Implementation of the GDPR in the Netherlands

Due to its many opening clauses and its dependency on national law, most notably national constitutional and administrative law, the implementation of the General Data Protection Regulation (hereafter: GDPR) gives rise to many choices and difficulties. The article highlights some of those problems the Netherlands encountered while implementing the GDPR in national legislation. The article examines the general structure of the implementation legislation and its underlying policy-neutral approach. The consequences of policy-neutrality are illustrated by some examples, linked to the use of some of the opening clauses of the GDPR. The GDPR has consequences for the level of constitutional protection of the right to protect personal data, since the importance of the national constitution in protecting this constitutional right is being limited. Some notes highlight the material scope of the Implementation Act which does not completely follow the material scope of the GDPR. The interplay between Union and national administrative law is illustrated by various paragraphs on the Data Protection Authority, its organisation and powers. The generous use of the exemptions on special categories of data which already existed in Dutch data protection law has been continued, although within a different legal framework. The important restrictions of the rights of the data subject have been implemented in a very practical way. After some brief notes on the adaptation legislation, some of the many differences between the Dutch and German implementation are highlighted. The article ends with some conclusions.