Netherlands Data Privacy Laws: GDPR & UAVG Guide (2026)

The Netherlands operates one of the most active data protection regimes in Europe. As an EU member state, Dutch law applies the General Data Protection Regulation directly, but national legislation adds layers of protection that go beyond what the GDPR requires in several areas.
This guide covers the full legal framework governing data privacy in the Netherlands, the authority responsible for enforcement, the major fines and scandals that have shaped Dutch data protection culture, and the specific rules that businesses and organizations must follow.
Legal Framework: GDPR and the UAVG
Two primary instruments govern data protection in the Netherlands. The General Data Protection Regulation (GDPR) applies directly as EU law. The Uitvoeringswet Algemene verordening gegevensbescherming (UAVG), which translates to the GDPR Implementation Act, fills the gaps where the GDPR allows member states to make their own rules.

The UAVG took effect on May 25, 2018, the same day as the GDPR. It replaced the earlier Wet bescherming persoonsgegevens (Wbp), which had implemented the 1995 EU Data Protection Directive.
Where the UAVG Goes Beyond the GDPR
The GDPR gives member states flexibility in several areas, and the Netherlands has used that flexibility to impose stricter rules.
Age of consent for children. Article 8 of the GDPR allows member states to set the age of digital consent anywhere between 13 and 16. The Netherlands chose the maximum: 16 years old. Children under 16 cannot consent to data processing for online services. A parent or guardian must provide that consent on their behalf.
BSN (citizen service number) restrictions. The UAVG adds protections for the Burgerservicenummer that do not exist in the GDPR itself. More on this below.
Special categories of data. Articles 22 through 30 of the UAVG spell out additional exceptions and safeguards for processing sensitive data, including health data, biometric data, and criminal records. These go beyond what the GDPR requires and reflect Dutch legislative choices about proportionality.
Biometric data for employees. The UAVG permits employers to process biometric data only when it is necessary for authentication or security purposes. Explicit consent alone is not sufficient in an employment context, because the power imbalance between employer and employee makes truly free consent questionable.
The Autoriteit Persoonsgegevens: Enforcement Authority
The Autoriteit Persoonsgegevens (AP), or Dutch Data Protection Authority, is the independent supervisory body responsible for enforcing both the GDPR and the UAVG. It was formerly known as the College bescherming persoonsgegevens (CBP) before being renamed in 2016.
The AP has broad powers. It can investigate organizations on its own initiative or in response to complaints. It can conduct audits, issue warnings, order organizations to change their practices, and impose administrative fines.
Enforcement Powers
The maximum fines the AP can impose follow the GDPR framework:
- Up to EUR 10 million or 2% of global annual turnover for violations of organizational obligations, such as failing to appoint a Data Protection Officer, failing to maintain records of processing activities, or failing to conduct a Data Protection Impact Assessment.
- Up to EUR 20 million or 4% of global annual turnover for violations of core data protection principles, such as processing data without a legal basis, violating data subject rights, or transferring data internationally without adequate safeguards.
The AP has also published specific fining guidelines that categorize violations by severity and set base amounts for calculating penalties.
Enforcement Priorities
For 2024 and 2025, the AP identified four strategic enforcement priorities:
- Algorithms and artificial intelligence -- addressing automated decision-making risks
- Big Tech -- holding major technology platforms accountable
- Freedom and security -- balancing surveillance with privacy rights
- Data trading and digital government -- scrutinizing data brokers and government data practices
The AP also serves as the lead supervisory authority for companies that have their main European establishment in the Netherlands, including major international corporations like Netflix and Uber.
Major Enforcement Actions and Fines
The Netherlands has been at the center of some of the largest and most consequential GDPR enforcement actions in Europe.
Uber: EUR 290 Million (2024)
On August 26, 2024, the AP announced a EUR 290 million fine against Uber for transferring European drivers' personal data to the United States without adequate safeguards. This was one of the largest GDPR fines ever imposed by any data protection authority.
The violation centered on Uber's transfer of sensitive driver data to its US headquarters for more than two years. The data included account details, taxi licenses, location data, photographs, payment information, identity documents, and in some cases criminal and medical records.
After the Court of Justice of the EU invalidated the EU-US Privacy Shield in 2020, organizations needed to use alternative transfer mechanisms like Standard Contractual Clauses. Uber stopped using Standard Contractual Clauses from August 2021, leaving the data of EU drivers without sufficient protection.
The case originated from complaints by French Uber drivers, filed through the Ligue des droits de l'Homme. Because Uber's European headquarters is in the Netherlands, the AP handled the investigation as the lead supervisory authority. This was Uber's third fine from the Dutch DPA, following a EUR 600,000 fine in 2018 and a EUR 10 million fine in 2023.
