Logo of the Dutch governmentGo to homepage

Government information for entrepreneurs

General Data Protection Regulation (GDPR)

This information is provided by

Netherlands Chamber of Commerce (KVK) | Netherlands Enterprise Agency (RVO)

The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. It replaces the current privacy legislation. The GDPR consists of a number of rules for the (automatic) processing of personal data. This new EU regulation forces you as an entrepreneur to act more carefully and responsibly when dealing with personal data of customers, personnel or others. The GDPR applies to all independent entrepreneurs, whether they employ staff or not, even if you have only a few customers. You need to take into account the regulation’s conditions every step of the business process: even when sending a quotation, invoice or newsletter. So, in order to prevent a hefty fine from the Dutch Data Protection Authority (DPA), make sure you are GDPR-proof.

Does the GDPR apply to your company?

If your business is located in one of the EU member states or in the EEA, even if only with a subsidiary or branch, or if your customers, suppliers or any other stakeholders are residents of an EU member state, you need to comply with the GDPR.

Raise awareness in yourself and your organisation

Make sure you are aware of the terms and rules set out in the GDPR. Read about themExternal link or attend (or organise) an information session. Does your organization employ staff? Then start by informing relevant employees of the new privacy rules. They can assess the impact of the GDPR on your current processes, services and products. They can also help you determine what you need to do to comply with the GDPR. The DPAExternal link has developed tools to help you comply with the GDPR. Guidelines, for instance, that have been drawn up in collaboration with the other European privacy watchdogs.

Inform your customers of their rights

Explain exhaustively how you process personal data in a privacy statement, that is written in plain language. For instance:
  • What do you use the data for;
  • Why does that matter to your customer;
  • For how long you store the data.
Also, point out your customers’ rights to them. For instance:
  • The right to access, adjust and delete data
  • The right to limit or revoke permission
  • The right to data portabilityExternal link (download to EU guidelines on this page). This enables those involved to easily access and transfer their data to another organisation.
  • The right to file a complaint with the DPA. The DPA is legally obliged to deal with every complaint lodged.
Make sure your privacy statement is easy to find for your customers. One way to do this is to place a link to it in your website footer. And refer to the privacy statement in the ordering process.

Keep track of how you handle data

The GDPR requires that you are able to show what you do with personal data. Therefore, you must keep clear records of your data processing operations. Tell your suppliers and customers clearly which personal data you use, to what end, where you store them and with whom you share them. You’ll need a record of your data processing operations when people involved want to exercise their privacy rights.

When you outsource services that use personal data of a client, you’ll need explicit permission from that customer. For instance: when you make use of the services of an external call center or administrative office.

Make a Data Protection Impact Assessment (DPIA)

The GDPR may require that you perform a ‘Data Protection Impact Assessment (DPIA)External link (follow the link for the pdf download to EU guidelines)’. This is an extensive survey, used to chart the risks of data processing. A DPIA can help you take preventive measures, to eliminate the risks. You will only be required to perform a DPIA if the way in which you process personal data causes a possible high privacy risk. For instance, if you:
  • Analyse personal details systematically and extensively
  • Process special personal data on a large scale
  • Follow the activities of persons in a public access area on a large scale and systematically
Are you unable to take measures to eliminate or decrease this risk? Then confer with the DPA before you start processing data. The DPA will determine if your data processing operations violate the GDPR, and send you a written advice.

Make your products and services privacy-safe

If you develop new products or services, make sure that personal data are taken into account and their protection taken care of in the development process. This is called ‘privacy by design’. Only process those personal data that are absolutely vital for your specific purpose. This is called ‘privacy by default’. Some examples:
  • An app should only register a user’s location if this serves a purpose
  • Don’t pre-check the box ‘yes, I want to receive offers’ on your website
  • Don’t ask for any more details than necessary in your newsletter subscription form.

Find out if you need to employ a data protection officer

The DPA can force you to appoint a data protection officer (DPO)External link (follow the link for the pdf download to EU guidelines) . Does your company process data on a large scale? Then you might require a DPO. A DPO is responsible for:
  • supervision
  • data processing surveys
  • recording data processing reports
  • handling questions and complaints from persons within and outside the organisation
  • developing internal regulations / procedures
  • advising on technology and protection (privacy by design)
  • providing input for a new or amended code of conduct.
If it turns out you need a DPO, start the selection process on time. Of course, your organization is free to appoint a DPO of its own volition.

Document data leaks

The GDPR obliges you to record and document every data leak in your organisation, even the ones you do not need to report. Do you process privacy-sensitive data on behalf of your clients? Then you will have the legal obligation to report any data leaks occurring during those processes to them, so they can notify the DPA.

Draw up a data processor agreement

Draw up a data processor agreement with every organisation that processes personal data on your behalf. Even an external helpdesk viewing the data constitutes processing. And a subsidiary or foreign branch of the company counts as an external data processor. A data processor agreement establishes, for example:
  • that processing must be performed in accordance with the data controller’s instructions
  • secrecy
  • security measures
  • bringing in third parties and subcontractors
  • data location
  • audits or surveys
  • accountability.
Do you have a data processor agreement in place? Then check if it meets the GDPR requirements.

Determine the supervisor for your company

Is your organisation active in several European countries? Or do your data processing activities affect several member states? The GDPR requires you to deal with only one privacy supervisor, for instance the Dutch DPA.

Permission to process data

The GDPR puts strict demands on the permission you need to acquire before you process any personal data. It pays off to analyse the ways in which you request, acquire, and register people’s permission to process data. You must be able to demonstrate that you have acquired permission in a legally correct way. If not, you may face a hefty fine of up to 4% of your annual (global) turnover.

This information is provided by

Netherlands Chamber of Commerce (KVK)
Netherlands Enterprise Agency (RVO)