Skip to content
GDPR by Law

European Union · updated 2026-06-15

Netherlands

Conditional

The Dutch AP focuses on late breach notifications, unlawful cookie walls, and algorithmic harms — it fined Booking.com for reporting a breach 22 days late. Treat the 72-hour clock as a hard engineering deadline here.

Law:
GDPR + UAVG + Telecommunicatiewet
Regulator:
Autoriteit Persoonsgegevens (AP)

Cookie consent

Opt-in required

Breach deadline

72 hours

DPA with vendors

Required

Max fine

€20,000,000 or 4% of global annual revenue, whichever is higher

What Netherlands requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Privacy policy (privacyverklaring)

    Art. 13–14 GDPR

    Privacy notice naming controller, purposes, legal bases, recipients, retention, and rights. Dutch is expected for consumer-facing services; English is generally accepted for B2B and tech audiences.

    How to implement Publish at /privacy, name the AP as complaint authority, and state concrete retention periods — the AP calls out vague 'as long as necessary' wording.

    Required
  2. Cookie consent banner

    Art. 11.7a Tw

    Opt-in consent with a first-layer reject option; cookie walls are presumptively non-compliant per AP guidance.

    How to implement One-click reject at the first layer, no pre-checked boxes, prior tag blocking. The AP published banner do's-and-don'ts in 2024 and runs sweeps against Dutch-traffic sites.

    Required
  3. Records of processing (ROPA)

    Art. 30 GDPR

    Standard register of processing activities.

    How to implement Keep it in your compliance folder next to your DPA inventory; the AP requests it early in investigations.

    Required
  4. Data protection officer (FG)

    Art. 37 GDPR

    Mandatory at GDPR-baseline thresholds; registered with the AP as a Functionaris Gegevensbescherming.

    How to implement Register the FG via the AP portal and publish contact details in your privacyverklaring.

    Conditional
  5. Breach notification process

    Art. 33–34 GDPR

    72-hour notification through the AP's meldloket, plus an internal breach register.

    How to implement Pre-register your organisation on the meldloket, and rehearse the flow — Booking.com's fine shows the deadline is enforced literally.

    Required
  6. Algorithmic transparency

    AP algorithm supervision

    The AP hosts the national algorithm regulator. High-impact automated systems face scrutiny after the childcare-benefits scandal.

    How to implement If you deploy scoring, fraud detection, or profiling affecting Dutch users, run a DPIA and be ready to explain the model's inputs and human oversight.

    Recommended

The details

Cookie consent
Art. 11.7a Telecommunicatiewet requires opt-in consent for non-essential cookies. The AP began actively fining cookie-banner dark patterns in 2024–2025, checking that reject is a single click at the first layer.
Data Protection Officer
GDPR baseline thresholds apply. The UAVG adds no lower threshold, but the AP expects large-scale health, tracking, and platform businesses to have one.
Processing agreements
Art. 28 GDPR verwerkersovereenkomst required with every processor. Dutch enterprise customers will demand one from you as a vendor almost immediately.
Breach notification
Report via the AP's online breach portal within 72 hours. The Netherlands had a national breach-notification law before GDPR, and the AP receives about 25,000 reports a year — late reporting is a fining offence on its own.
Enforcement in practice
Booking.com was fined €475,000 in 2021 purely for notifying a breach 22 days too late; the AP fined Clearview AI €30.5M in 2024 over scraped biometric data.

Data subject rights

What users can demand from you in Netherlands, and the engineering that satisfies each right.

Right to access

Art. 15 GDPR

Copy of personal data and processing details within one month.

Dutch courts hear many Art. 15 cases; provide underlying documents where feasible, not just a field summary.

Right to erasure

Art. 17 GDPR

Deletion when data is no longer necessary or consent withdrawn.

Dutch tax law requires 7-year retention of administration — cite it as your exemption for financial records.

Right to data portability

Art. 20 GDPR

Machine-readable export of user-provided data.

JSON/CSV export endpoint; applies to consent- and contract-based processing.

Right to rectification

Art. 16 GDPR

Correction of inaccurate personal data.

Self-service profile edits plus support flow.

Right to restrict processing & to object

Art. 18, 21 GDPR

Freeze during disputes; absolute objection to direct marketing.

Maintain a suppression list; Dutch law also requires an opt-out register check (Bel-me-niet successor rules) for cold calls.

Automated decision-making

Art. 22 GDPR

Protection against solely automated significant decisions.

Post-toeslagenaffaire, Dutch scrutiny of automated fraud scoring is intense. Add human review to any automated rejection flow.

Tools that cover Netherlands

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • cookie consent

    Cookiebot

    CMP with per-country configuration; its Dutch preset matches AP banner guidance.

    Visit Cookiebot →
  • privacy policy

    iubenda

    Generates Dutch and English privacyverklaringen with concrete retention wording.

    Visit iubenda →
  • dpa template

    Termly

    Verwerkersovereenkomst-ready DPA templates for vendor relationships.

    Visit Termly →

Frequently asked questions

What gets companies fined in the Netherlands most often?

Late or missing breach notifications, ignored access requests, and unlawful tracking. The AP's Booking.com fine was purely about timing — the breach itself came from a third party, but the 22-day delay in reporting cost €475,000.

Are cookie walls allowed in the Netherlands?

The AP has said take-it-or-leave-it cookie walls violate freely-given consent. A paid tracking-free alternative may pass, but a hard wall with no alternative is a known enforcement target.

Do I need my privacy policy in Dutch?

For consumer services aimed at the Dutch market, yes in practice — information must be intelligible to your audience. Developer tools and B2B SaaS commonly ship English-only without issue.

How seriously should I take the 72-hour breach deadline?

In the Netherlands, literally. Pre-register on the AP's meldloket, keep a decision tree for 'aware' vs 'investigating', and file a preliminary report if facts are incomplete — you can supplement later.

Similar jurisdictions

Free download

Get GDPR updates for Netherlands

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.