Feb 2025

Netherlands

Law Over Borders Comparative Guide: Data Protection

Introduction

In the Netherlands, data protection is governed by the General Data Protection Regulation (GDPR), which applies across the European Union (EU), and the Dutch GDPR Implementation Act (Uitvoeringswet AVG (UAVG)). The GDPR establishes a framework for the processing of personal data, ensuring individuals’ rights to privacy and data security. Under Dutch law, the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority (AP)) oversees compliance, with enforcement powers that include issuing fines and other sanctions. Organisations must ensure transparent data processing, lawful bases for data use, and robust security measures, while individuals have rights such as access, rectification, and erasure of their personal data.


1. What national laws regulate the collection, use and disclosure of personal data?

In the Netherlands, the collection, use, and disclosure of personal data are primarily regulated by the GDPR, which is directly applicable across the EU, including the Netherlands. In addition, the UAVG implements and supplements the GDPR, providing national rules and exceptions. 

Dutch sector-specific laws include the Dutch Telecommunications Act (Telecommunicatiewet (DTA)) which implements the ePrivacy Directive (Directive 2002/58 (ePD)) and regulates electronic communications data. The Police Data Act (Wet politiegegevens (Wpg)) governs the processing of personal data by law enforcement authorities, in accordance with the Law Enforcement Directive (Directive 2016/680 (LED)). 

Other sector-specific laws include: 

  • Open Government Act (Wet open overheid (Woo)), ensuring transparency and access to public data, balancing this with privacy concerns;
  • Intelligence and Security Services Act 2017 (Wet op de inlichtingen- en veiligheidsdiensten 2017 (Wiv 2017)), which grants investigatory powers to intelligence agencies with safeguards for personal data protection; and
  • Dutch Medical Treatment Contracts Act (Wet op de geneeskundige behandelingsovereenkomst (WGBO)) which covers the processing of personal data in healthcare settings, particularly in doctor–patient relationships.

The following questions are addressed solely within the general GDPR/UAVG framework, except for Question 10, which falls under the ePD/DTA framework.


2. To whom do the laws apply?

The GDPR and UAVG apply to both controllers (who determine the purpose and means of processing personal data, Article 4(7), GDPR) and processors (who process personal data on behalf of controllers, Article 4(8), GDPR). These may include public and private entities, as well as natural and legal persons. Exceptions include personal or household activities that are purely private in nature (Article 2(2), GDPR). 

The concept “data subject” is addressed in Question 5, below.


3. What is the territorial scope of the law?

The GDPR applies to the processing of personal data in the context of the activities of a controller or processor established in the EU, regardless of where the processing takes place. The GDPR also applies to non-EU controllers or processors processing personal data of individuals in the EU, where the processing relates to: a) offering goods or services to individuals in the EU, regardless of whether payment is required; or b) monitoring their behaviour, as far as that behaviour takes place in the EU.

The Dutch UAVG similarly applies to the processing of personal data by a controller or processor established in the Netherlands. It also applies to non-EU controllers or processors when processing data of individuals in the Netherlands, if it involves: a) offering goods or services to those individuals; or b) monitoring their behaviour in the Netherlands.


4. What acts and operations relating to personal data are regulated?

The GDPR and UAVG regulate all acts and operations related to personal data processing. This includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data (Article 4(2), GDPR).

Please note that the GDPR applies to non-automated processing only if the data forms part of, or is intended to form part of, a filing system (Article 2(1), GDPR).


5. What personal data does the law regulate?

The GDPR and UAVG regulate the processing of personal data, which is broadly defined as any information relating to an identified or identifiable natural person (“data subject”). An identifiable person is one who can be identified directly or indirectly through details such as a name, ID number, location data, online identifier, or factors related to their physical, genetic, mental, economic, cultural, or social identity (Article 4(1), GDPR).

The Court of Justice of the European Union (CJEU) has ruled that the term “any information” in the definition is intended to have a broad meaning. It is not limited to sensitive or private information but may encompass all types of information, including objective and subjective details such as opinions or assessments, provided the information “relates” to the data subject. This condition is met if the information, by its content, purpose, or effect, is linked to a specific person (CJEU 20 December 2017, C-434/16, ECLI:EU:C:2017:994, see www.eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62016CJ0434).

