According to Article 8 (a) of the DPA, personal data may only be processed if the data subject has unambiguously given his or her consent for the processing. The consent must be freely given and aimed at a specific processing or processings of data. The consent does not need to be in writing, but there must be no doubts about the data subject’s consent (Ministry of Justice, Guidelines for Personal Data Processors 2001:50). An unambiguous consent can however be given implicitly (Wright and Terstegge 2004:287).
The Act sets up in Article 16 a prohibition to process special (sensitive) personal data, with some exemptions. E.g. the prohibition does not apply where the processing is carried out with the “express consent of the data subject”, cf. Article 23-1 (a). (See also Exemption from consent.)
The guidance to the DPA states that an “[e]xplicit consent means that the data subject must have expressed his will explicitly. This is (even) stronger than the unambiguous consent [required for non-sensitive personal data]” (Ministry of Justice, Guidelines for Personal Data Processors 2001:50). An explicit consent is neither directly required to be in writing (Wright and Terstegge 2004:287).
The legal age of consent
According to Article 5 of the DPA, the legal age for consent is sixteen years of age. If personal data about minors under the age of sixteen are to be processed, it is required with consent from their legal representative.
Obligation to provide information
When personal data are to be obtained from a data subject, the data controller shall provide the data subject with the following information prior to collection of the said personal data, unless the data subject is already familiar with this information (cf. Article 33):
· the identity of the data controller
· the purposes of the processing for which the data are intended
· the type of data, the circumstances in which they are to be obtained or the use to be made thereof
The Act emphasizes that this information is necessary in order to guarantee the data subject that the processing is carried out in a proper and careful manner.
There is a clear distinction between when, as mentioned above, personal data is to be obtained from the data subject, and when personal data is to be obtained in a manner other than directly from the data subject. In the latter case, (the same) information should be provided to the data subject either
a) at the time that the data relating to him/her is recorded or,
b) when it is intended to supply the data to a third party, at the latest on the first occasion that the said data are to be disclosed (cf. Article 34-1).
When obtaining personal data in a manner other than directly from the data subject, the obligation to provide information does not apply if it appears to be impossible or would involve a disproportionate effort to provide the said information to the data subject. In that case, the data controller shall record the origin of the data (cf. Article 34-4).
Exemption from consent
According to Article 23 (b) of the Act, the prohibition to process special (sensitive) personal data does not apply if the data have manifestly been made public by the data subject. This provision would seem to be highly relevant e.g. when harvesting sensitive data from the Internet.
Further, with specific relevance for research, the prohibition to process sensitive personal data for the purpose of scientific research or statistics does not apply where the following cumulative conditions are met (cf. Article 23-2):
· the research serves a public interest,
· the processing is necessary for the research or statistics concerned,
· it appears to be impossible or would involve a disproportionate effort to ask for express consent and,
· sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent
This provision implicates that consent has absolutely priority, unless it appears impossible or would involve a disproportionate effort (Wright and Terstegge 2004).
Article 44 of the DPA also states restricted rights of data subjects if personal data is processed by an institution or service for scientific research or statistics. If the necessary arrangements have been made to ensure that the personal data can only be used for statistical or scientific purposes, then e.g. the right to be informed that his or her details are being processed and the right to submit a request to inspect these details do not apply (de Cock Buning et.al: 2009).
Exemption from consent for medical research
Medical professional secrecy is regulated by Book 7 of the Dutch Civil Code. Whereas Article 457 states that disclosure of patients’ health information can only take place with the consent of the patient, Article 458.1 provides exemption from consent for the purpose of statistics or scientific research in the field of public health, if:
· seeking consent is not reasonably possible and if, with respect to the performance of the research, such guarantees have been given that the privacy of the patient is not disproportionately prejudiced; or
· seeking consent, taking into account the nature and object of the research, cannot reasonably be required and if the provider of the care has ensured that the information is given in such manner that tracing to individual natural persons is reasonably prevented.
Such disclosure is only possible if:
· the research serves a public interest;
· the research cannot be carried out without the relevant data; and
· to the extent that the patient involved has not explicitly objected to the information being given (Article 458.2 of Book 7 of the Dutch Civil Code) (Burgerlijk Wetboek Boek 7)
The provision indicates that, it is only possible to rely on non-consent alternatives if the nature and object of the research indicates consent cannot reasonably be required. However, the disclosed information still has to be as anonymised or encoded as possible (Wright and Terstegge 2004:282).
Developing correct random sample
The Code of Conduct for Health Research describes different examples relating to exemptions from consent, e.g. one example in connection with developing a correct random sample for the research purpose. If the above mentioned criteria are fulfilled, it is possible to create the correct sample without consent when obtaining consent from enough individuals would involve sending a request to a much larger number of people than is considered necessary for the research purpose taken into grant that only a small percentage of the sample would respond. In addition the following requirements apply (cf. Articles 6.1 (c) and 6.3 of the Code of Conduct for Health Research):
· the procedure is described in the research protocol;
· access takes place with and under the authority of the care provider involved in the treatment;
· access to more data than needed for the establishment of the random sample will not be granted;
· the researcher signs a pledge of confidentiality;
· when the random sample has been defined, then consent must be requested from those included in the sample in accordance with the regular conditions for consent, before the personal data can be further processed. Until that time the selected files remain under the supervision of the care provider.
Ministry of Justice, 2001. Guidelines for Personal Data Processors (Personal Data Protection Act) [pdf]. Available at: <http://www.privacy.nl/uploads/guide_for_controller_ministry_justice.pdf>. [Accessed 20 August 2014].
Overheid.nl: Burgerlijk Wetboek Boek 7 [online] Available at: <http://wetten.overheid.nl/BWBR0005290/> [Accessed 20 August 2014].
The Dutch higher education and research partnership for network services and information and communication technology (SURF), 2009. The legal status of raw data: a guide for research practice [pdf]. Available at:
<http://www.surf.nl/binaries/content/assets/surf/en/knowledgebase/2009/SU... [Accessed 18 August 2014].
The Council of the Federation of Medical Scientific Societies: Code of Conduct for Medical Research, 2004 [pdf]. Available at: <http://www.federa.org/sites/default/files/bijlagen/coreon/code_of_conduc... [Accessed 22 August 2014].
The Dutch Personal Data Act, 2000 [online] Available at:
<http://www.dutchdpa.nl/Pages/en_wetten_wbp.aspx> [Accessed 20 August 2014].
Wright, J. and B. Gordijn, 2005. Medical Research on Human Subjects and RECs in the Netherlands. In: D. Beyleveld, D. Townend, and J. Wright, ed. 2005. Research Ethics Committees, Data Protection and Medical Research in European Countries. Ashgate. pp. 153-162.