

III. Privacy topics

Internet and consumer privacy


In May 2004 the EU Directive on Privacy and Electronic Communications (2002/58/EC) was partly implemented by outlawing spam. Senders of commercial electronic messages will need prior consent from the email address holder. During a hearing in the Dutch Parliament in August 2003, the NGO Bits of Freedom asked for an obligation for senders to prove prior consent. An amendment including this proof of consent was added into the law. The ban on spam does not cover work email addresses, a concession made after fierce industry lobbying to prevent such a proposal. Several persons and companies have since been fined for spamming. More recently, proposals have been announced to include work email addresses in the law after the direct-marketing industry failed to agree on self-regulation regarding business-to-business e-mail marketing. The Dutch Telecom Regulator, OPTA, has been very active in banning spam sent from the Netherlands since May 2004.1 Through the website, OPTA collects over 20,000 consumer complaints annually.2 In 2009 OPTA initiated 68 investigations, issued 51 warnings, and imposed several fines, with the highest of these in the amount of €250,000.

In May 2004, the Parliament passed the law on e-commerce (Wet elektronische handel) implementing the EU E-Commerce Directive (2000/31/EC). Under the law, hosting providers risk liability for illegal content posted by their customers. Once service providers have been notified, and the unlawfulness is "apparent," they should take immediate action to block or remove the content. There is no unified notice-and-takedown procedure in the Netherlands that implements these legal obligations.


No specific information has been provided under this section.

Online behavioural marketing and search engine privacy

On 14 July 2008, the European Data Protection Supervisor, Peter Hustinx, awarded the first European Union (EU) Privacy Seal by EuroPriSe to the Dutch search engine Ixquick.3 The European Privacy Seal ensures that Internet technology products and services comply with EU laws and regulations on privacy and data security.

Online social networks and virtual communities

In December 2008, the CBP investigated alleged illegal data collection by Advance Concepts. This company owned multiple online Web quizzes, for example for people to determine their "real age". The agency concluded that Advance Concepts used these tests to obtain personal information such as medical histories and, without the users' consent, sold the data on to third parties for marketing purposes.4 In response to the findings of the CBP, Advance Concepts changed its policies and implemented an opt-in policy.5

Online youth safety

With regard to personal data that is published via the Internet in the Netherlands, the CBP developed and published guidelines in order to clarify what is and is not permitted.6 Regarding minors, "the Dutch DPA takes a proactive stance in providing the rules applicable for social networking and for online marketing."7

In March 2009, the CBP investigated the practices of youth social network site Zikle. In a letter to the site's owner, the CBP concluded that the website did not provide enough information to its users about the purposes of personal data collection and did not have enough security measures in place to restrict the publication of users’ data on the Internet.8

Workplace privacy

The CBP ruled in 2006 that, in the event of a transition from one occupational health and safety service provider to another, employees' records could not be transferred to the new service provider without a legal framework.9 Further, the CBP did research in 2007 to determine whether a different approach is possible within the existing statutory framework.10 The outcome was to distinguish, "…between data that is not subject to medical professional secrecy and data that is."11 The final determination was that data that is not subject to medical professional secrecy may be transferred and data that is subject to medical professional secrecy may only be transferred under certain conditions.12

Health and genetic privacy

Medical records

The CBP has been tracking the progress of the implementation of an electronic child file (the Elektronisch Kind Dossier or EKD) which will record a child's development and environmental indicators from birth.13 Bringing the EKD online for youth health care was postponed until 1 January 2008 and is not expected to become compulsory until 2010.14 The CBP is particularly concerned about whether the data will be used outside the health care sector, for example to create a national reference index of young people at risk.15

In the health sector, the CBP earlier issued an advisory on the draft legislation that introduces the electronic patient file (EPD). The CBP argues, "Making patient files available to all care providers is far too risky, partly with a view to the protection required for particularly sensitive personal data. With the exception of emergency situations, only care providers with a treatment relationship with a patient ought to have access to the record in question."16 The first parts of the electronic patient file infrastructure are now in place, but actual access to patient files still extends beyond those providers that have a treatment relationship with patients. When balancing the usability of the system and the need to retain the confidentiality of patient records, the former still prevails, although there is a post hoc control mechanism enabling patients to check who accessed their files. (For more information, see Guido van 't Noordende, "Security in the Dutch electronic patient record system", ACM 2nd annual workshop on security and privacy in medical and home-care systems (SPIMACS), Chicago, USA, Oct 2010.)

In February 2010, the CBP advised the Minister to regulate health insurers' access to the EPD by taking out the section that let health insurance companies access them as electronic patient file users.17 The Minister responsible for health care implemented this advice.18 Additionally, the CBP investigated two regional private EPD initiatives and concluded that both were in violation of Dutch privacy law.19 The authority found that there were no appropriate access controls to prevent doctors from looking into files of patients they were not treating, that the log files were not used to deter wrong use of personal data, and that the patients were not informed about the use of their data for the EPD.20

In June 2009, the CBP ordered four hospitals to make periodic penalty payments, in order to force them to improve the level of security of their health data.

Genetic identification

In February 2005, the DNA Testing of Convicted Persons Act came into force. The law makes it possible to take DNA samples from all persons who are convicted of crimes carrying a maximum penalty of four years or more. The mouth swab sample will be investigated by the Netherlands Forensic Institute (NFI) in order to determine the DNA profile.21

Financial privacy

In March 2010, the CBP advised the Minister of Finance to include a privacy paragraph in a new legal proposal that would regulate the use of the Burger Service Number within financial institutions to prevent money laundering and terrorism. Because the proposal would govern all bank accounts in the Netherlands, the CBP said the privacy paragraph should enumerate all the specific circumstances under which financial data would be attached to a citizen's BSN.22