Contributed By Vondst Advocaten N V
An organisation collecting and transferring data in violation of the GDPR or Dutch law (eg, the law of contracts if a contract prohibits such collection or transfer), faces the risk of legal action against it (such as penalties from the AP or claims for damages). In practice, this often means an organisation has to choose which law it decides to violate. There is no general ‘golden bullet’ to solve this dilemma. As discussed above, an organisation may argue that a foreign government data request may add weight to argue it has a legitimate interest for the processing as meant in Article 6(1) of the GDPR.