Clearview AI: EUR 30.5 Million (2024)
The AP imposed a EUR 30.5 million fine on Clearview AI for building an illegal facial recognition database. Clearview scraped more than 30 billion photographs from the internet and converted each face into a unique biometric code, all without consent or a legal basis.
The AP found violations of multiple GDPR articles, including the prohibition on processing special categories of data (biometric data) without a proper legal basis. In addition to the fine, the AP imposed penalty payments of more than EUR 5 million for non-compliance and warned that using Clearview's services is also prohibited under EU law.
Netflix: EUR 4.75 Million (2024)
The AP fined Netflix EUR 4.75 million for failing to provide customers with adequate information about its data processing practices between 2018 and 2020. Netflix did not clearly explain the purposes and legal basis for collecting personal data, which third parties received data and why, or how it protected personal data transferred outside Europe.
The investigation began after complaints from the Austrian privacy organization noyb (None of Your Business). Because Netflix's European headquarters is in Amsterdam, the AP was the lead authority. Netflix has since updated its privacy statement and appealed the decision.
Booking.com: EUR 475,000 (2021)
The AP fined Booking.com EUR 475,000 for reporting a data breach 22 days late. In December 2018, criminals used phone scams to obtain hotel staff login credentials, gaining access to data on 4,109 guests and the credit card details of 283 people. Booking.com learned of the breach on January 13, 2019, but did not notify the AP until February 7, well beyond the 72-hour deadline.
Experian: EUR 2.7 Million (2025)
The AP fined Experian for compiling creditworthiness reports using large volumes of personal data without informing individuals they were being assessed. The company processed data without a valid legal basis and failed to adequately inform data subjects about the collection of their personal data.
Dutch Tax Authority: EUR 3.7 Million and EUR 2.75 Million
The AP imposed its then-record fine of EUR 3.7 million on the Belastingdienst (Dutch Tax and Customs Administration) for maintaining an illegal fraud detection blacklist for years. A separate fine of EUR 2.75 million followed for discriminatory processing of dual-nationality data in the childcare benefits system. These fines are part of the broader toeslagenaffaire, discussed below.
The Toeslagenaffaire: A National Data Scandal
The Dutch childcare benefits scandal, known as the toeslagenaffaire, stands as one of the most severe examples of government data misuse in European history. It reshaped Dutch politics and strengthened the argument for strict data protection enforcement.
The Dutch Tax Authority used a self-learning algorithm to create risk profiles for childcare benefit applicants. The system flagged applicants as potential fraudsters based partly on their nationality. People with dual nationality, particularly those with Turkish, Moroccan, or Eastern European backgrounds, were automatically subjected to heightened scrutiny.
Tens of thousands of families were falsely accused of fraud and forced to repay their benefits in full. Many were pushed into poverty. Some parents lost custody of their children. Multiple suicides were linked to the financial devastation caused by the wrongful fraud accusations.
A parliamentary investigation in late 2020 found systematic discrimination and massive injustice. The entire cabinet under Prime Minister Mark Rutte resigned in January 2021.
The AP found that the Tax Authority violated multiple data protection principles. The processing of nationality data lacked a legal basis. The algorithms were opaque and discriminatory. Data subjects had no control over their personal data and were not informed about how it was being used. Outdated data was retained and shared improperly.
The scandal continues to generate consequences. In February 2026, the Dutch Tax Authority and Police were named the biggest privacy violators of 2025, with the AP finding that more than 50 algorithms used by the Belastingdienst remain illegal.
BSN (Burgerservicenummer) Protections
The BSN, or Burgerservicenummer, is the citizen service number assigned to every person registered in the Netherlands. It serves as a universal identifier for dealings with the government, healthcare, and other regulated sectors.
Because the BSN can link information across multiple databases, the Dutch legislature treats it as a sensitive data point requiring special protection.
Who May Use the BSN
Under the Wet algemene bepalingen burgerservicenummer (BSN General Provisions Act) and the UAVG, the BSN may only be used when a specific law authorizes it. This is a critical distinction from most personal data processing, where consent can serve as a legal basis.
Government organizations may use the BSN when necessary for performing their public duties, as established in Article 10 of the BSN General Provisions Act.
Healthcare organizations are authorized by the Wet gebruik burgerservicenummer in de zorg (Act on the Use of the BSN in Healthcare) to use the BSN for patient identification.
Educational institutions may use the BSN under specific education legislation.
Private companies generally may not request, process, or store your BSN. A gym, an online platform, or an employer acting outside a specific legal obligation has no legal basis to ask for your BSN.
Even with an individual's explicit consent, an organization that lacks a legal mandate cannot process the BSN. Consent does not override the statutory requirement.
