Protection of personal data

Published by:
Netherlands Enterprise Agency, RVO
Checked 27 Mar 2024
3 min read

Do you use or store personal data from employees, customers, or others? Then you must take extra measures to protect the data. This way you ensure the privacy of the people whose data you store. You must keep to the General Data Protection Regulation (GDPR or Algemene Verordening Gegevensbescherming, AVG), the European privacy law.

The GDPR applies if your business:

  • is based in the EU and processes personal data. It does not matter where the actual data processing takes place;
  • is established outside the EU but processes personal data because your company offers goods or services to individuals in the EU, or monitors the behaviour of individuals within the EU.

Non-EU-based companies processing EU citizens' data need to appoint a representative in the EU.

What are personal data?

Personal data are data that identify people. These data can only be used in certain situations. These data include:

What is processing of personal data?

The GDPR specifies which rules to follow with regard to data processing. Data processing entails every action you conduct with personal data. This includes manual actions and automatic actions. Whether you use all personal data or only a part of the data does not matter: both are considered data processing. Processing personal data includes:

  • collecting, recording, organising and structuring
  • saving, updating and editing
  • requesting, consulting and using
  • forwarding and distributing
  • aligning and combining
  • filtering, deleting and destroying.

When can you use personal data?

You need a good reason to use personal data. A good reason is, for example, when your client or employee has given their consent. You can also use the information if it is necessary to carry out a service, for instance if you need a customer’s address to deliver goods.

Special categories of personal data

There are more restrictions regarding special categories of personal data. This means data that is sensitive. This may be data about a person’s health, political opinions or trade-union membership. You are not allowed to use these data, unless you have legal grounds for it. For any data from the special category, additional safeguards must be put in place to protect it.

Keeping personal data safe

You have a duty to protect any personal data you collect and store. This means:

  • You are not allowed to collect or keep more personal data than strictly necessary.
  • Only a (very) limited number of people in your company should have access to this data.
  • You should not keep personal data for longer than necessary.
  • You may have to carry out a Data Protection Impact Assessment. With a DPIA you assess the risks of data processing within your company, so you can take measures to minimise these risks.

Take a look at 10 steps you can take to make your business GDPR compliant.

Duty to disclose information

The GDPR stipulates that you must justify the registration and use of data in your possession. You must provide transparent information. You should also let people know:

  • which personal data you intend to use
  • why you use this data
  • if you pass on or sell their personal information to third parties
  • your own details (company name and address).

For a complete list of information you have to provide, you can consult the official legal text of the GDPR.

It is mandatory to include a privacy statement on your website. The privacy declaration generator (privacyverklaringgenerator, in Dutch) helps you write a text for your privacy statement.

Do I need to report processing of personal data?

Do you process personal data or do you intend to process personal data? You do not need to report this to the Dutch Data Protection Authority (Dutch DPA, Autoriteit Persoonsgegevens). However, in some cases you are required to appoint a Data Protection Officer (DPO or Functionaris gegevensbescherming, FG). A DPO monitors how personal data is processed and informs and advises employees about their obligations regarding data processing. A DPO is also the contact person for the Dutch DPA.

You do need to report to the Dutch DPA and apply for a licence (in Dutch) if you intend to work with a blacklist that you want to share with, for instance, other businesses in your sector. You also need to do this to work with data related to criminal offences.

Reporting theft, loss or abuse of personal data

In case of a data breach, you must notify the Dutch DPA (in Dutch) within 72 hours. If it concerns a cross-border data breach, in general you should notify the DPA of the country where your company’s headquarters is situated. You must also notify the persons involved of any theft, loss or abuse of personal data for which you are responsible. The GDPR demands that businesses register and file all data leaks. If you fail to notify any data breach in time, the DPA may impose a fine. You can find more information in the step-by-step plan for a data breach.
