personal data from the BRP are provided on a large scale to diverse governmental organisations and third parties. As a result, you cannot always inform every recipient of personal data from the BRP about every rectification or erasure.
This is in line with Article 19 of the GDPR, which says that you do not have to inform recipients if this proves impossible or involves disproportionate effort.
Automatically informed
In practice, certain recipients already receive an automatic notification if there are changes in the personal data they usually receive. These are recipients that have been authorised by a ministerial decree for spontaneous change provisions from the BRP.
Request from data subject
Did you rectify or erase someone's personal data in the BRP at the request of that person (the data subject)? Then you will have to notify all governmental organisations and third parties to which these personal data were provided in the past 20 years. In this case too, you do not have to inform these recipients if this proves impossible or involves disproportionate effort.