Dutch Data Protection Authority

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) is the data protection authority for the Netherlands and an independent administrative body that has been appointed by law as the supervisory authority for the processing of personal data. The organization is therefore concerned with privacy. The duties of the AP derive from the Data Protection Directive that applies to all countries of the EU. This directive has been replaced by the General Data Protection Regulation. The Implementation Act General Data Protection Regulation has replaced the Personal Data Protection Act and appointed the AP as supervisor. All EU Member States have their own body, similar to the AP.

Legal task
The Authority for Personal Data has the statutory duty to assess whether persons and organizations, including government organisations, comply with the Dutch Personal Data Protection Act. The AP also supervises compliance with the Police Data Act, the Municipal Personal Records Database Act and all other statutory regulations concerning the processing of personal data.

Name changes
The organization was called the College bescherming persoonsgegevens (CBP) until 2016. The CBP followed the Registratiekamer in 2001. With the change of name as per 1 January 2016, the body was granted the power to impose fines for violations of the Personal Data Protection Act (Wbp). These changes were a result of drastic changes to that law. In fact, the name change of 2016 only applies to 'in society', according to article 51 of the Wbp. That article still gives 'College bescherming persoonsgegevens' as a formal name.

Supervision of compliance with the Personal Data Protection Act
The Personal Data Protection Act means that an organization may only process personal data that is demonstrably necessary for the organization and for which no explicit prohibition exists. Examples of this are medical, sexual, political data and data about membership of a trade union. For governments, the term 'demonstrably necessary' means that there must be a legal basis for the processing of data

The supervisory functions mean that the Dutch Data Protection Authority can compel companies and governments to comply with the requirements of the Wbp. The AP can impose periodic penalty payments for this. Furthermore, the AP has a public register of data processing if it deviates from the usual processing. The AP can impose an administrative fine for not registering non-exempt processing. In all cases are supervised by court which makes the final decision.

In addition, the AP has the task of advising ministers and the House of Representatives, both solicited and unsolicited, on legislative proposals, in the light of the Wbp or other applicable rules.

The obligation to report data leaks by data controllers and processors to the Dutch Data Protection Authority is regulated by the inclusion of additional provisions in the WBP per 1/1/2016.

Members
The first members of the Data Protection Board were Peter Hustinx (chairman), Ulco van de Pol and Jan Willem Broekema (both vice-chairman). Hustinx and Van de Pol came from the Registratiekamer at the establishment of the Dutch DPA. Broekema came from the business sector. Hustinx later became the privacy supervisor for the European Union. At the end of 2004, Jacob Kohnstamm, former politician, became chairman of the Dutch DPA. The chairman is appointed by royal decree for a period of six years, the two members for four years. On 1 August 2016, Kohnstam was succeeded by Aleid Wolfsen.