Protection of personal data

If you use or store personal data (from employees, customers or others), you should comply with the General Data Protection Regulation (GDPR or Algemene Verordening Gegevensbescherming (AVG) in Dutch). This European law has replaced the Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp). It tightens rules and regulations around the automatic processing of personal data. You must protect the privacy of the people whose data you store.

Types of personal data

Personal data that identify people can only be used in certain situations. These data include:

name
address
phone number
citizen service number (burgerservicenummer, BSN)

You can only use these data when the other person has given their consent. You can also use the information if it is necessary to carry out a service. For example, you need a customer’s address to deliver goods.

There are more restrictions regarding special categories of personal data. This means data that is sensitive. You are not allowed to use these data, unless you have legal grounds for it. For any data from the special category, additional safeguards must be put in place to protect it.

Keeping personal data safe

You have a duty to protect any personal data you collect and store. This means:

You may not collect or keep more personal data than strictly necessary
Only a (very) limited number of people in your company should have access to this data
You should not keep personal data for longer than necessary
You may have to carry out a Data Protection Impact Assessment.

Take a look at 10 steps you can take to make your business GDPR compliant.

Duty to disclose information

The GDPR stipulates that you must justify the registration and use of data in your possession. You should also let people know:

Which personal data you intend to use
Why you use this data
If you pass on or sell their personal information to third parties

You must also provide them with your own details (company name and address). It is mandatory to include a privacy statement on your website. This can be done using the privacy declaration generator (verklaringgenerator, in Dutch).

The Netherlands Enterprise Agency develops business scans to inform you which rules apply to your business by asking a number of questions. You can perform the GDPR scan (Regelhulp AVG, in Dutch) to you help you meet the GDPR rules or follow the steps in our GDPR guide.

Report processing of personal data

If you are starting a company in the Netherlands and you intend to process personal data, you must report to the Dutch Data Protection Authority (Dutch DPA, Autoriteit Persoonsgegevens). You may be exempt from this duty to report. Please contact the Dutch DPA for more information.

Reporting theft, loss or abuse of personal data

You must notify the DPA (in Dutch) and the persons involved of any theft, loss or abuse of personal data for which you are responsible. The GDPR demands that businesses must register and file all data leaks. If you fail to notify any data breach in time, DPA may impose a fine.

Online procedure via Message Box

If you have to report your use of personal data for a procedure subject to the Services Act (Dienstenwet), you can also do this via Message Box. Message Box is a secure email system that enables you as an entrepreneur to exchange digital messages with Dutch government agencies.