Bosselaar Strengers Legal Partners

What law(s) specifically govern personal data / information?

  • Algemene Verordening Gegevensbescherming (AVG, General Data Protection Regulation or GDPR). The GDPR has applied since 25 May 2018;
  • Uitvoeringswet Algemene Verordening Gegevensbescherming (UAVG, General Data Protection Regulation Implementation Act). Where the GDPR leaves room for national choices in its implementation, these have been specified in the UAVG;
  • Richtlijn gegevensbescherming bij rechtshandhaving (RGR, the Law Enforcement Directive);
  • Wet politiegegevens (the Police Data Act), which regulates the protection of personal data held by the police;
  • Wet justitiële en strafvorderlijke gegevens (the Judicial and Criminal Data Act), which regulates the processing of judicial data (in personal files) and the VOG ('Verklaring Omtrent het Gedrag'), a certificate of conduct issued by the Dutch Minister of Legal Protection declaring that the applicant has not been convicted of any crime relevant to the performance of their duties;
  • Kieswet (Elections Act); and
  • Wet Basisregistratie Personen (BRP, Personal Records Database Act), which regulates the correct use of personal data of residents of the Netherlands, such as the actions of municipalities in recording, changing and providing personal data in the BRP.

These are the six (6) main acts supervised by the Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority.

What are the key data protection principles in this jurisdiction?

Lawful basis for processing

The GDPR provides an exhaustive list of legal bases on which personal data may be processed:

  • consent of the data subject for one or more specific purposes;
  • contractual necessity where the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  • compliance with a legal obligation to which the controller is subject;
  • protection of the vital interests of the data subject or of another natural person;
  • performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller's interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects). There are three conditions: 1) there must be a legitimate interest pursued by the controller or by a third party, 2) the processing of personal data must be necessary for the purposes of that legitimate interest, and 3) the controller must demonstrate that the legitimate interest is not overridden by the interests or fundamental rights and freedoms of the data subject.

The processing of sensitive personal data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and genetic data) requires, in addition to the above, stronger grounds and is only permitted under certain conditions, of which the most relevant are:

  • explicit consent of the affected data subject;
  • the processing is necessary in the context of employment or social security law; or
  • the processing is necessary for the establishment, exercise or defence of legal claims.

Transparency

Personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Purpose limitation

Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

Data minimisation

The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.

Accuracy

Personal data must be accurate and, where necessary, kept up to date.

Storage limitation

Personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data were initially collected.

Integrity and confidentiality

Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability

The controller is responsible for the processing of data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in compliance with the GDPR.

What is the supervisory authority / regulator in charge of data protection?

Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority.

Is there a requirement to register with a supervisory authority / regulator?

No, not in general.

An organisation does have to register a Data Protection Officer (DPO) online with the Dutch Data Protection Authority ('Autoriteit Persoonsgegevens'); no fee is payable. This applies to a new registration, an alteration of a previous registration and a cancellation of a previous registration.

This is a requirement irrespective of whether the appointment of the DPO is mandatory or voluntary.

Is there a requirement to notify the supervisory authority / regulator?

No, not in general (unlike under the former data protection law, the 'Wet bescherming persoonsgegevens').

In the following situations, notification may be required, depending on the circumstances and sometimes within a set timeframe:

  • breach of personal data ('Meldingsplicht datalekken');
  • where a DPIA has revealed that the intended processing poses a high risk and the organisation cannot find measures to limit this risk, the AP has to be consulted prior to processing. This is called a prior consultation;
  • applying for a permit regarding the processing of criminal personal data. According to the GDPR, the processing of criminal personal data is generally prohibited. It is only allowed under government supervision or in cases where the processing is permitted under the UAVG. If this is not the case, a permit must be applied for from the AP; and
  • registration of the DPO, the 'functionaris voor de gegevensbescherming' (FG).

Is it possible to register with / notify the supervisory authority / regulator online?

