European Union · updated 2026-06-15
Netherlands
The Dutch AP focuses on late breach notifications, unlawful cookie walls, and algorithmic harms — it fined Booking.com for reporting a breach 22 days late. Treat the 72-hour clock as a hard engineering deadline here.
- Law:
- GDPR + UAVG + Telecommunicatiewet
- Regulator:
- Autoriteit Persoonsgegevens (AP)
Cookie consent
Opt-in required
Breach deadline
72 hours
DPA with vendors
Required
Max fine
€20,000,000 or 4% of global annual revenue, whichever is higher
What Netherlands requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Privacy policy (privacyverklaring)
Art. 13–14 GDPRPrivacy notice naming controller, purposes, legal bases, recipients, retention, and rights. Dutch is expected for consumer-facing services; English is generally accepted for B2B and tech audiences.
How to implement Publish at /privacy, name the AP as complaint authority, and state concrete retention periods — the AP calls out vague 'as long as necessary' wording.
Required -
Cookie consent banner
Art. 11.7a TwOpt-in consent with a first-layer reject option; cookie walls are presumptively non-compliant per AP guidance.
How to implement One-click reject at the first layer, no pre-checked boxes, prior tag blocking. The AP published banner do's-and-don'ts in 2024 and runs sweeps against Dutch-traffic sites.
Required -
Records of processing (ROPA)
Art. 30 GDPRStandard register of processing activities.
How to implement Keep it in your compliance folder next to your DPA inventory; the AP requests it early in investigations.
Required -
Data protection officer (FG)
Art. 37 GDPRMandatory at GDPR-baseline thresholds; registered with the AP as a Functionaris Gegevensbescherming.
How to implement Register the FG via the AP portal and publish contact details in your privacyverklaring.
Conditional -
Breach notification process
Art. 33–34 GDPR72-hour notification through the AP's meldloket, plus an internal breach register.
How to implement Pre-register your organisation on the meldloket, and rehearse the flow — Booking.com's fine shows the deadline is enforced literally.
Required -
Algorithmic transparency
AP algorithm supervisionThe AP hosts the national algorithm regulator. High-impact automated systems face scrutiny after the childcare-benefits scandal.
How to implement If you deploy scoring, fraud detection, or profiling affecting Dutch users, run a DPIA and be ready to explain the model's inputs and human oversight.
Recommended
The details
- Cookie consent
- Art. 11.7a Telecommunicatiewet requires opt-in consent for non-essential cookies. The AP began actively fining cookie-banner dark patterns in 2024–2025, checking that reject is a single click at the first layer.
- Data Protection Officer
- GDPR baseline thresholds apply. The UAVG adds no lower threshold, but the AP expects large-scale health, tracking, and platform businesses to have one.
- Processing agreements
- Art. 28 GDPR verwerkersovereenkomst required with every processor. Dutch enterprise customers will demand one from you as a vendor almost immediately.
- Breach notification
- Report via the AP's online breach portal within 72 hours. The Netherlands had a national breach-notification law before GDPR, and the AP receives about 25,000 reports a year — late reporting is a fining offence on its own.
- Enforcement in practice
- Booking.com was fined €475,000 in 2021 purely for notifying a breach 22 days too late; the AP fined Clearview AI €30.5M in 2024 over scraped biometric data.
Data subject rights
What users can demand from you in Netherlands, and the engineering that satisfies each right.
Right to access
Art. 15 GDPRCopy of personal data and processing details within one month.
Dutch courts hear many Art. 15 cases; provide underlying documents where feasible, not just a field summary.
Right to erasure
Art. 17 GDPRDeletion when data is no longer necessary or consent withdrawn.
Dutch tax law requires 7-year retention of administration — cite it as your exemption for financial records.
Right to data portability
Art. 20 GDPRMachine-readable export of user-provided data.
JSON/CSV export endpoint; applies to consent- and contract-based processing.
Right to rectification
Art. 16 GDPRCorrection of inaccurate personal data.
Self-service profile edits plus support flow.
Right to restrict processing & to object
Art. 18, 21 GDPRFreeze during disputes; absolute objection to direct marketing.
Maintain a suppression list; Dutch law also requires an opt-out register check (Bel-me-niet successor rules) for cold calls.
Automated decision-making
Art. 22 GDPRProtection against solely automated significant decisions.
Post-toeslagenaffaire, Dutch scrutiny of automated fraud scoring is intense. Add human review to any automated rejection flow.
Tools that cover Netherlands
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
cookie consent
Cookiebot
CMP with per-country configuration; its Dutch preset matches AP banner guidance.
Visit Cookiebot → -
privacy policy
iubenda
Generates Dutch and English privacyverklaringen with concrete retention wording.
Visit iubenda → -
dpa template
Termly
Verwerkersovereenkomst-ready DPA templates for vendor relationships.
Visit Termly →
Frequently asked questions
What gets companies fined in the Netherlands most often?
Late or missing breach notifications, ignored access requests, and unlawful tracking. The AP's Booking.com fine was purely about timing — the breach itself came from a third party, but the 22-day delay in reporting cost €475,000.
Are cookie walls allowed in the Netherlands?
The AP has said take-it-or-leave-it cookie walls violate freely-given consent. A paid tracking-free alternative may pass, but a hard wall with no alternative is a known enforcement target.
Do I need my privacy policy in Dutch?
For consumer services aimed at the Dutch market, yes in practice — information must be intelligible to your audience. Developer tools and B2B SaaS commonly ship English-only without issue.
How seriously should I take the 72-hour breach deadline?
In the Netherlands, literally. Pre-register on the AP's meldloket, keep a decision tree for 'aware' vs 'investigating', and file a preliminary report if facts are incomplete — you can supplement later.
Similar jurisdictions
Free download
Get GDPR updates for Netherlands
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.