On this page
If you do business in the Netherlands, you must comply with the Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp). This act states that you must handle the personal data of your customers and employees carefully. This involves, for example, securing the data against loss or theft. You also have to inform your customers and employees about what happens to their data. In some cases, you must report your data processing to the Dutch Data Protection Authority, DPA (Autoriteit Persoonsgegevens). Please note that the Data Protection Act will be replaced by the General Data Protection Regulation (GDPR) as of 25 May 2018.
Protection of personal data
You must take suitable measures to protect data pertaining to your customers and employees. You may, for example, not collect and further utilise more personal data than that which is truly necessary. You must also limit access to personal data.
Duty to disclose information
You must tell your customers or employees which of their personal data you will use and what for. You must also provide them with your own details (company name and address) and inform them if you share their personal data with other organisations. It is mandatory to include a privacy statement on your website.
Report processing of personal data
If you are starting a company in the Netherlands and you will be processing personal data, you must report to DPA. However, you may be exempt from having to report. Please contact the Dutch DPA for more information.
Reporting theft, loss or abuse of personal data
Online procedure via Message Box
If you have to report your use of personal data for a procedure subject to the Services Act (Dienstenwet), you can also do this via Message Box. Message Box is a secure email system that enables you as an entrepreneur to exchange digital messages with Dutch government agencies.