Information about your website visit can be stored on your computer, along with your personal details. That information can also be read from your computer by website administrators. This is done by means of cookies, small files that store internet settings on your computer.
Two types of cookies
Some cookies store preferences such as language settings and information you have submitted, including personal details. This makes it possible to fill a shopping cart in an online store, or for a website to “remember” you when you visit again in the future.
There are also cookies that are used to create user profiles and track searches and surfing behaviour. All these personal details can be shared with commercial parties and advertisement networks, with or without payment.
Permission to place cookies
The Dutch Telecommunications Act stipulates that with effect from 5 June 2012, websites must inform you if they wish to place cookies that, for example, track the pages you visit. They are only permitted to do so with your permission.
Websites do not need your permission in order to place cookies that are necessary for the proper functioning of a service or web shop. These are, for example, files that remember what items you have placed in your virtual shopping cart.
Permission to process personal details
Whenever cookies are used to process personal details, the Dutch Data Protection Act applies in addition to the Telecommunications Act. The Data Protection Act stipulates that a processor generally requires what is referred to as unambiguous permission in order to process the relevant personal details.
Since 1 January 2013, a legal assumption has applied with regard to cookies that track surfing behaviour. The law assumes that whoever places a cookie to track surfing behaviour does so in order to process personal details. This means that as a rule, unambiguous permission is required for cookies that track surfing behaviour, unless the entity placing the cookies is able to demonstrate that it is not processing any personal details.
Reporting security breaches
Since 5 June 2012, telecommunication companies have been subject to an obligation to report security breaches. They are required to report any loss, unintentional disclosure, theft or misuse of personal details immediately to the regulator OPTA. The objective is to provide insight into and optimise the quality and security of networks and services, in order to increase confidence in and the use of IT services.
Companies are also required to inform users of any security breaches if it is anticipated that the breach will have an adverse impact on the user’s privacy (for example, misuse of credit card details). In addition, users must be informed of the precautions they can take to limit any adverse consequences of the security breach.
Source: Dutch national government