To determine whether a person is “identifiable”, all means reasonably likely to be used by the controller or by others to identify them must be considered. Information held by a controller is personal data if the controller has means reasonably likely to be used to identify the data subject. That is not the case if identification is prohibited by law or practically impossible because of the disproportionate time, cost, and effort involved, so that the risk of identification is insignificant in practice. It is not necessary for all identifying information to be held by a single entity (CJEU 19 October 2016, C-582/14, ECLI:EU:C:2016:779, see www.eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62014CJ0582).

The Article 29 Data Protection Working Party (WP29) also clarified the concept in its guidelines: Opinion 4/2007 on the notion of personal data (see www.ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf). The WP29 is the predecessor of the European Data Protection Board (EDPB), the association of European data protection authorities.

Note that pseudonymised data is still considered personal data under the GDPR. Anonymised data is not considered personal data and therefore not subject to the GDPR, but the process of anonymisation is still regulated by the GDPR.


6. Are any types of personal data subject to a higher level of protection under the law?

The GDPR identifies special categories of personal data subject to stricter rules, including personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for unique identification, health data, or data related to a person’s sex life or sexual orientation. Processing of this data is generally prohibited, except under specific circumstances, such as explicit consent (Article 9, GDPR). In Articles 23 and following, the UAVG elaborates on the scope provided by Article 9(2)(g), GDPR for exceptions to the processing prohibition of special categories of personal data when such processing is necessary for reasons of substantial public interest. 

The CJEU ruled that personal data from which special categories of personal data can be indirectly inferred (such as a spouse’s name, revealing sexual orientation) constitute special category data under the GDPR (CJEU 1 August 2022, C-184/20, ECLI:EU:C:2022:601, see https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62020CJ0184).

In addition, stricter rules apply to the processing of personal data related to criminal convictions, offences or related security measures (Article 10, GDPR). Such processing may only occur under the control of an official authority or when authorised by Union or Member State law, which must include appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions must be maintained solely under the control of an official authority. The UAVG further defines this framework in Articles 31–33.


7. What requirements must be fulfilled in order to process personal data?

In general, the GDPR and UAVG require compliance with key principles when processing personal data, including lawfulness, fairness, transparency, purpose limitation, and data minimisation (Article 5, GDPR). Personal data must be processed securely, be relevant, and limited to what is necessary for the specified purposes.

Under the principle of lawfulness, personal data may only be processed if one of the following legal bases is satisfied (Article 6, GDPR; see also CJEU 4 July 2023, C-252/21, ECLI:EU:C:2023:537, at www.eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62021CJ0252):

  • Consent of the data subject. Article 7 of the GDPR sets out the requirements for valid consent. The EDPB has also issued guidance on this point in Guidelines 05/2020 (see www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf). In summary, consent must be freely given, specific, informed, and unambiguous, provided through affirmative action. It must be separable from other terms, easily withdrawable, and cannot be made a condition of service if unnecessary for that service.
  • Contractual necessity. Processing is allowed if strictly necessary to enter into or perform obligations under a contract with the data subject. The EDPB has issued guidance on processing personal data under this legal basis in the context of providing online services to data subjects (see Guidelines 2/2019 at www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en).
  • Legal obligation. Processing is lawful when required to comply with a legal obligation under EU or national law (e.g., tax or employment regulations).
  • Vital interests. Personal data may be processed to protect the vital interests of the data subject or another individual.
  • Public interest or official authority. Processing is permissible if necessary for performing a task in the public interest or when acting under the authority of the government.
  • Legitimate interests. Processing is allowed if necessary for the legitimate interests of the controller or a third party, provided these interests are not overridden by the data subject’s rights and freedoms (see draft EDPB Guidelines 1/2024 at www.edpb.europa.eu/our-work-tools/documents/public-consultations/2024/guidelines-12024-processing-personal-data-based_en on this matter).

Article 5(1)(b) in conjunction with Article 89 of the GDPR provides that further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is lawful and compatible with the original purposes, and therefore requires no new legal basis.