Yes, but this is only available online for the following:

  • Data breach notification: https://datalekken.autoriteitpersoonsgegevens.nl/#
  • Registration of a DPO: https://autoriteitpersoonsgegevens.nl/nl/aanmeldingsformulier-functionaris-voor-de-gegevensbescherming-fg

What are the key data subject rights under the data protection laws of this jurisdiction?

Right to information

Pursuant to Articles 13 (personal data directly received from subjects) and 14 GDPR (personal data not directly received from subjects), data subjects have among others the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.

Right of access

A data subject has the right to obtain from a controller certain information in respect of the data subject's personal data as listed in Article 15 GDPR.

Additionally, the data subject may request a copy of the personal data being processed.

Right to rectification of errors

Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data and completion of incomplete personal data.

Right to deletion/right to be forgotten

Data subjects have the right to erasure of their personal data (the 'right to be forgotten') if one of the grounds listed in Article 17 GDPR applies.

Right to restriction of processing

Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in Article 18 GDPR.

Right to data portability

Data subjects have the right to receive a copy of their personal data in a commonly used, machine-readable format and, under certain circumstances, the right to transfer their personal data from one controller to another or to have the data transmitted directly between controllers (Article 20 GDPR).

Right to object to processing (Article 21 GDPR)

Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or the legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or requires the data for the establishment, exercise or defence of legal claims.

Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.

Right to withdraw consent

A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.

Right to complain to the relevant data protection authority(ies)

Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.

Right not to be subject to automated individual decision-making

Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling), which produces legal effects or similarly significant effects for the data subject (Article 22 GDPR).

If the data controller refuses to cooperate with a request under Articles 15 to 22 GDPR, the data subject may file a petition ('verzoekschrift') with the court to compel the data controller to cooperate (Article 35 UAVG, the Dutch Implementation Act of the GDPR).

This is a summary only; there are qualifications and limitations to these rights which may be relevant.

Is there a requirement to appoint a data protection officer (or equivalent)?

Under the GDPR (Articles 37 to 39), a Data Protection Officer (DPO) must be appointed by organisations that:

  • are a public authority or body (except for courts acting in their judicial capacity);
  • have core activities that require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • have core activities that consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.

If it is unclear whether an organisation is required to appoint a DPO, the decision must be properly justified, explaining the reasons for either appointing or not appointing a DPO.

The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level. The DPO may be a person who serves as DPO for multiple organisations simultaneously.

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

A DPIA is mandatory if the data processing is likely to pose a high privacy risk for the data subjects. This must be determined by the controller itself before any personal data processing is initiated. In any case a DPIA must also be performed if an organisation:

  • systematically and comprehensively evaluates personal aspects based on automated processing, including profiling, and makes decisions which affect people;
  • processes special personal data or processes criminal data on a large scale; or
  • widely and systematically monitors people in a publicly accessible area (e.g. with camera surveillance).

In the abovementioned situations, processing may not start before a DPIA has been performed and, if necessary, the AP has been consulted.

Does this jurisdiction have any specific data breach notification requirements?

In certain circumstances an organisation (controller) is obliged to report a data breach to the AP and to the data subjects. Whether this applies depends on the (potential) impact of the data breach on the protection of personal data and the privacy of those involved.

It is not necessary to report a data breach if it is unlikely that the data breach will result in a risk to the rights and freedoms of the data subjects. It is advisable to carefully assess whether a notification is required. Certain types of data, such as email addresses, may not initially appear to pose a risk to the rights and freedoms of individuals. However, even an email address can be exploited for phishing purposes.

The so-called 'Guidelines meldplicht datalekken' (Guidelines notification breach of personal data) help to determine whether or not there is an obligation for the controller to notify the AP.

Notification to the AP has to take place without undue delay and in any event within 72 hours of the organisation first becoming aware of the breach.

Data subjects only have to be informed if a data breach is likely to pose a high risk to their rights and freedoms (i.e. whether it can lead to physical, material or immaterial damage to the data subjects, such as discrimination, (identity) fraud, financial damage or reputational damage). If the controller can demonstrate that this is not the case, there is no obligation to report the data breach to the data subjects involved (the organisation may still have to inform the AP that the data breach has not been reported to the data subjects, and why).

