Do you process personal data? Do you, for instance, keep, use, or share your customers’ or visitors’ personal data because you supply goods or services? Under the privacy legislation, the General Data Protection Regulation (GDPR or Algemene Verordening Gegevensbescherming, AVG), you must let your customers know what you do with their data and why. You do so with a privacy statement.
What are personal data?
Personal data are all data (information) that concern a person or that can be traced back to someone. Common personal data are:
- address and place of residence
- telephone numbers
- postal codes with house numbers
Is a privacy statement mandatory?
What must be included in a privacy statement?
You have to draw up your privacy statement in clear language. You have to include at least:
- name and contact details of the organisation that decides why and how the personal data are used (the processor)
- why you want to use the data (the purpose)
- which good reason (the legal grounds) you have to process personal data
- who has access to the personal data
- if you transfer the data outside the EU
- for how long you keep the data
- what your customer’s rights are
- where your customer can file a complaint
- if and why the customer is obligated to give you their personal data
- if you make use of automated decision-making and how
- if you obtained the personal data from another organisation
Model privacy statement
If you are interested in a model privacy statement you can use for your Dutch company, you can use the Dutch-language privacy statement generator at Veiliginternetten.nl. They provide you with a basic text you can use for your own privacy statement.
If you process personal data, you must be able to show that you comply with the privacy law (accountability). The AP, the Dutch DPA, can check this.