8. What obligations apply when processing personal data?

Under the GDPR and the UAVG, the following obligations apply when processing personal data:

  • Principles relating to processing of personal data. Controllers and processors must process personal data in accordance with the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and accountability (Article 5, GDPR). 
  • Notice requirements. The GDPR requires data controllers to provide clear, transparent information to data subjects regarding the processing of their personal data, e.g., identity and contact details of the controller and data protection officer (if applicable), the purposes and legal basis for processing, data subject rights, etc. (Articles 12–14, GDPR). Information must be provided at the time of data collection or shortly after if the data is obtained from a third party. Notification may not be required if it is impossible, would involve disproportionate effort, or if the data subject already has the information.
  • Data security. Controllers and processors must implement appropriate technical and organisational measures to ensure data security and compliance with Article 5, GDPR (Articles 25 and 32, GDPR). 
  • Record of processing activities. Controllers and their representatives, where applicable, must maintain a record of the processing activities for which they are responsible (Article 30, GDPR).
  • Data transfers. When transferring personal data outside the EU/European Economic Area (EEA), adequate safeguards must be in place to ensure a level of data protection essentially equivalent to that in the EU (Articles 44–49, GDPR).
  • Obligations for processors. When processing data on behalf of another, the processor must act only on documented instructions from the controller (Article 28, GDPR). A data processing agreement is required between the controller and processor (Article 28(3), GDPR).
  • Data breach notification. In case of a data breach, controllers must notify the data protection authority within 72 hours, and inform the data subject if the breach poses a high risk to their rights and freedoms (Articles 33–34, GDPR).
  • Data protection impact assessment (DPIA). Article 35 of the GDPR requires a DPIA where processing is likely to pose a high risk to individuals’ rights and freedoms. DPIAs are mandatory for activities such as systematic monitoring, large-scale processing of sensitive data, or profiling. If high risks cannot be mitigated, the controller must consult the data protection authority before proceeding.
  • Designation of a data protection officer (DPO). Article 37 of the GDPR requires controllers and processors to appoint a DPO if they are a public authority (excluding courts acting judicially), or if their core activities involve large-scale processing requiring regular and systematic monitoring of data subjects, or processing of special categories of data or criminal offence data.

9. What rights does the data subject have in relation to personal data?

In the Netherlands, data subjects have the following rights in relation to their personal data:

  • Right to information. To be informed about how, why, and by whom their personal data is being processed, including details on recipients and retention periods (Articles 12–14, GDPR).
  • Right of access. To obtain confirmation whether their data is being processed and access to that data (Article 15, GDPR).
  • Right to rectification. To have inaccurate or incomplete data corrected (Article 16, GDPR).
  • Right to erasure (“right to be forgotten”). To request the deletion of their data under certain conditions (Article 17, GDPR).
  • Right to restriction of processing. To limit the processing of their data in specific situations (Article 18, GDPR).
  • Right to data portability. To receive their data in a structured, commonly used format and transfer it to another controller (Article 20, GDPR).
  • Right to object. To object to processing based on public interest or legitimate interest, including profiling based on these legal bases, and direct marketing (Article 21, GDPR).
  • Right not to be subject to automated decision-making. To not be subject to decisions based solely on automated processing, including profiling, that have legal or similarly impactful effects (Article 22, GDPR).

Article 23 of the GDPR allows restrictions to data subject rights in specific circumstances. This means that, under national law, certain GDPR rights can be limited for reasons of public interest, national security, or other legitimate purposes. In the Netherlands, Article 23 is implemented through Article 41 of the UAVG.


10. What rules regulate the sending of commercial or direct marketing communications?

In the Netherlands, the DTA, implementing the ePD, regulates the sending of commercial or direct marketing communications alongside the GDPR/UAVG framework. Under Article 11.7(1) of the DTA, which implements Article 13 of the ePD, the use of automated calling machines without human intervention, faxes, or electronic messages for unsolicited communications — whether commercial, idealistic, or charitable — is prohibited unless the sender can demonstrate prior opt-in consent from the recipient. Under Article 11.7(2), the same rule applies to unsolicited communications other than those referred to in Article 11.7(1), with the additional requirement that each message includes an opt-out option. 

No prior consent is required if the other party has published contact data for marketing purposes or the other party is located outside of the EEA and complies with applicable local laws on direct marketing (Article 11.7(3), DTA). Advertisers can rely on a soft opt-in (i.e., consent is assumed) “if contact details have been acquired in the context of the sale of a product or service” (Article 11.7(4), DTA). There must have been actual sales of products or services. The end user must be allowed to object, at no cost and conveniently, to the use of their contact details: (a) at the time of collection; and (b) if no objection is made then, with each subsequent message.


11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?

In the Netherlands, the transfer of personal data outside the EEA is regulated by the GDPR (Article 44 et seq.). These rules aim to maintain the same level of data protection when personal data leaves the EEA. Such transfers are permitted only if a valid transfer mechanism is in place:

  • Adequacy decision (Article 45, GDPR): the European Commission has determined that the receiving country ensures an adequate level of data protection.
  • Appropriate safeguards (Article 46, GDPR): if there is no adequacy decision, data may be transferred under appropriate safeguards, such as:
    • Standard Contractual Clauses (SCCs);
    • Binding Corporate Rules (BCRs); or
    • approved codes of conduct or certification mechanisms.

