The Authority for Personal Data has the statutory duty to assess whether persons and organizations comply with the Dutch Personal Data Protection Act including government organisations. The AP also supervises compliance with the PoliceData Act, the Municipal Personal Records Database Act and all other statutory regulations concerning the processing of personal data.
Name changes
The organization was called the College bescherming persoonsgegevens until 2016. The CBP followed the Registratiekamer in 2001. With the change of name as per 1 January 2016, the body was granted the power to impose fines for violations of the Personal Data Protection Act. These changes were a result of drastic changes to that law. In fact, the name change of 2016 only applies to 'in society', according to article 51 of the Wbp. That article still gives 'College bescherming persoonsgegevens' as a formal name.
Supervision of compliance with the Personal Data Protection Act
The Personal Data Protection Act means that an organization may only process personal data that is demonstrably necessary for the organization and for which no explicit prohibition exists. Examples of this are medical, sexual, political data and data about membership of a trade union. For governments, the term 'demonstrably necessary' means that there must be a legal basis for the processing of data The supervisory functions mean that the Dutch Data Protection Authority can compel companies and governments to comply with the requirements of the Wbp. The AP can impose periodic penalty payments for this. Furthermore, the AP has a public register of data processing if it deviates from the usual processing. The AP can impose an administrative fine for not registering non-exempt processing. In all cases are supervised by court which makes the final decision. In addition, the AP has the task of advising ministers and the House of Representatives, both solicited and unsolicited, on legislative proposals, in the light of the Wbp or other applicable rules. The obligation to report data leaks by data controllers and processors to the Dutch Data Protection Authority is regulated by the inclusion of additional provisions in the WBP per 1/1/2016.
Members
The first members of the Data Protection Board were Peter Hustinx, Ulco van de Pol and Jan Willem Broekema. Hustinx and Van de Pol came from the Registratiekamer at the establishment of the Dutch DPA. Broekema came from the business sector. Hustinx later became the privacy supervisor for the European Union. At the end of 2004, Jacob Kohnstamm, former politician, became chairman of the Dutch DPA. The chairman is appointed by royal decree for a period of six years, the two members for four years. On 1 August 2016, Kohnstam was succeeded by Aleid Wolfsen.