Contributed By Vondst Advocaten N V
There is no Dutch law that expressly allows an organisation to invoke a foreign government access request as a legitimate basis to collect and transfer personal data, except that the secret services or other governmental agencies may have certain rights to share data with foreign governmental agencies.
With respect to foreign government access requests, the basic rule is therefore, as follows from Article 6(3) of the GDPR, that an organisation may not invoke such request as a legitimate basis to collect or transfer personal data. However, a foreign government access request may help to assume that processing can be based on the legitimate interests ground of Article 6(1) of the GDPR. In this respect, reference is made to the guidance on the processing of personal data in the context of whistle-blower hotlines that was issued by the ArtWP29 (WP 117). Although this opinion is not explicitly endorsed by the EDPB in Endorsement 1/2018, it may still serve as useful guidance on this matter.