Publication
Publication
Contacts
Linklaters LLP
Mariken van Esch
Tom Reker
Lilianne Bunk
+(31) 20 799 6200
www.linklaters.com
Supervisory Authority
National Legislation
(Please note these links are provided for information only. Any translations may not be accurate and the text may not include amendments to that legislation).
Last updated June 2026
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
General data protection laws
The General Data Protection Regulation (EU) (2016/679) (“GDPR”).
The EU is currently considering the Digital Omnibus (2025/0360 (COD)). This proposes a number of amendments to the GDPR including: (a) protection from abusive subject access requests; (b) extending the deadline to notify breaches to a supervisory authority to 96 hours and only applying that notification to high risk breaches; (c) codifying the “relative” approach to the concept of personal data; (d) ensuring a consistent approach to DPIAs; and (e) providing an express legal basis for the training of AI systems. However, some changes are controversial, and it is not clear if they will all be adopted.
The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) has applied in the Netherlands since 25 May 2018. The former Personal Data Protection Act (Wet bescherming persoonsgegevens) has ceased to apply. The UAVG is to a large extent identical to the old Dutch Personal Data Protection Act.
Entry into force
The GDPR has applied since 25 May 2018.
A legislative proposal has been pending for some time to revise the UAVG and various other laws, touching upon 16 key points. Since the UAVG's inception, several ambiguities have emerged, outdated references have been identified, and even a court ruling has contested the breadth of one provision. Notable proposed amendments include bolstering the rights of minors between the ages of 12 and 16. While Dutch law currently requires parental consent for data processing for those under 16, the proposed changes aim to empower children aged 12 and above to make data privacy requests independently. The definition of criminal personal data is also under review to narrow its scope following a contrasting court decision. For accountants, the bill offers a new exception enabling them to handle special personal data during statutory audits. Other revisions address the handling of special personal data by curators and guidelines for the use of biometric data and file transfers when care providers retire or pass away. Input for these reforms was collected from employers’ organizations, the VNG, and the Dutch Data Protection Authority, indicating a collaborative approach to the legislative updates. The proposal is scheduled to be discussed in the Dutch Senate (Eerste Kamer) in June 2026.
Details of the competent national supervisory authority
Dutch Data Protection Authority (Autoriteit Persoonsgegevens) ("DPA").
Mailing address:
Autoriteit Persoonsgegevens
PO Box 93374
2509 AJ Den Haag
The Netherlands
Visiting address:
Hoge Nieuwstraat 8
2514 EL DEN HAAG
The Netherlands
https://autoriteitpersoonsgegevens.nl/en
The DPA represents the Netherlands on the European Data Protection Board.
Notification or registration scheme and timing
There is no obligation to notify regulators of any processing under the GDPR. However, controllers and processors must keep a record of their processing and make it available to their supervisory authority on request (subject to limited exemptions).
Exemptions to notification
Not applicable.
What is the territorial scope of application?
The GDPR applies to the processing of personal data in the context of the establishment of a controller or processor in the EU.
It also contains express extra-territorial provisions and applies to controllers or processors based outside the EU that: (i) offer goods or services to individuals in the EU; or (ii) monitor individuals within the EU. Controllers and processors caught by these provisions will need to appoint a representative in the EU, subject to certain limited exemptions.
The European Data Protection Board has issued Guidelines on the territorial scope of the GDPR (3/2018).
As regards its territorial scope, the UAVG primarily applies to the processing of personal data in the context of the activities of the establishment of a controller or a processor in the Netherlands.
It will also apply to the processing by a controller or processor not established in the Netherlands of the personal data of data subjects who are in the Netherlands, where the processing activities are related to: (i) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Netherlands; or (ii) the monitoring of their behaviour to the extent that their behaviour takes place within the Netherlands.
Is there a concept of a controller and processor?
Yes. The GDPR contains the concept of a controller, who determines the purpose and means of processing, and a processor, who processes personal data on behalf of the controller.
The European Data Protection Board has issued Guidelines on the concepts of controller and processor in the GDPR (7/2020).
Both controllers and processors are subject to the rules in the GDPR, but the obligations on processors are more limited.
Are both manual and electronic records subject to data protection legislation?
Yes. The GDPR applies to both electronic records and structured hard copy records.
Are there any national derogations?
The GDPR does not apply to law enforcement activities, national security, or purely personal or household activity.
The UAVG provides for additional national derogations, including extensions to automated decision-making rules and exclusions for criminal investigations and journalistic, academic, artistic or literary purposes.
