Articles 11.2 and 11.3 of the Telecommunications Act state that:
- The provider of a public electronic communications network and the provider of a public electronic communications service shall refrain from collecting, processing or otherwise intercepting or verifying data via a public electronic communications network or public electronic communications service and the related data unless and insofar as:
  - the data subject concerned has given his explicit consent for these actions;
  - these actions are necessary to ensure the integrity and security of the networks and services of the provider concerned;
  - such actions are necessary for the transmission of information via the networks and services of the provider concerned; or
  - these actions are necessary to implement a statutory regulation or court order.
- Prior to obtaining permission the data subject has to be provided with the following information:
  - the identity of the provider or of any third party on whose behalf the communication is made;
  - the purposes of the processing for which the data are intended (marketing also on behalf of third parties);
  - more detailed information such as the type of data obtained, the circumstances in which data are to be obtained and the further use of data which are to be obtained in order to guarantee with respect to the data subject that the processing is carried out in a proper and careful manner;
  - the data subject’s right to access and correct data;
  - the data subject’s right to object to further processing of his personal data for marketing purposes (opt-out).
- A data subject can withdraw their consent for the processing of their personal data at any time.
Providers of trust services only process personal data obtained from the person concerned or with his explicit consent, and insofar as the processing of these personal data is required for the provision of confidential services. The personal data shall not be collected or processed for other purposes, unless the data subject has given his explicit permission for this. The explicit permission of the person concerned is not required if the processing of the personal data is necessary for the purpose of detecting fraud, or if the processing is claimed by or pursuant to the law.
The provider of a publicly available electronic communications service shall immediately inform the Dutch Data Protection Authority (DPA) of a breach of security that has adverse consequences for the protection of personal data processed in connection with the provision of a public electronic communications service. The provider should immediately inform the person whose personal data is related to a personal data breach if the infringement is likely to have adverse consequences for their private life, unless the Dutch DPA rules that this is unnecessary (e.g. because the provider has taken measures to protect the data subject’s information, by encryption etc.).
The UAVG maintains the current exception in the Data Protection Act that exempts companies in the financial sector from notifying data breaches to data subjects. This exception only applies to companies covered by the Financial Supervision Act, such as banks, insurance companies and trusts. However, such a company must notify the breach to the DPA and the financial regulators.