Contributed By Vondst Advocaten N V
Under the applicable GDPR framework, international data transfers of personal information to countries outside the EU (or the EEA) are subject to restrictions. Aside from these restrictions, Dutch law does not impose any particular further restrictions on international data transfer. An exception is that data transfer to sanctioned countries or persons may be forbidden or restricted.
International data transfers are subject to the mechanisms set out in the GDPR. For instance, it is permitted to transfer data to a country outside the EU (or EEA) if the transfer is based on Binding Corporate Rules (BCRs) for intra-group transfers, standard data protection clauses, approved codes of conduct or approved certification mechanisms.
BCRs are well established in the Netherlands, with some Dutch multinationals being pioneers in this respect. The AP has played an active role and the EDPB has adopted several documents in which guidance is given to companies wishing to implement BCRs.
On its website, the AP gives further guidance with respect to data transfers to the UK in light of Brexit.
With the exception of the events set out in Article 46 of the GDPR, Dutch law does not require any government notifications or approvals to transfer data internationally.
Where a company wishes to implement BCRs for the international transfer of data, such BCRs need to be approved by the competent DPAs within the EU and the EDPB. Once BCRs are in place, no further authorisation of the AP is required.
There are no data localisation requirements as such in the Netherlands. However, companies should ensure that the international transfer of data does not restrict supervision by competent regulators, including the AP and financial regulators such as the Dutch National Bank (DNB) and the Financial Market Supervisor (AFM).
The DNB has provided guidance in its 2011 circular on cloud computing, which is available on DNB’s website, as to what (contractual) safeguards should be taken to allow the DNB to adequately supervise in the event of outsourcing to a cloud provider. The DNB has also initiated discussions with major cloud providers such as Microsoft and Amazon in order to make their cloud contracts regulator-friendly.
In the Netherlands, there is no requirement to share software code or algorithms or similar technical detail with the government.
An organisation collecting and transferring data in violation of the GDPR or Dutch law (eg, the law of contracts if a contract prohibits such collection or transfer) faces the risk of legal action against it (such as penalties from the AP or claims for damages). In practice, this often means an organisation has to choose which law it decides to violate. There is no general ‘golden bullet’ to solve this dilemma. As discussed above, an organisation may argue that a foreign government data request adds weight to the argument that it has a legitimate interest in the processing within the meaning of Article 6(1) of the GDPR.
The Netherlands does not have a tradition of blocking statutes that hinder the application of the law of other jurisdictions, and no such blocking statutes are active. On a European level, blocking statutes may be adopted, as was recently done with respect to US sanctions in relation to Iran.