Dutch DPA: general notification obligation no longer enforced

17 November 2017

On 6 November 2017 the Dutch Data Protection Authority ("Dutch DPA") released a press statement in which it announced that it does no longer enforce the general obligation on data controllers under the Dutch Data Protection Act to notify the Dutch DPA before carrying out any processing operation or set of such operations. As a result of the General Data Protection Regulation ("GDPR") that will apply from 25 May 2018, the general notification obligation will cease to exist and will be replaced with an obligation for data controllers and data processors to keep internal records of data processing activities. Until 25 May 2018, data controllers may still submit notifications, however the Dutch DPA will not enforce the notification requirements.

In the event of conducting certain data processing activities, data controllers still have an obligation to notify the Dutch DPA (i.e. relating to systematic observation and the processing of certain types of sensitive data). This system of prior notification will continue to exist under the GDPR, however in a slightly different form. In the event that processing activities are likely to result in a high risk for the rights and freedoms of individuals, under Article 35 of the GDPR data controllers must carry out a data protection impact assessment ("DPIA"). If the DPIA shows that the processing would result in a high risk (in the absence of measures taken by the controller to mitigate the risk), the data controller must consult the supervisory authority prior to processing.