The EDPB (European Data Protection Board) has issued guidelines on data breach notification, detailing the requirements for such notifications (Guidelines 9/2022 on personal data breach notification under GDPR and Guidelines 01/2021 on Examples regarding Data Breach Notification).

What restrictions apply to the international transfer of personal data / information?

If a company transfers personal data from the Netherlands to another EU country, that company has to comply with the general requirements of the GDPR. For the protection of personal data, the EU is treated as a single jurisdiction.

Separate rules apply to the transfer of personal data from the Netherlands to countries outside the EU, so-called third countries, and to international organisations. Third countries are all countries outside the EU, with the exception of the countries of the European Economic Area (EEA): Norway, Liechtenstein and Iceland, which have an equivalent level of protection of personal data. An international organisation is an organisation and its subordinate bodies governed by public international law, or any other body established by or pursuant to an agreement between two or more countries.

Restrictions. The transfer of personal data from the Netherlands to third countries and/or international organisations is only allowed in the following situations:

  • The transfer is based on an adequacy decision. The European Commission (EC) can take an adequacy decision, which means that data protection in that country is of a level comparable to the GDPR (see below). Such a decision can be made for an entire country but also for a specific sector within that country (e.g. Canada, where only commercial companies are within the scope of the adequacy decision). Where there is an adequacy decision, no additional safeguard is required for transfers to that country or sector.
  • The transfer is based on appropriate safeguards, which are:
    (a) standard contractual clauses established by the EC (SCCs). The SCCs, which took effect on 27 July 2021, are available for the following transfers:
        Module 1: controller to controller
        Module 2: controller to processor
        Module 3: processor to processor
        Module 4: processor to controller
    (b) approved codes of conduct and certification, accompanied by binding and enforceable commitments from the party in the third country to apply the appropriate safeguards; or
    (c) binding corporate rules (BCR), which are global privacy policies that apply within a group of organisations for the transfer of personal data to countries without an adequate level of protection (third countries) worldwide. All employees and entities within the group (including the Dutch and European offices) must adhere to the privacy policy.
  • If a transfer to a third country is not possible on the basis of one of the aforementioned safeguards, one of the exceptions of Article 49 GDPR may be invoked:
    • express consent of the data subject;
    • the transfer is necessary for the performance of a contract between the data subject and the controller, or between the controller and another natural or legal person in the interest of the data subject;
    • the transfer is necessary for the establishment, exercise or defence of legal claims;
    • the transfer is vital for the data subject or for other persons, if the data subject is physically or legally unable to give consent; or
    • the transfer is made from a register established by law that is intended to inform the public (e.g. data from the cadastre or trade registers).

    To apply Article 49 GDPR, the 'Guidelines 2/2018 on the derogations of Article 49 under Regulation 2016/679' (adopted on 25 May 2018) may be used as a reference.

The European Commission has issued decisions concerning an adequate level of protection on the basis of Article 45 para 3 GDPR for the following countries: Andorra; Argentina; Canada (commercial organisations); Faroe Islands; Guernsey; Isle of Man; Israel; Japan; Jersey; New Zealand; Republic of Korea; Switzerland; the United Kingdom; Uruguay; and the European Patent Organisation. Organisations in the United States of America are covered if they participate in the EU-US Data Privacy Framework. Of these countries, only the United Kingdom has been recognised by the European Commission as providing adequate protection under both the GDPR and the Law Enforcement Directive. This means that data may be shared for law enforcement purposes under Article 45 only with the United Kingdom.

In the absence of an adequacy decision or appropriate safeguards, a transfer may be covered by one of the permitted derogations set out in Article 49 GDPR, such as the explicit consent of the data subject after being informed of the risks, the transfer being necessary for the performance of a contract between the data subject and the controller at the data subject's request or in the interest of the data subject, or the transfer being necessary for the establishment, exercise or defence of legal claims.

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

With regard to its geographic scope, the GDPR combines the principles of establishment, market place and territoriality.

Pursuant to the principle of establishment, the GDPR is applicable for processing activities carried out in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing itself takes place in the EU.