In addition, consent cannot be withdrawn for journalistic processing once granted (e.g. publication of interviews).
What is personal data?
Personal data is information relating to an identified or identifiable natural person.
This is a broad term and includes a wide range of information. The GDPR expressly states it includes online identifiers such as cookies. This concept has been considered by the CJEU on multiple occasions. This includes deciding that information will not be personal data where the risk of identification appears in reality to be insignificant (OC v Commission, C 479/22 P) and that a “relative” approach should be taken to identification by considering the means reasonably available to the person holding the information (EDPS v SRB, C-413/23 P).
Is information about legal entities personal data?
No. However, information about sole traders and partnerships is likely to be personal data.
What are the rules for processing personal data?
All processing of personal data must comply with all six general data quality principles. Personal data must be: (i) processed fairly, lawfully and transparently; (ii) collected for specific, explicit and legitimate purposes and not processed in a manner incompatible with those purposes; (iii) adequate, relevant and not excessive; (iv) accurate and, where necessary, up to date; (v) kept in an identifiable form for no longer than necessary; and (vi) kept secure.
The processing of personal data must also satisfy at least one condition for processing personal data. These conditions are that the processing is: (a) carried out with the data subject’s consent; (b) necessary for the performance of a contract with the data subject; (c) necessary for compliance with a legal obligation; (d) necessary in order to protect the vital interests of the data subject; (e) necessary for the public interest or in the exercise of official authority; or (f) necessary for the controller’s or a third party's legitimate interests, except where overridden by the interests or fundamental rights and freedoms of the data subject.
The European Data Protection Board has issued Guidelines on the performance of a contract processing condition for online services (2/2019) and Guidelines on processing of personal data based on Article 6(1)(f) (1/2024).
Are there any formalities to obtain consent to process personal data?
The requirements for consent under the GDPR are strict.
To be valid, consent must be in clear and plain language and, where sought in writing, separate from other matters. Consent must be based on affirmative action so pre-ticked boxes are not acceptable. Consent might not be valid if: (i) there is any detriment to the data subject for refusing; (ii) there is an imbalance of power; (iii) consent for multiple purposes is bundled together; or (iv) the consent is a condition of entering into a contract. Finally, consent can be withdrawn at any time.
In practice, other processing conditions should be relied on where possible. Consent will only be an appropriate processing condition if the individual has a genuine choice over the matter, for example, whether to be sent marketing materials.
The European Data Protection Board has issued Guidelines on consent (5/2020).
Under the UAVG, it is not possible to withdraw consent to the processing of personal data for journalistic purposes, for example to withdraw consent to the publication or broadcasting of an interview once given.
Are there any special rules when processing personal data about children?
Consent from a child in relation to online services will only be valid if authorised by a parent. A child is someone under 16 years old, though Member States may reduce this age to 13.
The UAVG does not provide for a different age limit. Thus the age limit remains 16 years old.
Are there any special rules when processing personal data about employees?
The GDPR allows Member States to implement more specific national rules governing the processing of personal data about employees. It may also be possible to process special category personal data where it is necessary for a legal obligation in the field of employment law.
Under the UAVG, health information may be processed by employers insofar as this is necessary for the reintegration and coaching of employees in relation to illness or disability.
Criminal data in relation to employees may only be processed under strict circumstances, including where requested by the applicant or necessary to protect employer interests, and subject to Works Council rules.
Additional legislative measures are being considered for testing employees for alcohol, drugs and medication in hazardous environments.
What is sensitive personal data?
Special category data is personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning a natural person’s sex life or sexual orientation. Decisions such as OT (C-184/20) and Lindenapotheke (C-21/23) indicate this should be interpreted broadly to include indirectly revealing information.
Information about criminal offences is treated separately and subject to stricter controls.
Are there additional rules for processing sensitive personal data?
Special category data may only be processed where a specific condition applies, including explicit consent, employment law obligations, vital interests, non-profit processing, publicly disclosed data, legal claims, substantial public interest, healthcare, public health or research purposes.
The UAVG provides for additional national derogations allowing processing in limited circumstances such as research, minority protections, political or religious functions, mental care, and specific genetic data contexts.
Processing of biometric data is allowed only where strictly necessary for authentication or security purposes, and only in limited cases.
Are there additional rules for processing information about criminal offences?
Processing is permitted only under official authority or where authorised by law with appropriate safeguards.
