The Netherlands: A new act introduces a notification duty for personal data breaches and higher fines


Get an insight into the latest news in Dutch employment law, e.g. The Merger Code, changes to minimum wage rates and The Data Breach Act.

Scope of SER merger expanded

The Merger Code laid down by the Social Economic Council was created in order to protect the interests of employees who are employed within an enterprise in the case of a merger. 

The Merger Code lays down that the merging parties must involve the unions in the merger process, such that they can give their opinion on the merger and exercise influence on the decision making. In addition, the merger must be notified to the SER.

On 1 October 2015, the new Merger Code entered into force. One of the most important amendments is that the scope of application of the Merger Code must be interpreted more broadly. Due to this, government, non-profit organisations and the professions (such as accountants and attorneys-at-law) also fall under the scope of application of the Merger Code from that date. Another important amendment is that a union of a merger party can exercise the possibility for mediation if it is of the opinion that the Merger Code rules are not or not properly being complied with. Previously, the only recourse parties had in such a situation was to initiate proceedings before Merger Code Disputes Committee.


Working beyond state pension age should be made more attractive

As from 1 January 2016, it will become more attractive for employers to retain employees who receive state pension on the basis of the General Old Age Pensions Act.

This is to be regulated in the Working Beyond State Pension Age, which was adopted by the Upper House on 29 September 2015. The following amendments are to be introduced:

  • For old age pensioners (OAPs), the obligation to continue payment of their wages during sickness has been limited to a maximum of 13 weeks (it is currently two years). The intention is to evaluate this amendment in 2018. There is then a possibility that the obligation to continue payment of wages in the case of sickness may well be reduced to six weeks.
  • The obligation for the employer to reintegrate a sick OAP employee is limited to 13 weeks (also instead of two years). In addition, the obligation for the employer to seek suitable work with another employer has been repealed. The obligation to seek suitable work in the company will remain in force. Finally, the obligation to draw up a plan of approach has also been repealed.
  • The notice of termination prohibition in the case of sickness of an OAP employees is to be limited to 13 weeks (instead of two years). Also applicable to this is that, after evaluation of the Act, this period might be reduced to six weeks.
  • The notice period for termination of an employment agreement with OAP employees is to be limited to one month (instead of up to four months, dependent on the length of the employment relationship).
  • An employer may offer an OAP employee a maximum of six employment agreements for a definite period within four years before an agreement for an indefinite period can exist. This is in contrast to employees who have not reached OAP age, where a maximum of three employment agreements over a period of 2 years is applicable. In the determination of whether the period of four years or the number of agreements has been exceeded, only the employment agreements which were entered into after reaching OAP age are to be counted.
  • An employer is not obliged to honour requests for an increase or reduction of the number of working hours of an OAP employee.

Transitory law
The rules regarding the obligation to continue payment of wages and the notice to terminate prohibition during sickness will continue to be applicable for six months after the Act enters into force. Therefore, for an OAP employee who reports sick on 1 January 2016, the old Act will apply until 1 July 2016. The other rules are to enter into force immediately.

Other relevant amendments regarding OAPs
As a consequence of the Fraud (Bogus Schemes) Act, from 1 July 2015 OAP employees, just as other employees, are entitled to the statutory minimum wage. Furthermore, since the introduction of the Work and Social Security Act, an employer may give notice to terminate the employment agreement on account of reaching OAP age without intervention of a court or the Employee Insurance Administration Agency (the ‘UWV’). A severance payment is also not due. The employer is not obliged to exercise this dismissal option on an OAP date; he may exercise this option at a later date. The condition is, however, that the employment agreement was entered into before the employee reached OAP age. As soon as the OAP employee is taken into permanent employment, the regular dismissal rules apply. The OAP employee, however, is still not entitled to severance pay.


Changes in minimum wage rates

The rates of the minimum wage are adjusted twice a year i.e. in January and in July. 

The rates are based on working on a full-time basis.

The gross minimum wage rates as per 1 January 2016 (in Euros):

Age Monthly Weekly Daily 
23 years and over  1.524,60  351,85  70,37 


Working from home and flexible working hours

On 14 April 2015, the Dutch Senate approved the bill on flexible working hours. 

At present, an employee may only request for either more or fewer hours. As of 1 January 2016, an employee may also request different working hours or permission to work from home. The employer may only refuse a request for an adjustment to working hours (i.e. both the number of hours and the times) if there is a compelling business interest that outweighs it. For example, problems with security, work rotas or financial and organisational problems. No compelling business interest is required for the employer to refuse to grant permission to work from home, but reasons must be given for the refusal.


Duty of notification in case of personal data breaches and higher fines

The Data Breach (Notification Obligation) Act and the extension of the power to impose fines comes into force on 1 January 2016. This Act will insert into the Dutch Data Protection Act an obligation to report a data security breach. 

