Data & Privacy · Netherlands
Data protection & GDPR compliance in Netherlands (2026)
Netherlands shaded by its data & privacy status
Data protection in Netherlands: comprehensive law, under EU General Data Protection Regulation (GDPR / 'AVG', Regulation 2016/679), directly applicable since 25 May 2018, supplemented nationally by the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming, UAVG). Supervised and enforced by the Autoriteit Persoonsgegevens (AP)..
As an EU member state, the Netherlands has a comprehensive personal-data protection regime based on the directly applicable GDPR, supplemented by the national UAVG which entered into force on 25 May 2018. The independent supervisory authority is the Autoriteit Persoonsgegevens (AP), which enforces the GDPR, the UAVG and ePrivacy/cookie rules and can impose administrative fines up to the GDPR maximum of €20 million or 4% of global annual turnover.
GDPR & data protection in Netherlands
In Netherlands, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
- Applies to
- any organisation processing the personal data of people in Netherlands, wherever the organisation is based
- Maximum fine
- €20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Netherlands supplements it with a national data-protection act and its own supervisory authority.
GDPR in Netherlands: FAQ
Yes. As an EU/EEA member, Netherlands applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Up to €20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
The GDPR applies directly and is supplemented by the UAVG (BWBR0040940), which entered into force on 25 May 2018, replacing the former Wet bescherming persoonsgegevens (Wbp). The UAVG sets national specifics, exceptions and elaborations and establishes the supervisory authority's powers.
The Autoriteit Persoonsgegevens (AP), the independent Dutch Data Protection Authority (formerly the College bescherming persoonsgegevens), supervises and enforces the GDPR and UAVG, handles complaints, conducts investigations and issues guidance.
Processing must rest on one of the six GDPR legal bases (consent, contract, legal obligation, vital interests, public task, legitimate interests). Controllers must meet the accountability principle, and data subjects hold rights of access, rectification, erasure, data portability and objection.
Cookie placement is governed by Article 11.7a of the Telecommunicatiewet (the Dutch implementation of the EU ePrivacy Directive), while the GDPR governs use of the resulting data. Non-essential cookies require prior, freely given consent; cookie walls are prohibited, and the AP enforces these rules.
Using the GDPR's margin for member states, the UAVG sets the age of valid digital consent for information-society services at 16, the maximum permitted; below that age parental/guardian consent is required.
The AP can impose administrative fines up to €20 million or 4% of worldwide annual turnover. Recent actions include a €290 million fine against Uber in 2024 over EU-to-US driver-data transfers and a 2025 enforcement campaign warning 200+ websites over non-compliant cookie banners.
Timeline - major decisions & events
The Dutch DPA sent warning letters to more than 200 websites for cookie banners lacking a genuine 'reject' option or loading tracking scripts before user consent. A dedicated annual budget of €500,000 funds a target of 500 warnings per year, signalling systematic enforcement of ePrivacy/GDPR consent rules.
Autoriteit Persoonsgegevens ↗From 2 February 2025, Chapter II of the EU AI Act, banning social scoring, real-time remote biometric surveillance, and other high-risk AI uses, became enforceable. The AP, already acting as the national AI-supervision coordinator since 2023, warned Dutch organisations using prohibited systems to expect substantial fines.
Autoriteit Persoonsgegevens ↗The AP fined Clearview AI €30.5 million for scraping billions of photos from the internet to build a facial-recognition database without a lawful basis under GDPR. The AP simultaneously warned Dutch organisations that any use of Clearview's services is itself unlawful.
European Data Protection Board ↗The AP imposed a €290 million fine on Uber for transferring sensitive personal data of European taxi drivers to US servers for over two years without any approved transfer mechanism after Standard Contractual Clauses lapsed in August 2021, violating GDPR Chapter V. This remains the largest fine ever issued by the Dutch DPA.
Autoriteit Persoonsgegevens ↗The AP fined the Belastingdienst €3.7 million for operating the FSV fraud blacklist in breach of GDPR, and separately €2.75 million for unlawfully processing applicants' nationality data as a discriminatory fraud indicator for years. The scandal, which wrongly accused tens of thousands of families, became a landmark case for algorithmic discrimination and data-protection enforcement against the state.
Autoriteit Persoonsgegevens ↗The AP fined TikTok for presenting its privacy policy solely in English to Dutch users, including young children, between May 2018 and July 2020, preventing meaningful informed consent. The case reinforced that children's data requires accessible, language-appropriate disclosures under GDPR.
Autoriteit Persoonsgegevens ↗The court ruled that the SyRI legislation, a big-data welfare-fraud profiling system, violated Article 8 ECHR due to lack of transparency and disproportionate interference with private life. One of the world's first rulings on human-rights limits of AI in public administration, it led the Dutch government to immediately cease use of SyRI.
UN Office of the High Commissioner for Human Rights ↗The EU GDPR became directly applicable and the Uitvoeringswet AVG (UAVG) replaced the Wbp. The UAVG set the digital consent age at 16, added employment-data safeguards, and dramatically expanded the AP's sanctioning powers, raising maximum fines to €20 million or 4% of global annual turnover.
wetten.overheid.nl (Dutch Official Legislation Portal) ↗A Wbp amendment introduced a mandatory 72-hour data-breach notification obligation, one of the first statutory requirements of its kind in the EU, and simultaneously renamed the CBP to the Autoriteit Persoonsgegevens, granting it stronger sanctioning powers ahead of GDPR.
Autoriteit Persoonsgegevens ↗The Wet bescherming persoonsgegevens (adopted 6 July 2000) entered into force on 1 September 2001, implementing EU Directive 95/46/EC. It replaced the 1989 Wpr with broader definitions, stronger individual rights, and transformed the Registratiekamer into the College Bescherming Persoonsgegevens (CBP) with enhanced enforcement powers.
Council of Europe (official Wbp text) ↗The Netherlands enacted its first comprehensive data-protection statute, the Wet persoonsregistraties (Wpr), and created the independent Registratiekamer as the supervisory authority, the direct institutional forerunner of today's AP. This gave Dutch citizens formal, enforceable rights over their registered personal data for the first time.
Autoriteit Persoonsgegevens ↗Netherlands - other topics
Data & Privacy in other countries
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →