The General Data Protection Regulation (GDPR or Algemene Verordening Gegevensbescherming (AVG) in Dutch) has replaced the Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp). The new European privacy law tightens rules and regulations pertaining to the automatic processing of personal data. Under the GDPR, entrepreneurs are obliged to take extra measures when storing data on customers, staff and other persons. Read more about key changes in the GDPR.
Protection of personal data
You must take suitable measures to protect data pertaining to your customers and employees. You may not, for example, collect and further utilise more personal data than absolutely necessary. You must also limit access to personal data. Under the GDPR, you may be obliged to carry out a Data Protection Impact Assessment (DPIA) (in Dutch), in which the risks of data processing are analysed in depth. This enables you as entrepreneur to take prompt measures to avoid these risks as much as possible.
Types of personal data
Personal data that identify people can only be used in certain situations. These data include:
• name
• address
• phone number
• citizen service number (burgerservicenummer, BSN)
You can only use these data when the other person has given their consent. You can also use the information if it is necessary to carry out a service. For example, you need a customer’s address to deliver goods.
There are more restrictions around using so-called special personal data. This means data that is sensitive. You are not allowed to use these data unless you have legal grounds for it. For any data from the special category, additional safeguards must be put in place to protect it.
Keeping personal data safe
You have a duty to protect any personal data you collect and store. You must adhere to the following:
• Do not collect or keep more personal data than strictly necessary
• Only a (very) limited number of people in your company should have access to this data
• Do not keep personal data for longer than necessary
• You may have to carry out a Data Protection Impact Assessment
There are 10 steps you can take to make your business GDPR compliant.
Duty to disclose information
The GDPR stipulates that you must justify the registration and use of data in your possession. You must tell your customers or employees which personal data you intend to use and what for. You must also provide them with your own details (company name and address) and inform them if you intend to share their personal data with other organisations. It is mandatory to include a privacy statement on your website. This can be done using the privacy declaration generator (verklaringgenerator) (in Dutch).
The Netherlands Enterprise Agency develops business scans that tell you which rules apply to your business by asking a number of questions. Follow the steps in our GDPR guide or do the GDPR scan (Regelhulp AVG) (in Dutch) to help you meet the GDPR rules.
Report processing of personal data
If you are starting a company in the Netherlands and you intend to process personal data, you must report to the Dutch Data Protection Authority (Dutch DPA, Autoriteit Persoonsgegevens). However, you may be exempt from having to report. Please contact the Dutch DPA for more information. The GDPR stipulates that businesses must register and file all data leaks.
Reporting theft, loss or abuse of personal data
You must notify the DPA (in Dutch) and the persons involved of any theft, loss or abuse of personal data for which you are responsible. If you fail to notify a data breach in time, the DPA may impose a fine.
Online procedure via Message Box
If you have to report your use of personal data for a procedure subject to the Services Act (Dienstenwet), you can also do this via Message Box. Message Box is a secure email system that enables you as an entrepreneur to exchange digital messages with Dutch government agencies.