Drafting a privacy statement

Published by:
Netherlands Enterprise Agency, RVO

Do you process personal data? Do you, for instance, keep, use, or share your customers’ or visitors’ personal data because you supply goods or services? Under the privacy legislation, the General Data Protection Regulation (GDPR or Algemene Verordening Gegevensbescherming, AVG), you must let your customers know what you do with their data and why. You do so with a privacy statement.

What are personal data?

Personal data are all data (information) that concern a person or that can be traced back to someone. Common personal data are:

  • name
  • address and place of residence
  • telephone numbers
  • postal codes with house numbers

Is a privacy statement mandatory?

Under the privacy law, you must inform people about your privacy policy (information requirement). The Dutch privacy authority (Autoriteit Persoonsgegevens, AP) is the supervisory body for privacy legislation. The Dutch DPA recommends an online privacy statement as a good way to meet the information requirement. However, you can also inform your customers in a manner other than an (online) privacy statement. The important thing is that your customer can easily find and understand the information.

What must be included in a privacy statement?

You have to draw up your privacy statement in clear language. You have to include at least:

  • name and contact details of the organisation that decides why and how the personal data are used (the processor)
  • why you want to use the data (the purpose)
  • which good reason (the legal grounds) you have to process personal data
  • who has access to the personal data
  • if you transfer the data outside the EU
  • for how long you keep the data
  • what your customer’s rights are
  • where your customer can file a complaint
  • if and why the customer is obligated to give you their personal data
  • if you make use of automated decision-making and how
  • if you obtained the personal data from another organisation

Model privacy statement

If you are interested in a model privacy statement you can use for your Dutch company, you can use the Dutch-language privacy statement generator at Veiliginternetten.nl. They provide you with a basic text you can use for your own privacy statement.

DPA monitors privacy policy

If you process personal data, you must be able to show that you comply with the privacy law (accountability). The AP, the Dutch DPA, can check this.
