Data protection & privacy laws in Netherlands (2026)

The Dutch DPA sent warning letters to more than 200 websites for cookie banners lacking a genuine 'reject' option or loading tracking scripts before user consent. A dedicated annual budget of €500,000 funds a target of 500 warnings per year, signalling systematic enforcement of ePrivacy/GDPR consent rules.

From 2 February 2025, Chapter II of the EU AI Act — banning social scoring, real-time remote biometric surveillance, and other high-risk AI uses — became enforceable. The AP, already acting as the national AI-supervision coordinator since 2023, warned Dutch organisations using prohibited systems to expect substantial fines.

The AP fined Clearview AI €30.5 million for scraping billions of photos from the internet to build a facial-recognition database without a lawful basis under GDPR. The AP simultaneously warned Dutch organisations that any use of Clearview's services is itself unlawful.

The AP imposed a €290 million fine on Uber for transferring sensitive personal data of European taxi drivers to US servers for over two years without any approved transfer mechanism after Standard Contractual Clauses lapsed in August 2021, violating GDPR Chapter V. This remains the largest fine ever issued by the Dutch DPA.

The AP fined the Belastingdienst €3.7 million for operating the FSV fraud blacklist in breach of GDPR, and separately €2.75 million for unlawfully processing applicants' nationality data as a discriminatory fraud indicator for years. The scandal — which wrongly accused tens of thousands of families — became a landmark case for algorithmic discrimination and data-protection enforcement against the state.

The AP fined TikTok for presenting its privacy policy solely in English to Dutch users — including young children — between May 2018 and July 2020, preventing meaningful informed consent. The case reinforced that children's data requires accessible, language-appropriate disclosures under GDPR.

The court ruled that the SyRI legislation — a big-data welfare-fraud profiling system — violated Article 8 ECHR due to lack of transparency and disproportionate interference with private life. One of the world's first rulings on human-rights limits of AI in public administration, it led the Dutch government to immediately cease use of SyRI.

The EU GDPR became directly applicable and the Uitvoeringswet AVG (UAVG) replaced the Wbp. The UAVG set the digital consent age at 16, added employment-data safeguards, and dramatically expanded the AP's sanctioning powers — raising maximum fines to €20 million or 4% of global annual turnover.

A Wbp amendment introduced a mandatory 72-hour data-breach notification obligation — one of the first statutory requirements of its kind in the EU — and simultaneously renamed the CBP to the Autoriteit Persoonsgegevens, granting it stronger sanctioning powers ahead of GDPR.

The Wet bescherming persoonsgegevens (adopted 6 July 2000) entered into force on 1 September 2001, implementing EU Directive 95/46/EC. It replaced the 1989 Wpr with broader definitions, stronger individual rights, and transformed the Registratiekamer into the College Bescherming Persoonsgegevens (CBP) with enhanced enforcement powers.

The Netherlands enacted its first comprehensive data-protection statute, the Wet persoonsregistraties (Wpr), and created the independent Registratiekamer as the supervisory authority — the direct institutional forerunner of today's AP. This gave Dutch citizens formal, enforceable rights over their registered personal data for the first time.