BSN on Digital Platforms
The AP has specifically addressed BSN use on digital sales platforms like eBay and Marktplaats. Since January 2024, EU regulations require platforms to collect seller identification data, including BSN, for tax reporting. However, the AP has provided guidance clarifying that platforms must handle this data with heightened security and purpose limitation.
Employee Data and Workplace Privacy
Dutch law imposes specific constraints on how employers may collect and process employee data.
Employee Monitoring
Employers may monitor employees only if they have a legitimate business reason that outweighs workers' privacy rights. Key requirements include:
- Advance notice. Employees must be informed about monitoring before it begins.
- Proportionality. If less invasive alternatives exist, those must be used instead.
- Data Protection Impact Assessment. Large-scale or systematic monitoring, including GPS tracking, email monitoring, and camera surveillance, typically requires a DPIA.
- Works council consent. If the organization has a works council (ondernemingsraad), it must approve monitoring regulations. Without works council consent, monitoring is not permitted.
Camera Surveillance
Employers may use cameras to protect personnel and property, but they may not use camera footage to evaluate employee performance. Hidden cameras are generally prohibited unless there is evidence of serious theft or fraud, and even then only under strict conditions. Camera footage must be deleted within approximately four weeks.
GPS Tracking
Employers may install GPS systems in company vehicles for legitimate purposes like route planning or vehicle security. However, tracking must be limited to working hours unless 24-hour monitoring can be justified, employees must be informed before implementation, and a DPIA is typically required.
Health Data
Under the UAVG, employers may process employee health data only when necessary for reintegration and coaching in relation to illness or disability. An employer may not ask why an employee is sick. That information flows through the company doctor (bedrijfsarts), who reports only what the employer needs to know for workplace accommodations.
Biometric Data
The UAVG permits employer processing of biometric data, such as fingerprint scanners for building access, only when it is necessary for authentication or security purposes. A Dutch court fined a company for requiring employees to use fingerprint scanners when badge-based alternatives were available.
Cookie Consent and the Telecommunicatiewet
The Netherlands implements EU cookie rules through the Telecommunicatiewet (Telecommunications Act), which transposes the ePrivacy Directive.
Consent Requirements
Placing cookies or using similar tracking technologies requires prior informed consent from the user, with limited exceptions:
- Functional cookies necessary for transmitting communications or providing a service the user explicitly requested are exempt.
- Analytics cookies with minimal privacy impact may be exempt if they meet specific conditions, such as using privacy-friendly settings and not sharing data with third parties.
- All other cookies, including advertising and tracking cookies, require affirmative consent before placement.
The AP has taken a strong stance on cookie walls. Simply blocking access to a website unless users accept all cookies does not constitute valid consent under Dutch law.
Google Analytics Enforcement
The AP issued specific guidance on the use of Google Analytics, warning organizations that default configurations may violate both the Telecommunicatiewet and the GDPR because of data transfers to the United States. Organizations must configure analytics tools to anonymize IP addresses, disable data sharing features, and ensure no personal data leaves the EEA without appropriate safeguards.
Penalties
Violations of cookie consent requirements under the Telecommunicatiewet can result in fines of up to EUR 900,000 or 10% of annual turnover.
Data Breach Notification
The Netherlands has one of the most active breach notification regimes in the EU. Organizations must report personal data breaches to the AP under the rules set out in Articles 33 and 34 of the GDPR.
Timeline
Controllers must notify the AP without undue delay and within 72 hours of becoming aware of a breach. If notification occurs after 72 hours, the controller must explain the delay.
For complex incidents such as ransomware or phishing attacks, the AP expects an initial notification within 72 hours even if the investigation is ongoing. Follow-up notifications can be submitted as new information becomes available.
When Notification is Required
Notification to the AP is required unless the breach is unlikely to result in any risk to the rights and freedoms of individuals. In practice, this means most breaches involving personal data must be reported.
If the breach poses a high risk to individuals, the controller must also notify the affected data subjects without undue delay.
Notification Volume
The Netherlands consistently records among the highest breach notification volumes in the EU. In recent reporting periods, Dutch organizations submitted over 33,000 breach notifications to the AP, placing the Netherlands among the top three EU countries alongside Germany and Poland.
Data Subject Rights
Individuals in the Netherlands hold the full set of GDPR data subject rights, enforced by the AP:
- Right of access (Article 15): Individuals can request a copy of all personal data an organization holds about them.
- Right to rectification (Article 16): Incorrect data must be corrected without undue delay.
- Right to erasure (Article 17): Also known as the right to be forgotten, individuals can request deletion of their data when it is no longer necessary, consent is withdrawn, or processing is unlawful.
- Right to data portability (Article 20): Individuals can receive their data in a structured, machine-readable format.
- Right to object (Article 21): Individuals can object to processing based on legitimate interests or for direct marketing.