The UAVG permits processing in specific cases including law enforcement, public authority functions, and licensed security investigations.
Are there any formalities to obtain consent to process sensitive personal data?
Consent must be explicit and clearly demonstrable. It typically requires a high level of formality, such as a clear affirmative statement of consent, and cannot be inferred from conduct.
When must a data protection officer be appointed?
Both controllers and processors must appoint a data protection officer if: (i) they are a public authority; (ii) their core activities consist of regular and systematic monitoring of data subjects on a large scale; or (iii) their core activities consist of processing special category personal data on a large scale (including processing information about criminal offences).
The UAVG does not provide for additional conditions regarding the appointment of a data protection officer.
What are the duties of the data protection officer?
The data protection officer must be involved in all data protection issues and cannot be dismissed or penalised for performing their role. The data protection officer must report directly to the highest level of management. Details of the data protection officer must be communicated to the relevant supervisory authority.
The Article 29 Working Party has issued Guidelines on Data Protection Officers (WP243).
Is there a general accountability obligation?
The GDPR adds a general accountability obligation under which organisations must not only comply with the rules, but also be able to demonstrate compliance. This includes implementing appropriate policies, audit processes and training.
Are privacy impact assessments mandatory?
A data protection impact assessment must be conducted where “high risk” processing is carried out. This includes: (i) systematic and extensive profiling that produces legal effects or significantly affects individuals; (ii) large-scale processing of special categories of personal data or data relating to criminal convictions and offences; and (iii) systematic monitoring of publicly accessible areas (e.g. CCTV). Where the assessment indicates the risk cannot be mitigated, the controller must consult the relevant supervisory authority.
The Article 29 Working Party has issued Guidelines on Data Protection Impact Assessments (WP248).
The DPA has published a non-exhaustive list of “high risk” processing requiring a data protection impact assessment, including processing involving genetic data and CCTV.
Privacy notices
A controller must provide data subjects with a privacy notice explaining how personal data is processed. The notice must contain enhanced transparency information.
The Article 29 Working Party has issued Guidelines on Transparency (WP260).
In the Netherlands, privacy notices do not have to be in Dutch and may be provided in English.
Rights to access information
Data subjects have a right to access their personal data and information about how it is processed. The response must be provided within one month, extendable by two months for complex requests. The initial request is free, although fees may be charged for excessive requests.
The European Data Protection Board has issued Guidelines on rights of access (1/2022).
Recent CJEU case law confirms that data subjects are entitled to a faithful and intelligible copy of their data, and that requests are only excessive in limited circumstances.
Rights to data portability
Data subjects have a right to data portability where processing is based on consent or contract. This allows them to receive their data in a machine-readable format or have it transferred directly to another controller.
The Article 29 Working Party has issued Guidelines on data portability (WP242).
Right to be forgotten
Data subjects can request erasure of their data in certain circumstances, although the right is limited and subject to legal exemptions.
The European Data Protection Board has issued Guidelines on the Right to be Forgotten (5/2019).
Objection to direct marketing
Data subjects may object at any time to processing of their personal data for direct marketing purposes.
Other rights
The GDPR includes additional rights such as rectification, objection to processing based on public task or legitimate interests, restrictions on automated decision-making, and rights to restrict processing.
The Article 29 Working Party has issued Guidelines on Automated Decision Making and Profiling (WP251).
Security requirements in order to protect personal data
The GDPR requires controllers and processors to implement appropriate technical and organisational measures to protect personal data.
These measures include: (i) pseudonymisation and encryption; (ii) ensuring confidentiality, integrity and availability; (iii) restoring access after incidents; and (iv) regularly testing and evaluating security measures.
Specific rules governing processing by third party agents (processors)
Controllers must ensure that processors provide adequate security and comply with GDPR obligations.
Controllers must enter into written agreements with processors including the enhanced processor clauses.
Notice of breach laws
Personal data breaches must be notified to the supervisory authority unless unlikely to result in risk. Notification should normally occur within 72 hours.
If a breach presents high risk, affected data subjects must also be informed.
Additional breach notification requirements apply in certain sectors, including financial services and under regimes such as NIS II and DORA.
The European Data Protection Board has issued Guidelines on Personal Data Breach Notification (9/2022) and Examples regarding Personal Data Breach Notification (1/2021).
Controllers in regulated sectors may also need to notify bodies such as the Dutch National Bank or the Authority for the Financial Markets.
