On this page
If you do business in the Netherlands, you must comply with the Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp). This act states that you must handle the personal data of your customers and employees carefully. This involves, for example, securing the data against loss or theft. You also have to inform your customers and employees about what happens to their data. In some cases, you must report your data processing to the Dutch Data Protection Authority, DPA (Autoriteit Persoonsgegevens).
Protection of personal data
You must take suitable measures to protect data pertaining to your customers and employees. You may, for example, not collect and further utilise more personal data than that which is truly necessary. You must also limit access to personal data.
Duty to disclose information
You must tell your customers or employees which of their personal data you will use and what for. You must also provide them with your own details (company name and address) and inform them if you share their personal data with other organisations. It is mandatory to include a privacy statement on your website. This can be done using the privacy declaration generator (verklaringgenerator) (in Dutch).
Report processing of personal data
If you are starting a company in the Netherlands and you will be processing personal data, you must report to DPA. However, you may be exempt from having to report. Please contact the Dutch DPA for more information.
Reporting theft, loss or abuse of personal data
You must notify DPA (in Dutch) and the persons involved of any theft, loss or abuse of personal data for which you are responsible. If you fail to notify any data breach in time, DPA may impose a fine.
Online procedure via Message Box
If you have to report your use of personal data for a procedure subject to the Services Act (Dienstenwet), you can also do this via Message Box. Message Box is a secure email system that enables you as an entrepreneur to exchange digital messages with Dutch government agencies.