Transfers may occur without a transfer mechanism in place in exceptional circumstances, such as with the data subject’s explicit consent or, in the case of occasional (not repetitive) transfers, if the transfer involves only a limited number of data subjects, is necessary for compelling legitimate interests pursued by the controller that are not outweighed by the data subject’s rights or interests, and the controller has assessed all relevant circumstances of the transfer and, based on that assessment, implemented appropriate safeguards for the protection of personal data (Article 49, GDPR; see EDPB Guidelines 2/2018 at www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf).

Data controllers must ensure that the rights and protections under the GDPR are not undermined by the transfer and may need to implement supplementary measures alongside the chosen transfer mechanism (see EDPB Recommendation 01/2020 at www.edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf and CJEU 16 July 2020, C-311/18, ECLI:EU:C:2020:559, at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62018CJ0311).


12. What are the investigatory and enforcement powers of the regulator?

In the Netherlands, the AP’s investigative and enforcement powers stem from Article 58 of the GDPR, Articles 14–20 of the UAVG and the Dutch General Administrative Law Act (Algemene Wet Bestuursrecht (Awb)).

Investigatory powers (Article 58(1), GDPR). The AP has the power to, inter alia:

  • Request access to all information necessary to assess compliance with the GDPR (Article 58(1)(a) and (e), GDPR).
  • Enter and inspect premises and data processing facilities, in accordance with national law (Article 58(1)(f), GDPR, Article 15, UAVG).
  • Conduct audits of organisations’ data processing activities, including reviewing systems and interviewing personnel. There is a duty to co-operate (Article 5:20, Awb). However, pursuant to Article 5:10a of the Awb, a person questioned in connection with the imposition of an administrative fine is not required to make statements regarding the offence. Prior to questioning, the individual should be informed of their right to remain silent.

Enforcement powers (Article 58(2), GDPR). The AP has the authority to, inter alia:

  • Issue warnings or reprimands where processing is likely to infringe the GDPR (Article 58(2)(a) and (b), GDPR).
  • Order compliance with data subject rights (Article 58(2)(c), GDPR).
  • Order the controller or processor to bring processing into compliance with the GDPR (Article 58(2)(d), GDPR).
  • Require notification of a personal data breach to the data subject (Article 58(2)(e), GDPR).
  • Impose temporary or definitive bans on data processing (Article 58(2)(f), GDPR).
  • Impose administrative fines in accordance with Article 83 of the GDPR (Article 58(2)(i), GDPR).

13. What are the sanctions and remedies for non-compliance with data protection laws?

In the Netherlands, sanctions and remedies for non-compliance with data protection laws, primarily under the GDPR and the UAVG, include:

  • Administrative fines. The AP can impose fines up to EUR 20 million or 4% of global annual turnover, whichever is higher, depending on the severity of the breach (Article 83(4–6), GDPR, Article 14, UAVG). These fines are detailed further in the AP’s fining policy rules (English machine translation available at www.wetten-overheid-nl.translate.goog/BWBR0049034/2023-12-12?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp).
  • Corrective measures. The AP may issue warnings, reprimands, or orders to cease unlawful data processing, rectify violations, or restrict processing (Article 58, GDPR, Article 16, UAVG). The AP may also impose an administrative order on pain of penalty payments (Article 16, UAVG, Article 5:32, Awb).
  • Temporary or permanent bans. The AP can impose temporary or permanent restrictions on data processing activities (Article 58(2)(f), GDPR).
  • Civil sanctions. Individuals may seek compensation through the courts for damages suffered due to unlawful data processing (Article 82, GDPR). While there is some controversy in the Netherlands whether Article 80 of the GDPR allows such claims to be bundled as a class action on an opt-out basis (i.e. without individual mandates), a number of class actions have been filed in Dutch courts under the Dutch regime for collective damage claims. The Rotterdam District Court plans to refer preliminary questions to the CJEU (13 November 2024, ECLI:NL:RBROT:2024:11322, English machine translation of the ruling available at https://uitspraken-rechtspraak-nl.translate.goog/details?id=ECLI%3ANL%3ARBROT%3A2024%3A11322&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp&_x_tr_hist=true).
