Drafting a privacy statement
Do you process personal data? For example, do you keep, use, or share your customers’ or visitors’ personal data because you supply goods or services? Under the privacy legislation, the General Data Protection Regulation (GDPR or Algemene Verordening Gegevensbescherming, AVG), you must let your customers know what you do with their personal data and why. You do so with a privacy statement.
What are personal data?
Personal data are all data (information) that concern a person or that can be traced back to someone. Personal data include:
- name, address, and telephone number
- citizen service number (burgerservicenummer, BSN)
- camera or audio recordings
- health data
Is a privacy statement mandatory?
If you process personal data, a privacy statement is always mandatory. Under the privacy law, you must inform people about your privacy policy (information requirement). You must let your customers know what you do with their personal data and why. You should generally provide the information in writing, for example with an online privacy statement. You may also inform your customers in another way, as long as they can easily find and understand the information.
What must be included in a privacy statement?
You have to draw up your privacy statement in clear language. You have to include, among other things:
- name and contact details of your organisation
- who has access to the personal data
- for how long you keep the data
Model privacy statement
If you want a model privacy statement for your Dutch company, you can use the Dutch-language privacy statement generator at Veiliginternetten.nl. It provides a basic text you can use for your own privacy statement.
DPA monitors privacy policy
If you process personal data, you must be able to show that you comply with the privacy law (duty of accountability). You must also be able to show the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) that you inform your customers about what you do with their personal data. The Dutch DPA is the supervisory body for privacy legislation.