The introduction of this obligation anticipates the European General Data Protection Regulation, which is expected to introduce a similar obligation as of 2018. Furthermore, the violation of various provisions that are included in the Dutch Data Protection Act will be fined more heavily. The number of provisions in the Dutch Data Protection Act for which an administrative fine can be imposed will also be increased.

Notification duty
When a breach of the required security measures is discovered that is associated with possible severe negative consequences for the protection of personal data, the data controller will be required to immediately report this to the Dutch Data Protection Authority (as from 1 January 2016 the “Personal Data Authority”: the Authority). In addition, data controllers will be required to notify affected individuals if the personal data breach is likely to adversely affect them, unless the compromised data is encrypted or otherwise unintelligible to third parties. Furthermore, the data controller is required to keep a record of all personal data breaches.

At this moment, the maximum administrative fine for non-compliance with the Dutch Data Protection Act is EUR 4,500, and the Authority has limited power to impose a fine. However, from 1 January 2016, the Authority will be able to impose fines for non-compliance with a substantial amount of provisions of the Dutch Data Protection Act. Also, the maximum amount of the possible fine will increase substantially: non-compliance with the obligation to notify can result in a fine up to a maximum of EUR 810,000 or even 10% of the annual net turnover of a company, per violation. The Authority is generally required to give a binding instruction before imposing a fine.

Action plan
When a data security breach is discovered, your organisation will have to notify this immediately to the Authority and, in certain situations, to the data subjects concerned. As the notification has to be done immediately (as soon as reasonably possible), it will be too late to draw up a plan of action at the moment that a data security breach is discovered. Therefore, as from 1 January 2016, each organisation needs to have an action plan for the unlikely event of a data breach.


VAR statement to be abolished

On 2 July 2015, the House of Representatives passed the ‘Independent Contractor Status Assessment Deregulation Act’ that will abolish the VAR statement (Statement of Employment Relationship issued by the Tax Authorities). 

This statement provides clarity on the fiscal status of the employment relationship between self-employed contractors and clients, so clients know whether they are responsible for the levying and payment of income tax and social insurance contributions. The VAR statement will be replaced by a voluntary approval procedure from April 2016 (target date). There will be no transitional provisions.

Under the new bill, interest groups representing independent contractors or clients, sectoral organisations or individual clients or independent contractors will be able to submit contracts to the tax authorities. These will be assessed in terms of whether or not there is a duty to withhold wage tax and social security contributions. If not, this provides certainty for the parties concerned. If necessary, the contract can be amended in consultation with the tax authorities, in order to obtain approval.

The contracts submitted will be disclosed online by the tax authorities. The tax authorities will also publish cross-sectoral model contracts online. Assuming that no provisions are added that deviate from the content of the model contract and that this contract is actually taken as a basis, the use of this contract will result in exemption from income tax and social security contributions. Approval will be granted for a maximum period of five years. The State Secretary expects that the first (forty) model contracts will be able to be published in October.

It is essential that the contract is followed in practice. The client is responsible for ensuring this. A one-off deviation from the contract does not affect the exemption, provided that it is reasonably argued that this concerns a one-off event or a temporary situation. If the approved (model) contract is not followed, no exemption applies. The tax authorities can then claim income tax and social security contributions from the client. If, following a dispute relating to employment law, the courts rule that a contract of employment exists (or existed in the past), the tax authorities cannot claim payment of the wage tax or social security contributions. The approval is then withdrawn.

Certain types of ‘notional employment’ for wage tax purposes will be covered by the approval procedure and therefore exempt from employer deductions. However, the remuneration of a supervisory director/non-executive board member (deemed employment relationship) will always be subject to wage tax withholding.


Introductory whistleblower protection

On 2 July 2015, the House of Representatives passed the amended bill on whistleblowing. Initially, the initiators of the bill “House for Whistleblowers Act” proposed to place the House for Whistleblowers under the authority of the National Ombudsman (an independent functionary who deals with citizens’ complaints against the government). However, following criticism of the Senate, the initiators have changed the House of Whistleblowers into a special independent administrative body. The bill will probably enter into force somewhere at the start of 2016.

The Act aims to set up an independent House for Whistleblowers which investigates wrongdoings and assists employees in disclosure proceedings. The guiding principle of the Act is that employees first have to report wrongdoings internally, so that the employer has the opportunity to eliminate wrongdoings himself. External disclosure at the House is only possible if internal disclosure was not treated properly (e.g. not within a reasonable term) or if specific circumstances require an immediate external disclosure. For example, if there is an immediate threat involving a serious and urgent public interest or if the management of the company is involved in wrongdoing. External disclosure must be made in an appropriate and proportionate manner. If the disclosure was made in good faith and in accordance with the relevant procedures, the employee is protected from dismissal or other less favourable treatment due to his disclosure. Furthermore, all companies with at least 50 employees are required to put in place an internal whistleblowing procedure.