- Right not to be subject to automated decision-making (Article 22): Individuals can challenge decisions made solely by algorithms that significantly affect them.
Organizations must respond to data subject requests within one month. The AP has shown it will fine organizations that fail to properly handle these requests, as demonstrated by the Netflix enforcement action.
International Data Transfers
Transferring personal data outside the European Economic Area requires adequate safeguards under Chapter V of the GDPR.
Adequacy Decisions
Data may flow freely to countries the European Commission has recognized as providing adequate protection. As of 2026, these include Andorra, Argentina, Canada (commercial organizations under PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, Uruguay, and the United States (under the EU-US Data Privacy Framework).
Standard Contractual Clauses
For transfers to countries without an adequacy decision, organizations typically use Standard Contractual Clauses (SCCs) adopted by the European Commission. The current SCCs were issued on June 4, 2021, and include modular clauses covering controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller transfers.
New SCCs are expected to be adopted by the European Commission in 2025 or 2026.
Transfer Impact Assessments
Following the Schrems II ruling, organizations relying on SCCs must conduct Transfer Impact Assessments to evaluate whether the laws of the recipient country provide equivalent protection. The Uber fine demonstrates that the AP takes transfer violations extremely seriously.
Data Protection Officer Requirements
The GDPR requires certain organizations to appoint a Data Protection Officer (DPO). In the Netherlands, the AP has provided detailed guidance on when appointment is mandatory.
Mandatory DPO Appointment
A DPO must be appointed by:
- Government bodies and public organizations, including central government, municipalities, provinces, healthcare institutions, and educational institutions. Courts are exempt.
- Organizations whose core activities involve systematic, large-scale monitoring of individuals, such as profiling for risk assessments, operating camera surveillance systems, staff tracking systems, or monitoring health via wearables.
- Organizations whose core activities involve large-scale processing of special categories of data, including health data, biometric data, or criminal records.
DPO Independence
The DPO must be able to independently monitor GDPR compliance. They cannot hold another position that determines the purposes and means of data processing. Roles like head of finance, head of IT, head of marketing, head of HR, and CISO are incompatible with the DPO function.
Registration
Organizations that appoint a DPO must register the appointment with the AP.
AI Regulation and Algorithmic Oversight
The Netherlands is positioning itself as a leader in AI governance, driven in part by the lessons of the toeslagenaffaire.
Since 2023, the AP has acted as the coordinating regulator for algorithms and AI that pose risks to fundamental values and rights. The EU AI Act, which entered into force on August 1, 2024, is being implemented in phases:
- February 2025: Prohibited AI practices banned. AI literacy obligations took effect for all organizations using AI systems.
- August 2025: Requirements for general-purpose AI models (including large language models) apply.
- August 2026: Requirements for high-risk AI systems take full effect. The Netherlands plans to launch a regulatory sandbox for supervised testing of AI systems.
The Dutch government published an AI Act Guide in September 2025 to help organizations prepare for compliance. The Autoriteit Persoonsgegevens and the Rijksinspectie Digitale Infrastructuur (RDI) serve as coordinating supervisory authorities, with sector-specific regulators like the AFM and DNB covering financial services.
Other Relevant Legislation
Several additional Dutch laws intersect with data privacy:
Wet politiegegevens (Police Data Act). Regulates personal data processing by law enforcement for criminal investigations, implementing EU Directive 2016/680. The AP oversees compliance.
Wet justitiële en strafvorderlijke gegevens (Judicial Data and Criminal Records Act). Governs the processing of criminal records and judicial data.
European Data Act. From September 12, 2025, companies offering connected products and related services in the Netherlands must design them so users can easily access their data.
NIS2 Directive Implementation. The Netherlands is implementing the EU Network and Information Security Directive, which adds cybersecurity and incident reporting obligations for essential and important entities.
Penalties at a Glance
| Organization | Fine | Year | Violation |
|---|---|---|---|
| Uber | EUR 290 million | 2024 | International data transfers without safeguards |
| Clearview AI | EUR 30.5 million | 2024 | Illegal biometric data collection |
| Uber | EUR 10 million | 2023 | Data protection violations |
| Netflix | EUR 4.75 million | 2024 | Inadequate transparency |
| Dutch Tax Authority | EUR 3.7 million | 2022 | Illegal fraud detection blacklist |
| Dutch Tax Authority | EUR 2.75 million | 2021 | Discriminatory nationality processing |
| Experian | EUR 2.7 million | 2025 | Unlawful credit profiling |
| Uber | EUR 600,000 | 2018 | Data breach notification failure |
| Booking.com | EUR 475,000 | 2021 | Late breach notification |
| KNLTB | EUR 250,000 | 2025 | Unlawful data sharing |