Data & Privacy · Netherlands

Comprehensive law: EU General Data Protection Regulation (GDPR / 'AVG', Regulation 2016/679), directly applicable since 25 May 2018, supplemented nationally by the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming, UAVG). Supervised and enforced by the Autoriteit Persoonsgegevens (AP).

As an EU member state, the Netherlands has a comprehensive personal-data protection regime based on the directly applicable GDPR, supplemented by the national UAVG which entered into force on 25 May 2018. The independent supervisory authority is the Autoriteit Persoonsgegevens (AP), which enforces the GDPR, the UAVG and ePrivacy/cookie rules and can impose administrative fines up to the GDPR maximum of €20 million or 4% of global annual turnover.

Comprehensive GDPR-based regime

The GDPR applies directly and is supplemented by the UAVG (BWBR0040940), which entered into force on 25 May 2018, replacing the former Wet bescherming persoonsgegevens (Wbp). The UAVG sets national specifics, exceptions and elaborations and establishes the supervisory authority's powers.

Supervisory authority (AP)

The Autoriteit Persoonsgegevens (AP), the independent Dutch Data Protection Authority (formerly the College bescherming persoonsgegevens), supervises and enforces the GDPR and UAVG, handles complaints, conducts investigations and issues guidance.

Core obligations and rights

Processing must rest on one of the six GDPR legal bases (consent, contract, legal obligation, vital interests, public task, legitimate interests). Controllers must meet the accountability principle, and data subjects hold rights of access, rectification, erasure, data portability and objection.

Cookies and ePrivacy

Cookie placement is governed by Article 11.7a of the Telecommunicatiewet (the Dutch implementation of the EU ePrivacy Directive), while the GDPR governs use of the resulting data. Non-essential cookies require prior, freely given consent; cookie walls are prohibited, and the AP enforces these rules.

National derogation: age of digital consent

Using the GDPR's margin for member states, the UAVG sets the age of valid digital consent for information-society services at 16, the maximum permitted; below that age parental/guardian consent is required.

Enforcement and sanctions

The AP can impose administrative fines up to €20 million or 4% of worldwide annual turnover. Recent actions include a €290 million fine against Uber in 2024 over EU-to-US driver-data transfers and a 2025 enforcement campaign warning 200+ websites over non-compliant cookie banners.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.