If you use or store personal data (from employees, customers or others), you must comply with the General Data Protection Regulation (GDPR or Algemene Verordening Gegevensbescherming, AVG). This European law has replaced the Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp). It tightens the rules around the automated processing of personal data. You must protect the privacy of the people whose data you store.
Types of personal data
Personal data that identify people can only be used in certain situations. These data include:
- phone number
- citizen service number (burgerservicenummer, BSN)
You may only use these data when the person concerned has given their consent, or when the processing is necessary to perform a contract or deliver a service. For example, you need a customer’s address to deliver goods.
Stricter restrictions apply to special categories of personal data. These are sensitive data, such as data about a person's health, religion, ethnic origin, political opinions or sexual orientation, or biometric data used to identify them. You are not allowed to use these data unless you have a specific legal ground for doing so. For any data in a special category, you must put additional safeguards in place to protect it.
Keeping personal data safe
You have a duty to protect any personal data you collect and store. This means:
- You may not collect or keep more personal data than strictly necessary
- Only a (very) limited number of people in your company should have access to this data
- You should not keep personal data for longer than necessary
- You may have to carry out a Data Protection Impact Assessment
Take a look at 10 steps you can take to make your business GDPR compliant.
Duty to disclose information
The GDPR stipulates that you must justify the registration and use of data in your possession. You should also let people know:
- Which personal data you intend to use
- Why you use this data
- If you pass on or sell their personal information to third parties
You must also provide them with your own details (company name and address). It is mandatory to include a privacy statement on your website. This can be done using the privacy declaration generator (verklaringgenerator, in Dutch).
The Netherlands Enterprise Agency develops business scans that tell you which rules apply to your business by asking you a number of questions. You can perform the GDPR scan (Regelhulp AVG, in Dutch) to help you meet the GDPR rules, or follow the steps in our GDPR guide.
Report processing of personal data
If you are starting a company in the Netherlands and you intend to process personal data, you must report to the Dutch Data Protection Authority (Dutch DPA, Autoriteit Persoonsgegevens). You may be exempt from this duty to report. Please contact the Dutch DPA for more information.
If you process or pass on personal data without consent, another legal basis or an exemption, you may be reprimanded or fined by the DPA (in Dutch).
Reporting theft, loss or abuse of personal data
You must notify the DPA (in Dutch) of any theft, loss or abuse of personal data for which you are responsible, and you must also inform the persons involved if the breach is likely to pose a high risk to them. Under the GDPR, you must notify the DPA within 72 hours of becoming aware of a data breach, and you must keep a record of all data breaches, including those you did not have to report. If you fail to notify a data breach in time, the DPA may impose a fine.
Online procedure via Message Box
If you have to report your use of personal data for a procedure subject to the Services Act (Dienstenwet), you can also do this via Message Box. Message Box is a secure email system that enables you as an entrepreneur to exchange digital messages with Dutch government agencies.