The information on this page was current at the time it was published. Regulations, trends, statistics, and other information are constantly changing. While we strive to update our Knowledge Base, we strongly suggest you use these pages as a general guide and be sure to verify any regulations, statistics, guidelines, or other information that are important to your efforts.

Data Protection and Cookie Laws in the Netherlands

In the business world today, the collection, use, and disclosure of personal data by a company is an integral part of its functioning and success. Data collection, use, and disclosure activities have many risks for both consumers and companies. For consumers, the unauthorized access and use of their personal data could mean identity theft, which can affect every aspect of their lives for many years. For companies, big, medium, and small, a data breach can be ruinous. For a security breach, companies face criminal prosecution, civil penalties, audit, lawsuit liability, extreme expense to notify customers, to investigate the breach, to compensate customers, and update the system to prevent another such breach, and a loss of profits from a decrease in consumer confidence and a negative reputation.

Many countries, including the Netherlands, are increasingly tightening their data protection regulations. Being a member of the European Union (EU), the Netherlands must take the EU data privacy standards and incorporate them into their own legislation. Any company doing business in the Netherlands and with its people must comply with its data protection laws. There are several ways in which a company can do so, depending on the country it is from and how it chooses to prove that it is in compliance.

Data protection is taken very seriously in the Netherlands. We recommend that you have a clear understanding of the laws and regulations that apply to your business and that you seek legal assistance if you are unsure whether you are in compliance.

Netherlands Marketplace - Legal Services

Data Protection Act and Breach Notification Law

What laws and regulations apply?

The general data protection law is the Wet bescherming persoonsgegevens (Personal Data Protection Act (PDPA)). The Wet meldplitch datalekken en uitbreidling bestuurlijke boetebevoegdheid Cpb (Breach Notification Law (in Dutch)) regulations notification requirements in the event of a security breach. The Autoriteit Persoonsgegevens (Dutch Data Protection Authority (Dutch DPA)) regulates data protection laws and regulations in the Netherlands.

To Whom and What do the Data Protection Act and the Breach Notification Law apply?

The DPA applies to the processing of personal data, including sensitive personal data, by data controllers and data processors. Furthermore, it applies to automatically and manually stored and processed data. Below are some important terms to understand that pertain to the DPA.

Personal data is any information relating to an identified or identifiable natural person.

Sensitive personal data is personal data on a person’s religion, race, political views, health, sexuality, and trade union membership.

A data controller is a person or body which processes personal data for the responsible party, without coming under the direct authority of that party.

How do companies comply with the DPA and Breach Notification Law?

The Personal Data Protection Law requires that data controllers implement appropriate data security measures. Under the PDPA, companies have data collection, data processing, data transfer, international data transfer, data security, and breach notification obligations and requirements.

The Breach Notification Law requires that organizations (companies and governments) immediately inform the Dutch Data Protection Authority as soon as they experience a serious data breach. In some cases, the company must also notify the data subjects of the breach. For more information on your obligations, review the Dutch Data Protection Authority’s policy rules.

What are the consequences of noncompliance?

Data subjects have a right to be compensated for damages that result from a data breach.

The Dutch Data Protection Authority has the discretion to imposed a fine of up to €820,000 penalty for a violation of the Breach Notification Law.

Dutch Cookie Law

Cookies, also known as browser cookies or tracking cookies, are small, often encrypted, text files that are downloaded onto the ‘terminal equipment’ (e.g., a computer or smartphone) when a user accesses a website. Cookies allow a website to recognize a user’s device and store information about the user’s preferences and past actions. Cookies are not just created by the website the user is browsing, often called first party cookies, but also, by other websites that run ads, widgets, or other elements being loaded on the page, often called third party cookies. Cookies can expire at the end of a session or they can be stored for longer. Session cookies expire after a browser session. Session cookies can be used to remember what a user has put in a cart or shopping basket or for security reasons when accessing internet banking or webmail. Persistent cookies are stored on a user's’ device in between browsing sessions and can be used to remember a user’s preferences and choices or for targeted advertising.

What laws or regulations apply?

The Dutch Cookie Law regulates the placement and enforcement of cookies. The Cookie law is regulated and enforced by both the Dutch Authority for Consumer Market (ACM) and the Dutch Data Protection Authority (Dutch DPA).

To Whom and What does the Cookie Law apply?

The Cookie Law applies to any organization that uses cookies.

How do companies comply with the Cookie Law?

Any organization that places cookies must inform the user and get his consent before placing or reading the cookies. Under Dutch law, consent must be an active act, or explicit, which therefore, excludes opt-out and implied consent.

The Dutch cookie law is one of the strictest in Europe.

Explicit consent can be obtained through a pop-up or banner that requires the user to click an acceptance or agreement (to the setting and use of cookies) to continue to use your website. Implied consent can be obtained by using a pop-up to inform your user that cookies are being used and that the continued use of your website will be deemed consent.

The new exceptions to this information and consent rule are:

• cookies that are required for transmission and the working of the website itself;

• cookies that are technically and strictly necessary to provide specific services on a website (e.g. shopping carts); and

• cookies that are used to obtain information about the quality or efficiency of the website, as long as they do not, or have a limited, impact on the privacy of users (e.g. analytic cookies, affiliate cookies, and a/b testing cookies).

The above exceptions do not require that the user be informed of and give his explicit consent to the use of cookies. A User’s consent is still required to place tracking cookies that are used to create a user profile.

What are the consequences of noncompliance?

Both the ACM and the Dutch DPA have the authority to impose steep fines for violations of the Cookie Law. The ACM can impose a fine of up to €450,000 per violation.

Personal Data Protection Act

Breach Notification Law

Dutch Data Protection Authority

Cookie Law

Dutch Authority for Consumer Market

Dutch Government Websites

In today’s digital world, your business cannot risk a data breach, so it is imperative you have an effective process in place. Not only does your process need to comply with Dutch legal requirements, but it should be sufficient to protect your business from other nongovernmental consequences of a data breach.