The General Data Protection Regulation (GDPR; in Dutch: Algemene Verordening Gegevensbescherming, AVG) has replaced the Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp). The new European privacy law tightens rules and regulations pertaining to the automatic processing of personal data. Under the GDPR, entrepreneurs are obliged to take extra measures when storing data on customers, staff and other persons. Read more about key changes in the GDPR.
Protection of personal data
You must take suitable measures to protect data pertaining to your customers and employees. You may not, for example, collect and further utilise more personal data than absolutely necessary. You must also limit access to personal data. Under the GDPR, you may be obliged to carry out a Data Protection Impact Assessment (DPIA) (in Dutch), in which the risks of data processing are analysed in depth. This enables you as an entrepreneur to take prompt measures to avoid these risks as much as possible.
Duty to disclose information
The GDPR stipulates that you must justify the registration and use of data in your possession. You must tell your customers or employees which personal data you intend to use and what for. You must also provide them with your own details (company name and address) and inform them if you intend to share their personal data with other organisations. It is mandatory to include a privacy statement on your website. This can be done using the privacy declaration generator (verklaringgenerator) (in Dutch).
The Netherlands Enterprise Agency develops business scans that ask a number of questions to tell you which rules apply to your business. Follow the steps in our GDPR guide or do the GDPR scan (Regelhulp AVG) (in Dutch) to help you meet the GDPR rules.
Report processing of personal data
If you are starting a company in the Netherlands and you intend to process personal data, you must report to the Dutch Data Protection Authority (Dutch DPA, Autoriteit Persoonsgegevens). However, you may be exempt from having to report. Please contact the Dutch DPA for more information. The GDPR stipulates that businesses must register and file all data leaks.
Reporting theft, loss or abuse of personal data
You must notify the DPA (in Dutch) and the persons involved of any theft, loss or abuse of personal data for which you are responsible. If you fail to report a data breach in time, the DPA may impose a fine.
Online procedure via Message Box
If you have to report your use of personal data for a procedure subject to the Services Act (Dienstenwet), you can also do this via Message Box. Message Box is a secure email system that enables you as an entrepreneur to exchange digital messages with Dutch government agencies.