Pursuant to the market place principle, the GDPR applies to the processing of personal data of data subjects located in the EU by a controller or processor not established in the EU, where the processing activities relate to (i) the offering of goods or services to such data subjects in the EU, irrespective of whether a payment by the data subject is required; or (ii) the monitoring of their behaviour, as far as that behaviour takes place within the EU.

Pursuant to the principle of territoriality, the GDPR applies to the processing of personal data by a controller that is not established in the EU but is established in a place where, under public international law, the law of a Member State applies.

What rules specifically deal with marketing?

The Telecommunicatiewet (Telecommunications Act) and the GDPR.

Regarding telemarketing, on 1 March 2020 the 'Wet van 10 februari 2021 tot wijziging van de Telecommunicatiewet in verband met het invoeren van een opt-in-systeem voor het overbrengen van ongevraagde communicatie voor commerciële, ideële of charitatieve doeleinden aan natuurlijke personen' ('Act of 10 February 2021 amending the Telecommunications Act in connection with the introduction of an opt-in system for the transmission of unsolicited communications for commercial, idealistic or charitable purposes to natural persons') was published in the official journal ('Staatsblad'). This act entered into force on 1 July 2021.

This act introduces an opt-in system for telemarketing. The starting point of this new system is that telemarketing to natural persons may not take place unless they have given explicit permission to such marketing or there is a customer relationship between the parties.

The five most important points of the amendment:

  • the former opt-out system has been replaced by an opt-in system (the giving of the opt-in must be demonstrable, and whether consent has been validly given is subject to the requirements of the GDPR);
  • the requirements for establishing a customer relationship are aligned with the rules on email marketing. This means that an opt-out must also be offered for telemarketing at the time of collection;
  • the definition of a customer relationship is expanded for charities. This means that there can also be a customer relationship with sympathisers who have done voluntary work or attended an event;
  • the maximum customer term is three (3) years after the agreement (or donorship) (Telemarketing Code). This remains the case, but the new law offers the option of setting a shorter term later; and
  • the start of the customer term remains regulated in the Telemarketing Code. It starts at the end of a service or donorship, or after the last purchase of a product.

Do different rules apply to business-to-business and business-to-consumer marketing?

Yes, article 11.7 of the Telecommunications Act (“Telecommunicatiewet”) mentions a number of differences. In the context of unsolicited communications for commercial, charitable, or non-profit purposes directed at businesses (both legal entities and natural persons registered as entrepreneurs), prior consent is generally not required, provided the following conditions are met:

  • Publicly disclosed contact details: The business has voluntarily and explicitly made the relevant contact details publicly available with the intention of receiving communications for commercial, charitable, or non-profit purposes.
  • Purpose-bound use: The sender uses the contact details strictly in accordance with the purpose for which they were made public. This means the use must be proportionate and relevant, taking into account the nature of the communication and the context in which the data was disclosed.
  • Entrepreneurs established outside the EEA: If the entrepreneur is established outside the European Economic Area (EEA), prior consent is likewise not required, provided the transmission of unsolicited communication is carried out in compliance with the applicable national laws governing such communications in the relevant country.

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc.)?

The 'Telecommunicatiewet' (Telecommunications Act).

The ePrivacy Directive has been implemented in the 'Telecommunicatiewet' and currently forms, together with the GDPR, the legal framework. It focuses specifically on the processing of personal data in electronic communications, including the use of cookies and telemarketing.

Where the GDPR protects personal data when they are gathered and stored, the ePrivacy Directive protects personal data when they are transmitted. One of its goals is to regulate how metadata are gathered and used, and to limit how people are tracked online (cookies).

The ePrivacy Regulation was intended to replace the ePrivacy Directive. However, in 2025 the European Commission announced that the proposal would be withdrawn. This decision was due to a lack of agreement among the Member States and the fact that the proposal had become outdated. At this point, it remains unclear whether a new proposal will be introduced.

What rules specifically deal with cookies?