Restrictions on transfers to third countries
The GDPR contains a restriction on transborder dataflows. This restriction does not apply if the transfer is to a whitelisted country (which includes US organisations participating in the EU-U.S. Data Privacy Framework).
Transfers can be made: (i) pursuant to a set of Standard Contractual Clauses; (ii) pursuant to binding corporate rules; (iii) to an importer who has signed up to an approved code or obtained an approved certification; or (iv) where otherwise approved by the relevant supervisory authority. However, following the decision in Schrems II (C-311/18) any transfer made on this basis must be subject to a transfer impact assessment of the laws of the relevant third country and supplemented by supplementary protections where necessary.
The European Data Protection Board has issued Recommendation on European Essential Guarantees for surveillance measures (2/2020) and Recommendation on measures that supplement transfer tools (1/2020) to assist with these assessments. The European Commission has also issued an FAQ on the new Standard Contractual Clauses.
Transfers are also possible if an individual derogation applies. These include transfers based on explicit consent, contractual necessity, public interest, legal claims, vital interests, public registers or the minor transfers exemption.
The European Data Protection Board has issued Guidelines on derogations applicable to international transfers (2/2018) and Guidelines on the interplay between Article 3 and international transfers (2/2018).
Notification and approval of national regulator (including notification of use of Standard Contractual Clauses)
In general, there is no need for prior approval from a supervisory authority. However, this depends on the legal basis relied upon for the transfer.
For example, there is no obligation to obtain approval for Standard Contractual Clauses, while approval is required for binding corporate rules, and supervisory authorities must be informed when relying on the minor transfers exemption.
Use of binding corporate rules
The GDPR places binding corporate rules on a statutory footing. Authorisation from one supervisory authority (subject to the consistency mechanism) covers transfers from across the EU.
In the Netherlands, the DPA has been active in approving binding corporate rules for multinationals.
Fines
The GDPR introduces significant administrative fines of up to 4% of annual worldwide turnover or €20m, whichever is higher. These apply to serious infringements, including breaches of core principles or unlawful processing.
Lesser infringements are subject to fines of up to 2% of annual worldwide turnover or €10m.
CJEU case law confirms that fines require a negligent or intentional infringement (Deutsche Wohnen, C-807/21).
The EDPB has issued Guidelines on the calculation of administrative fines (04/2022).
Imprisonment
The UAVG does not introduce criminal sanctions or imprisonment for GDPR breaches.
Compensation
Data subjects can claim compensation for material and non-material damage. There must be a causal link, but no minimum seriousness threshold applies (Österreichische Post, C-300/21). Even distress or negative feelings may qualify (Quirin Privatbank, C-655/23).
Other powers
Regulators have investigative and corrective powers including audits, warnings, reprimands and processing bans.
Regulation (EU) 2025/2518 introduces additional procedural rules for cross-border enforcement and will apply from April 2027.
In the Netherlands, the DPA has inspection powers including entry into premises and access to relevant data.
Practice
Other enforcement activity shows increasing levels of investigation, compliance work and breach reporting, including over 44,000 breach notifications in 2025 and expanded supervisory focus on data protection officers and enforcement coordination.
ePrivacy laws
The Telecommunications Act implements the Privacy and Electronic Communications Directive and the European Electronic Communications Code. These rules are enforced by the ACM.
Cookie rules are set out in the Cookie Law, which was introduced in 2015 and amended in 2018 to align with the GDPR.
Conditions for use of cookies
Consent is required for cookies, with exceptions for functional cookies and low-impact analytical cookies.
Regulatory guidance on the use of cookies
The DPA issued guidance in 2019 prohibiting cookie walls and setting stricter consent standards.
Conditions for direct marketing by e-mail to individual subscribers
Unsolicited electronic marketing is prohibited without prior consent. Messages must include sender identity, opt-out options and required compliance information.
Conditions for direct marketing by e-mail to corporate subscribers
The same general rules apply to corporate subscribers.
Exemptions and other issues
Exceptions apply where contact details were published for such purposes or where similar products and services are marketed.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
Telemarketing is subject to a strict opt-in regime. Organisations must obtain prior consent before contacting individuals with marketing calls.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
Different rules apply, with fewer restrictions compared to individuals.
Exemptions and other issues
Since 1 July 2021, the opt-in regime applies to telemarketing and the previous “do-not-call” register has been abolished. A legislative amendment effective 1 July 2026 removes the soft opt-in for telephone marketing, requiring consent in all cases, even for existing customer relationships.
Contents