The Telecommunicatiewet (Telecommunications Act), see above.
Regarding tracking cookies (in combination with other data collected about the website visit), not only the Telecommunications Act is applicable, but the GDPR as well.

  • Functional cookies are allowed, provided that their use is properly disclosed to users.
  • The use of analytical cookies is limited: cookies used to improve a website are permitted, provided they have little or no impact on the privacy of visitors.
  • All other cookies are only permitted if prior consent has been obtained from website visitors, after they have been provided with clear and comprehensive information in accordance with the GDPR.
  • Cookie walls are not allowed under the GDPR.

What are the consequences of non-compliance with data protection laws (including marketing laws)?

There are two categories of violations and corresponding maximum fines:

  • If a controller fails to fulfil one of its obligations the AP can impose a fine of up to 10 million euros, or a fine of 2% of the worldwide annual turnover, if that amount is higher.
  • If a controller violates the principles or foundations of the GDPR or the privacy rights of the data subjects, then the AP can impose a fine of up to 20 million euros or a fine of 4% of the worldwide annual turnover, if that amount is higher.

Furthermore, the AP can:

  • impose a periodic penalty payment if the violation has not stopped after a certain period of time;
  • determine that (certain categories of) personal data may not be processed;
  • impose a reprimand if that is more appropriate than an administrative fine;
  • issue a formal warning about an intended processing; and
  • name and shame: the names of companies that have been fined may be made public.

Administrative fines for companies are calculated in accordance with the ‘Guidelines 04/2022 on the calculation of administrative fines under the GDPR’. Fines for public authorities and natural persons are calculated based on the ‘2023 Fining Policy Rules of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)’.

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information of individuals within this jurisdiction without being located there?

The GDPR has a very wide (territorial) scope.

The GDPR applies to the processing of personal data regarding data subjects located in the EU by a multinational as a controller or processor located outside the EU, if the processing relates to:

  • the offering of goods or services to these data subjects, regardless of whether a payment by the data subjects is required; or
  • the monitoring of the behaviour of data subjects insofar as this behaviour takes place in the EU.

Please note that if the GDPR is applicable in the abovementioned situation(s), the multinational located outside the EU is obliged to appoint a representative in the EU. This is a contact person for EU citizens and authorities regarding questions or complaints.

What upcoming data protection developments should multinational organisations be aware of?

At the European level, the EU is currently discussing the ePrivacy Regulation, which is intended to replace the current Privacy and Electronic Communications Directive (Directive 2002/58/EC). However, at the beginning of 2025, the draft regulation was withdrawn. It is currently unclear whether a new regulation will be proposed.

In 2025 and 2026, several developments have taken place, and more are expected to follow:

  • As of February 2, 2025, the first two chapters of the European AI Regulation (Regulation (EU) 2024/1689) have entered into force. These chapters also include privacy-related provisions. The AI Regulation applies to both AI providers and users. For example, certain forms of automated facial recognition are prohibited unless a legitimate legal basis exists;
  • Since August 2, 2025, new rules have come into effect for AI systems with potential risks (general-purpose AI), including obligations for risk assessment, documentation, and record-keeping. The provisions regarding penalties also became applicable on that date;
  • From September 12, 2025, part of the European Data Act (Regulation (EU) 2023/2854) applies. Among other things, it stipulates that companies offering connected products (internet-connected devices) and related services must design them in such a way that users can easily access their data. Users must also be able to share their usage data easily with other parties. Furthermore, data holders may only use non-personal data if the agreement with the user permits it. Sharing such data with third parties is only allowed under strict conditions;
  • As of August 2, 2026, additional transparency and registration requirements for high-risk AI systems will apply within the European AI database;
  • From September 12, 2026, further rules from the European Data Act will come into effect, including the requirement that connected products sold and related services provided must comply with the design obligation;
  • The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) is increasingly focusing on large tech companies, primarily because of their use of big data and AI.

Need more information?
Contact a member firm:
Bart Duijs
Bosselaar & Strengers Legal Partners
The Netherlands


Hayri Yildiz
Bosselaar & Strengers Legal Partners
The Netherlands