Netherlands Data Privacy Laws: GDPR, UAVG & AP Guide (2026)

Netherlands data privacy law rests on two instruments: the EU GDPR (Regulation (EU) 2016/679) and the national UAVG (Uitvoeringswet Algemene verordening gegevensbescherming, Stb. 2018, 144), both in force since 25 May 2018 and enforced by the Autoriteit Persoonsgegevens under Article 10 of the Dutch Constitution.
The Netherlands enforces one of the most active data protection regimes in the European Union. Dutch law applies the General Data Protection Regulation directly as EU law, supplements it through national legislation that goes beyond the GDPR in several areas, and backs both instruments with a supervisory authority that has demonstrated willingness to impose some of the largest fines in GDPR history.
This guide covers the full legal framework, the constitutional foundation, the authority responsible for enforcement, notable fines and enforcement trends, specific Dutch rules for BSN numbers, employee data, and cookies, plus the emerging EU AI Act overlay that is reshaping how the AP operates.
Information last verified on 2026-05-19. This article has not yet been reviewed by a licensed lawyer.
Jurisdiction scope: This article addresses Netherlands data protection law under the EU GDPR (Regulation (EU) 2016/679) and the Dutch UAVG (Uitvoeringswet Algemene verordening gegevensbescherming, Stb. 2018, 144), with notes on the EU AI Act and the Telecommunicatiewet. It does not address sector-specific Dutch health data law in depth. For the broader EU framework, see our EU data privacy laws guide.
Quick Answer: What Data Privacy Laws Apply in the Netherlands?
Two instruments form the core of Netherlands data privacy law. First, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) applies directly as EU law throughout the Netherlands without any national transposition step. Second, the Uitvoeringswet Algemene verordening gegevensbescherming (UAVG) fills the areas where the GDPR grants member states discretion to set their own rules. Both instruments took effect on 25 May 2018. The Autoriteit Persoonsgegevens (AP), headquartered in The Hague, enforces both. The AP also enforces the Telecommunicatiewet (cookie and tracking consent), the Wet politiegegevens (police data), and, since 2025, prohibited practices under the EU AI Act.
Constitutional Basis: Article 10 of the Dutch Constitution
The right to privacy is a fundamental right in the Netherlands, anchored in Article 10 of the Dutch Constitution (Grondwet). Article 10(1) guarantees every person the right to respect for their privacy, subject to restrictions set by or pursuant to statute. Article 10(2) requires Parliament to enact rules protecting individuals in connection with the recording and dissemination of personal data. Article 10(3) requires rules on data subjects' right to be informed of recorded data and to have it corrected.
These constitutional provisions mean that any limitation on the right to privacy in the Netherlands must be grounded in a formal statutory basis. They informed the design of the UAVG and explain why Dutch law insists on statutory authorisation for BSN processing even where consent might otherwise suffice.
The Netherlands also applies Article 8 of the European Convention on Human Rights (ECHR) and Article 8 of the EU Charter of Fundamental Rights, both of which protect personal data. The Court of Justice of the EU has interpreted Article 8 of the Charter as conferring a fundamental right to data protection independent of the broader right to privacy.
The GDPR and the UAVG: Framework and Interaction
The GDPR
The GDPR sets the baseline for all personal data processing in the Netherlands. Its core requirements include:
- Lawfulness, fairness, and transparency (Article 5(1)(a)): processing must have a valid legal basis and be transparent to data subjects.
- Purpose limitation (Article 5(1)(b)): data collected for one purpose may not be used for incompatible purposes.
- Data minimisation (Article 5(1)(c)): only data necessary for the stated purpose may be collected.
- Accuracy (Article 5(1)(d)): personal data must be kept up to date and corrected when inaccurate.
- Storage limitation (Article 5(1)(e)): data may not be retained longer than necessary.
- Integrity and confidentiality (Article 5(1)(f)): appropriate security measures are required.
- Accountability (Article 5(2)): controllers must demonstrate compliance with all of the above.
The GDPR defines six legal bases for processing personal data: consent (Article 6(1)(a)); performance of a contract (Article 6(1)(b)); compliance with a legal obligation (Article 6(1)(c)); protection of vital interests (Article 6(1)(d)); performance of a task in the public interest (Article 6(1)(e)); and legitimate interests of the controller or a third party (Article 6(1)(f)).
Where the UAVG Goes Further
The GDPR grants member states flexibility in a defined set of areas, and the Netherlands has used that flexibility to add stricter rules.
Age of consent for children. Article 8 of the GDPR permits member states to set the age of digital consent anywhere from 13 to 16. The Netherlands chose the maximum: 16 years. Children under 16 cannot consent to data processing for online services; a parent or guardian must provide that consent. A pending UAVG amendment would allow children aged 12 and above to make data subject requests independently.
BSN restrictions. The UAVG adds specific restrictions on processing the citizen service number (Burgerservicenummer, BSN) that do not exist in the GDPR. Processing the BSN requires explicit statutory authorisation; individual consent cannot substitute for a missing legal mandate.
Special categories of data. Articles 22 through 30 of the UAVG provide additional exceptions and safeguards for processing sensitive data, including health data, biometric data, and criminal records. These supplement the GDPR's Article 9 framework with Dutch legislative choices about proportionality.
Biometric data for employees. The UAVG permits employers to process biometric data only when necessary for authentication or security purposes. Explicit consent alone is insufficient in an employment context because the power imbalance between employer and employee makes truly free consent doubtful.
Healthcare. The Wet gebruik burgerservicenummer in de zorg authorises healthcare providers to use the BSN for patient identification and coordinates with GDPR obligations to create a layered health-data protection regime.
The Autoriteit Persoonsgegevens: Structure and Powers
The Autoriteit Persoonsgegevens (AP) is the Dutch national supervisory authority, established as an independent administrative body under Article 51 of the GDPR. It was formerly known as the College bescherming persoonsgegevens (CBP) and was renamed in 2016, when the GDPR had entered into force but had not yet become applicable.
The AP supervises: the GDPR, the UAVG, the Telecommunicatiewet (ePrivacy / cookies), the Wet politiegegevens (law enforcement data), the Wet justitiële en strafvorderlijke gegevens (criminal records), the EU AI Act's prohibited practices provisions, and a range of sector-specific statutes.
Enforcement Powers
The AP's fining powers follow the two-tier GDPR structure:
- Up to EUR 10 million or 2% of global annual turnover for violations of organisational obligations, including failure to appoint a DPO, failure to maintain records of processing activities, and failure to conduct a required Data Protection Impact Assessment (DPIA).
- Up to EUR 20 million or 4% of global annual turnover for violations of core data protection principles, including processing without a legal basis, violating data subject rights, or transferring data internationally without adequate safeguards.
Beyond fines, the AP can issue warnings, reprimands, binding orders to bring processing into compliance, and temporary or permanent bans on processing. It can also impose periodic penalty payments for continued non-compliance.
AP Enforcement Priorities: 2024-2026
The AP organises its supervision around five strategic focus areas that have remained consistent from 2024 through its 2026-2028 strategic plan:
- Algorithms and artificial intelligence -- automated decision-making, algorithmic discrimination, and AI Act compliance.
- Big Tech -- accountability of major technology platforms, including as lead supervisory authority for EU-headquartered multinationals.
- Freedom and security -- balancing surveillance by government and private actors against privacy rights.
- Data trading and digital government -- data brokers, online tracking, and government data practices.
- Digital government -- ongoing oversight of public sector algorithms.
The AP has explicitly reclassified online tracking as a form of mass surveillance in its 2026-2028 strategic plan. It built an automated scanning system that monitors approximately 10,000 Dutch websites annually for cookie compliance and intends to warn 500 organisations per year.
AP Annual Report 2025: Key Figures
The AP's 2025 annual report published in early 2026 reveals significant growth in enforcement demand:
- 44,374 data breach notifications received in 2025, up from 37,839 in 2024.
- 13,000+ complaints and signals from Dutch citizens, more than double the 7,100 received in 2024.
- 83 new appeal cases in 2025, a record, up from 72 in 2024 and 48 in 2023.
- Four fines imposed in 2025, compared to six in 2024, reflecting a strategic shift toward alternative interventions.
- Nine reprimands issued in 2025, up from seven in 2024.
The AP noted that waiting times for complaint handling are increasing and that structural capacity growth is needed to maintain effective digital legal protection for Dutch residents.

Legal Bases and Consent
Processing personal data in the Netherlands requires one of the six GDPR Article 6 legal bases. For processing special categories of data (health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life, or criminal convictions), an additional condition under Article 9 of the GDPR and Articles 22-30 of the UAVG is required.
Consent under Dutch law must be freely given, specific, informed, and unambiguous. Where consent is the legal basis, it must be as easy to withdraw consent as to give it (GDPR Article 7(3)). The AP has been consistent that pre-ticked boxes, consent obtained via cookie walls, and bundled consent for multiple purposes do not meet this standard.
Legitimate interests (Article 6(1)(f)) requires a three-part test: the controller must pursue a legitimate interest; the processing must be necessary for that interest; and the interest must not be overridden by the fundamental rights and freedoms of the data subject. The balancing test is fact-specific. Dutch courts and the AP have emphasised that the legitimate interests basis cannot be used to circumvent obligations that would apply under other bases.
Public task (Article 6(1)(e)) applies to government processing. Dutch public authorities frequently rely on this basis, but the toeslagenaffaire demonstrated that reliance on public task does not insulate processing from GDPR scrutiny if the underlying processing is discriminatory, disproportionate, or lacks adequate transparency.
Data Subject Rights
Individuals in the Netherlands hold the full GDPR data subject rights framework, enforced by the AP:
- Right of access (Article 15 GDPR): individuals may request a copy of all personal data an organisation holds about them and information about processing purposes, recipients, and retention periods.
- Right to rectification (Article 16 GDPR): inaccurate personal data must be corrected without undue delay.
- Right to erasure (Article 17 GDPR): data must be deleted when no longer necessary, when consent is withdrawn, or when processing was unlawful.
- Right to restriction (Article 18 GDPR): processing may be restricted pending a dispute about accuracy or lawfulness.
- Right to data portability (Article 20 GDPR): individuals may receive their data in a structured, machine-readable format where processing is based on consent or contract.
- Right to object (Article 21 GDPR): individuals may object to processing based on legitimate interests or public task, and have an unconditional right to object to direct marketing.
- Rights related to automated decision-making (Article 22 GDPR): individuals may not be subject to decisions based solely on automated processing that produce legal or similarly significant effects, unless one of the Article 22 exceptions applies.
Controllers must respond to data subject requests within one month. The pending UAVG amendment would allow children aged 12 to 15 to exercise data subject rights independently, without parental involvement.
Breach Notification
Timeline and Scope
Controllers must notify the AP of personal data breaches without undue delay and within 72 hours of becoming aware of the breach (Article 33 GDPR). If notification occurs after the 72-hour window, the controller must explain the reasons for the delay.
For complex incidents such as ransomware attacks, the AP accepts initial notifications before the full picture is clear, with follow-up notifications as new information emerges.
Notification to the AP is required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In practice, most breaches involving unencrypted personal data must be reported. If the breach poses a high risk to individuals, the controller must also directly notify those individuals without undue delay (Article 34 GDPR).
Dutch Notification Volume
The Netherlands consistently produces one of the highest breach notification volumes in the EU. The 44,374 notifications received by the AP in 2025 represent a significant increase over the 37,839 received in 2024 and the 33,000+ reported in prior years. This volume reflects both a strong incident-reporting culture and the AP's enforcement against late or incomplete notifications, most visibly the EUR 475,000 fine against Booking.com in 2021 for a 22-day delay.

DPO Requirements
When a DPO Is Mandatory
Certain organisations must appoint a Data Protection Officer under Article 37 of the GDPR. In the Netherlands, the AP has elaborated on these mandatory categories:
- Government bodies and public organisations: all central government departments, municipalities, provinces, healthcare institutions, and educational institutions. Courts are exempt under Article 37(3).
- Organisations whose core activities involve systematic, large-scale monitoring of individuals: this includes operating camera surveillance systems, GPS tracking systems, employee monitoring platforms, behavioural profiling for commercial purposes, and monitoring health data via wearables at scale.
- Organisations whose core activities involve large-scale processing of special categories of data: health data, biometric data, criminal records, genetic data, or data revealing racial or ethnic origin.
DPO Independence and Registration
The DPO must be able to perform their tasks independently. The AP specifies that the roles of chief financial officer, head of IT, head of HR, head of marketing, and chief information security officer are incompatible with the DPO function because they involve determining the purposes or means of processing.
Organisations that appoint a DPO must register the appointment with the AP. The DPO's contact details must be published and communicated to the AP under Article 37(7) GDPR.
International Data Transfers
Adequacy Decisions
Transfers of personal data from the Netherlands to third countries require a transfer mechanism under Chapter V of the GDPR. Transfers to countries with a European Commission adequacy decision require no additional safeguards. As of 2026, these include: Andorra, Argentina, Canada (commercial organisations under PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, Uruguay, and the United States under the EU-US Data Privacy Framework.
Standard Contractual Clauses
For transfers to non-adequate countries, organisations most commonly use Standard Contractual Clauses (SCCs) issued by the European Commission on 4 June 2021. The 2021 SCCs include four modular sets covering controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor transfers.
Transfer Impact Assessments
Following the Schrems II ruling (Data Protection Commissioner v Facebook Ireland Ltd, Case C-311/18, CJEU 2020), organisations relying on SCCs must conduct Transfer Impact Assessments (TIAs) to evaluate whether the laws of the recipient country provide protection essentially equivalent to EU standards. The EUR 290 million Uber fine demonstrates that the AP treats transfer violations as among the most serious GDPR breaches.
Major AP Enforcement Actions
Uber: EUR 290 Million (2024)
On 26 August 2024, the AP announced a EUR 290 million fine against Uber Technologies Inc. for transferring European drivers' personal data to the United States without adequate safeguards for more than two years after the Court of Justice invalidated the Privacy Shield in 2020. The data included account details, taxi licences, location data, photographs, payment information, identity documents, and in some cases criminal and medical records of drivers.
In August 2021, Uber stopped using Standard Contractual Clauses, leaving the transferred data without any GDPR-compliant transfer mechanism. The AP acted as lead supervisory authority because Uber's European headquarters is in Amsterdam. This was Uber's third fine from the Dutch DPA: EUR 600,000 in 2018 and EUR 10 million in 2023 preceded the 2024 penalty.
Clearview AI: EUR 30.5 Million (2024)
The AP fined Clearview AI EUR 30.5 million on 3 September 2024 for building an illegal facial recognition database. Clearview scraped more than 30 billion photographs from the internet and converted each face into a unique biometric code without consent or a legal basis. The AP found violations of the prohibition on processing biometric data without a proper Article 9 condition, failures of transparency toward data subjects, and a refusal to cooperate with data subject access requests. In addition to the fine, the AP imposed penalty payments of up to EUR 5.1 million for continued non-compliance and issued four enforcement orders requiring Clearview to cease its EU operations. The Library of Congress reported the decision as one of the largest fines ever imposed for biometric data violations in the EU.
Netflix: EUR 4.75 Million (2024)
The AP fined Netflix EUR 4.75 million for failing to provide customers with adequate information about its data processing practices between 2018 and 2020. Netflix did not clearly explain the legal basis for collecting personal data, which third parties received data, or how it protected personal data transferred outside Europe. The investigation originated from complaints by the Austrian privacy organisation noyb. Netflix, headquartered in Amsterdam for European purposes, appealed the decision.
A.S. Watson: EUR 600,000 (2025)
The AP fined A.S. Watson EUR 600,000 for placing tracking cookies without consent on webpages related to personal health products. This enforcement action is part of the AP's systematic cookie-compliance campaign, in which it monitors approximately 10,000 Dutch websites annually and issues escalating warnings before imposing fines.
Coolblue: EUR 40,000 (2025)
The AP fined Coolblue EUR 40,000 for placing tracking cookies and collecting personal data without valid consent. The fine reflects the AP's graduated enforcement model, calibrated to organisation size and severity.
Dutch Tax Authority: EUR 3.7 Million (2022) and EUR 2.75 Million (2021)
The AP imposed its then-record fine of EUR 3.7 million on the Belastingdienst for maintaining an illegal fraud detection blacklist, and a separate EUR 2.75 million fine for discriminatory processing of dual-nationality data in the childcare benefits system.
Experian: EUR 2.7 Million (2025)
The AP fined Experian for compiling creditworthiness reports using large volumes of personal data without informing individuals they were being assessed, finding both an absence of a valid legal basis and a failure to meet Article 14 transparency obligations.
Booking.com: EUR 475,000 (2021)
The AP fined Booking.com EUR 475,000 for reporting a data breach 22 days after the 72-hour deadline.
Penalties at a Glance
| Organisation | Fine | Year | Violation |
|---|---|---|---|
| Uber | EUR 290 million | 2024 | International transfers without safeguards |
| Clearview AI | EUR 30.5 million | 2024 | Illegal biometric database |
| Uber | EUR 10 million | 2023 | Data protection violations |
| Netflix | EUR 4.75 million | 2024 | Inadequate transparency |
| Dutch Tax Authority | EUR 3.7 million | 2022 | Illegal fraud detection blacklist |
| Dutch Tax Authority | EUR 2.75 million | 2021 | Discriminatory nationality processing |
| Experian | EUR 2.7 million | 2025 | Unlawful credit profiling |
| A.S. Watson | EUR 600,000 | 2025 | Tracking cookies on health pages without consent |
| Uber | EUR 600,000 | 2018 | Breach notification failure |
| Booking.com | EUR 475,000 | 2021 | Late breach notification (22 days) |
| KNLTB | EUR 250,000 | 2025 | Unlawful data sharing (settled) |
| Coolblue | EUR 40,000 | 2025 | Tracking cookies without consent |
The Toeslagenaffaire: Algorithmic Discrimination and Government Data Misuse
The Dutch childcare benefits scandal, the toeslagenaffaire, is one of the most severe examples of government data misuse in European history. The Dutch Tax Authority used a machine-learning algorithm to flag childcare benefit applicants as potential fraudsters. The model partially relied on nationality as a risk signal, causing individuals with dual nationality, particularly those with Turkish, Moroccan, or Eastern European backgrounds, to face heightened scrutiny disproportionate to any genuine fraud risk.
Tens of thousands of families were falsely accused of fraud and compelled to repay benefits in full. Repayment demands averaged EUR 20,000 to EUR 60,000 and required immediate full repayment without instalment arrangements. Many families were driven into severe financial hardship. Some parents lost custody of their children. Multiple suicides were linked to the scandal.
A parliamentary investigation in late 2020 found systematic discrimination and massive injustice across successive administrations. The entire cabinet under Prime Minister Mark Rutte resigned on 15 January 2021. By February 2026, the Dutch Tax Authority and Police were named the biggest privacy violators of 2025, with the AP finding that more than 50 algorithms used by the Belastingdienst remain in violation of the GDPR.
The toeslagenaffaire directly shaped the AP's decision to establish a dedicated algorithmic oversight structure and is one reason the Netherlands has been at the forefront of both AI Act implementation and algorithmic impact assessment requirements.

EU AI Act Overlay and AP Algorithmic Oversight
The Department for the Coordination of Algorithmic Oversight (DCA)
Since 2023, the AP has operated a dedicated Department for the Coordination of Algorithmic Oversight (Directie Coördinatie Algoritmetoezicht, DCA). The DCA maps cross-sector algorithmic and AI risks, coordinates with the Rijksinspectie Digitale Infrastructuur (RDI) and sectoral regulators including the AFM (financial markets) and DNB (central bank), and publishes a biannual Algorithm Risk Report for the Netherlands.
The AP's 2024 algorithm and AI report called for a national master plan to manage rising algorithmic risks as AI adoption accelerated. The report found that AI and algorithm risks had increased amidst growing use and called for stronger transparency obligations, mandatory auditing frameworks, and clearer governance standards.
In 2025, the DCA focused on: transparent algorithm governance, standardisation of AI risk assessments, compliance auditing, non-discrimination in automated decisions, and AI literacy across Dutch organisations.
EU AI Act Implementation Timeline
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. Implementation follows a phased schedule:
- 2 February 2025: Prohibited AI practices banned across the EU. This covers social scoring by public authorities, real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions), subliminal manipulation, and exploitation of vulnerabilities. AI literacy obligations also took effect for all organisations deploying AI systems.
- 2 August 2025: Requirements for general-purpose AI models (GPAIs), including large language models. Providers must maintain technical documentation, comply with EU copyright law, and publish training data summaries.
- 2 August 2026 (original) / 2 December 2027 (expected): Requirements for high-risk AI systems. The European Parliament adopted the Digital Omnibus on 26 March 2026, proposing to defer this deadline from 2 August 2026 to 2 December 2027 for stand-alone high-risk AI and 2 August 2028 for high-risk AI embedded in products. The Council and Parliament reached a provisional agreement in May 2026.
Dutch Supervisory Structure
The Netherlands has opted for a hybrid supervisory model involving approximately ten market supervisory authorities, with the AP coordinating via the DCA. A proposal for a Dutch AI Implementation Act was published for public consultation on 20 April 2026. The Netherlands did not meet the August 2025 EU deadline for formally designating national supervisory authorities.
Providers of high-risk AI systems must implement risk management systems, maintain technical documentation and event logs, and meet requirements for transparency, accuracy, and cybersecurity. Deployers of high-risk AI must conduct fundamental rights impact assessments (FRIAs) before deployment, requirements that overlap with the GDPR's DPIA obligation.
BSN (Burgerservicenummer) Protections
The Burgerservicenummer (BSN) is the citizen service number assigned to every person registered in the Netherlands. Because it can link records across government, healthcare, tax, and benefits databases, Dutch law treats it as requiring special statutory protection.
Statutory Authorisation Required
Under the Wet algemene bepalingen burgerservicenummer and the UAVG, the BSN may only be processed when a specific Dutch law authorises it. Individual consent is not sufficient to create a lawful basis even if freely given.
Authorised users include:
- Government agencies, when necessary for public duties, under Article 10 of the BSN General Provisions Act.
- Healthcare organisations, under the Wet gebruik burgerservicenummer in de zorg.
- Educational institutions, under applicable education legislation.
- Digital sales platforms (since January 2024), under EU regulations requiring collection of seller identification data including BSN for tax reporting, subject to heightened security and purpose limitation requirements.
Private companies outside these categories have no legal basis to request, record, or store the BSN. The AP has issued guidance specifying that even if an individual voluntarily offers their BSN, an organisation without the requisite statutory authorisation may not process it.
Employee Data and Workplace Privacy
Dutch law imposes specific constraints on employer data collection and monitoring.
Monitoring and Surveillance
Employers may monitor employees only when a legitimate business reason outweighs workers' privacy interests. Core requirements:
- Advance notice: employees must be informed before monitoring begins, including the purpose, scope, and methods used.
- Proportionality: less invasive alternatives must be preferred.
- DPIA: large-scale or systematic monitoring, including GPS tracking, email monitoring, and camera surveillance, typically requires a data protection impact assessment.
- Works council approval: if the organisation has an ondernemingsraad (works council), it must approve monitoring regulations. Without that approval, monitoring is impermissible regardless of other justifications.
Camera footage for employee performance evaluation is prohibited. Hidden cameras are generally unlawful unless serious theft or fraud is being investigated, and even then only under strict conditions. Footage must be deleted within approximately four weeks. GPS systems in company vehicles may be used for route planning or vehicle security but must be limited to working hours unless a 24-hour monitoring justification exists.
Health and Biometric Data
Employers may process employee health data only when necessary for workplace reintegration and coaching in relation to illness or disability. An employer may not ask why an employee is sick; that information flows through the bedrijfsarts (company doctor), who reports only the accommodation information the employer needs.
The UAVG permits employer processing of biometric data, such as fingerprint scanners for building access, only when necessary for authentication or security purposes. Where a less invasive alternative exists, such as a badge system, the employer must use it. A DPIA and, if applicable, works council consent are required.
Cookie Consent and the Telecommunicatiewet
The Telecommunicatiewet (Telecommunications Act) implements the EU ePrivacy Directive and governs cookie and tracking consent in the Netherlands.
Prior informed consent is required before placing any non-essential cookie or similar tracking technology. Functional cookies necessary for communication or a requested service are exempt. Analytics cookies with minimal privacy impact may qualify for an exemption when configured appropriately and when data is not shared with third parties.
The AP has consistently held that cookie walls, where access to a website is blocked unless the user accepts all cookies, do not constitute valid consent. Its 2025 enforcement campaign warned over 200 organisations about non-compliant cookie banners; by late 2025, three-quarters had adjusted their banners. The AP's automated scanning infrastructure monitors approximately 10,000 Dutch websites annually, with 500 warnings targeted per year and fines following for those who do not comply.
The AP issued specific guidance on Google Analytics, warning that default configurations may violate both the Telecommunicatiewet and the GDPR because of data transfers to the United States. Organisations must configure analytics tools to anonymise IP addresses, disable data-sharing features, and prevent personal data from leaving the EEA without appropriate safeguards.
Cookie and tracking violations under the Telecommunicatiewet can result in fines up to EUR 900,000 or 10% of annual turnover. The EUR 600,000 fine against A.S. Watson in 2025 for health-related tracking demonstrates active enforcement.
Recent Developments (2024-2026)
2024 enforcement wave: The AP fined Uber EUR 290 million, Clearview AI EUR 30.5 million, and Netflix EUR 4.75 million in a single year, establishing the Netherlands as one of the most active GDPR enforcement jurisdictions in the EU.
Cookie compliance campaign (2025): The AP warned more than 200 organisations about misleading cookie banners, fined A.S. Watson EUR 600,000 and Coolblue EUR 40,000, and continued building its automated monitoring infrastructure covering 10,000 Dutch websites annually.
AP 2025 annual report figures: 44,374 breach notifications (up 17% from 2024), 13,000+ public complaints (double the 2024 figure), and 83 appeal cases (a record). The AP imposed only four fines in 2025 but increased use of binding orders and reprimands, signalling a shift toward faster, broader interventions rather than time-intensive fine proceedings.
UAVG amendment proposal (2026): The Dutch government published a proposal to amend the UAVG on 16 key points, including: empowering children aged 12 to 15 to make data subject requests independently; narrowing the definition of criminal personal data following a court ruling; and creating a new exception for accountants processing special data during statutory audits. The proposal was in public consultation as of April 2026.
EU AI Act Digital Omnibus (March-May 2026): The European Parliament adopted the Digital Omnibus on 26 March 2026, proposing to delay the application of high-risk AI requirements from 2 August 2026 to 2 December 2027. The Council and Parliament reached a provisional agreement in May 2026. The Netherlands, which did not formally designate AI supervisory authorities by the August 2025 deadline, published a draft national AI Implementation Act for consultation on 20 April 2026.
Belastingdienst ongoing supervision (2026): More than 50 Belastingdienst algorithms remain under AP review for GDPR compliance. In February 2026, the Dutch Tax Authority and the Police were named the biggest privacy violators of 2025.
Business Compliance: Key Obligations
For organisations operating in or targeting the Netherlands, the core compliance obligations are:
- Record of Processing Activities (ROPA): document every processing activity with legal basis, purpose, data categories, recipients, and retention period (Article 30 GDPR).
- Privacy notice: provide clear, accessible transparency information under Articles 13-14 GDPR.
- Data subject rights procedure: a process to handle access, rectification, erasure, and portability requests within one month.
- 72-hour breach notification: an incident response process that delivers an initial AP notification within 72 hours.
- DPO appointment: assess mandatory DPO obligation; register any appointment with the AP.
- DPIA for high-risk processing: conduct a data protection impact assessment before processing likely to result in a high risk to individuals. The AP publishes a list of processing types that always require a DPIA.
- Transfer mechanism for non-EEA transfers: verify that every international transfer has a compliant mechanism (adequacy decision, SCCs, binding corporate rules) and maintain TIA documentation.
- Cookie compliance: implement a compliant consent management platform; avoid cookie walls; configure analytics tools per AP guidance.
- BSN restriction: do not request, record, or store the BSN unless a specific Dutch statute authorises it for your activity.
- AI and algorithm governance: document algorithmic decision-making, conduct DPIAs for automated decisions with significant effects, and comply with Article 22 GDPR rights.
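The cookie-consent and Google Analytics points above (no cookie walls, prior opt-in for non-essential cookies, analytics configured with anonymised IPs and data sharing disabled) can be enforced in one small gate on the client side. The following is an added example, not code from the article or from the AP: the consent-record fields (choice, categories, rejectOffered) and the measurement ID are this example's own assumptions, while the gtag.js keys used (Consent Mode `analytics_storage`/`ad_storage`, `anonymize_ip`, `allow_google_signals`, `allow_ad_personalization_signals`, `cookie_flags`) are real parameters.

```javascript
// Added example (not the article's or the AP's code): a consent gate for
// analytics on a Dutch site. Consent-record field names and the measurement
// ID are assumptions of this example; the gtag.js keys are real parameters.
const MEASUREMENT_ID = 'G-PLACEHOLDER'; // placeholder, not a real property

// Telecommunicatiewet/AP rule: non-essential cookies need prior, informed,
// freely given consent. A record obtained behind a cookie wall (no equal
// "reject" path offered) is treated as no consent at all.
function isValidAnalyticsConsent(record) {
  if (!record || typeof record !== 'object') return false;
  if (record.rejectOffered !== true) return false;   // cookie wall: invalid
  if (record.choice !== 'accepted') return false;    // explicit opt-in only
  if (!Array.isArray(record.categories)) return false;
  return record.categories.includes('analytics');
}

// Hardened gtag config mirroring the AP's Google Analytics guidance:
// anonymised IPs (honoured by Universal Analytics; GA4 does not store IPs),
// no Google Signals, no ad-personalisation data sharing, secure cookies.
// This does not remove the transfer to Google itself: the transfer
// mechanism (SCCs plus a TIA) still has to be documented separately.
function analyticsConfig(record) {
  if (!isValidAnalyticsConsent(record)) return null;
  return {
    anonymize_ip: true,
    allow_google_signals: false,
    allow_ad_personalization_signals: false,
    cookie_flags: 'SameSite=Lax;Secure',
  };
}

// Wiring: Consent Mode defaults to "denied" before the banner is answered,
// and the config call is only ever issued on a valid opt-in. `gtag` is
// injected so the function can be exercised with a fake in tests.
function bootstrapAnalytics(record, gtag) {
  gtag('consent', 'default', { analytics_storage: 'denied', ad_storage: 'denied' });
  const cfg = analyticsConfig(record);
  if (cfg === null) return false;                    // stay on functional cookies only
  gtag('consent', 'update', { analytics_storage: 'granted' });
  gtag('config', MEASUREMENT_ID, cfg);
  return true;
}
```

In a real deployment the consent record would come from the consent management platform and `gtag` would be the global loaded by the Google tag snippet; the gate returns `false` (and leaves Consent Mode at "denied") for every record that does not meet the criteria.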
For deeper analysis of the EU framework, see our EU data privacy laws overview. For recording consent rules in the Netherlands, see Netherlands recording laws.
Not legal advice. This article presents general legal information about Netherlands data protection law under the GDPR and UAVG as verified on 2026-05-19. The law changes regularly and the AP issues new guidance and enforcement decisions continuously. Consult a lawyer or privacy specialist licensed in the Netherlands for advice about your specific situation.
Frequently Asked Questions
Does the GDPR apply directly in the Netherlands, or does Dutch law replace it?
The GDPR applies directly in the Netherlands as EU law and does not require national transposition. The Dutch UAVG supplements the GDPR by exercising the discretions the regulation grants to member states, such as setting the age of digital consent at 16 (higher than the GDPR minimum of 13), imposing statutory-authorisation requirements for BSN processing, and adding safeguards for employee biometric data. Both instruments are enforced simultaneously by the Autoriteit Persoonsgegevens.
What is the AP, and what powers does it have?
The Autoriteit Persoonsgegevens (AP) is the Dutch national data protection supervisory authority, established as an independent body under Article 51 of the GDPR. It investigates complaints, audits organisations on its own initiative, issues warnings, reprimands, and binding compliance orders, and imposes fines of up to EUR 20 million or 4% of global annual turnover. The AP also coordinates algorithmic and AI oversight through its DCA directorate and since February 2025 has enforced the EU AI Act's prohibited practices provisions.
Can a Dutch employer require employees to use fingerprint scanners?
Only under narrow conditions. The UAVG permits employer processing of biometric data only when necessary for authentication or security purposes. If a less invasive alternative exists, such as a badge-based access system, the employer must use that alternative instead. A Dutch court fined a company for requiring fingerprint scanning when badges were available. The employer must also conduct a DPIA and, where applicable, obtain works council consent before implementing biometric systems.
What is the BSN, and who can process it in the Netherlands?
The Burgerservicenummer (BSN) is the Dutch citizen service number used across government, healthcare, tax, and benefits systems. Because it can link records across multiple databases, Dutch law restricts its processing to organisations authorised by a specific statute. Government agencies, healthcare providers, educational institutions, and (since January 2024) digital sales platforms for tax reporting are authorised. Private companies outside these categories may not request or store the BSN even if an individual voluntarily offers it; individual consent cannot substitute for the missing statutory authorisation.
What are the Netherlands data breach notification rules?
Controllers must notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of a personal data breach, unless the breach poses no risk to individuals' rights and freedoms (Article 33 GDPR). If notification occurs after 72 hours, the controller must justify the delay. Where the breach poses a high risk to individuals, those individuals must also be notified directly without undue delay. The AP received 44,374 breach notifications in 2025, one of the highest volumes in the EU. Booking.com was fined EUR 475,000 for reporting a breach 22 days late.
How does the Netherlands regulate cookie consent?
The Telecommunicatiewet (implementing the EU ePrivacy Directive) requires prior informed consent before placing non-essential cookies. Functional cookies and appropriately configured privacy-friendly analytics are exempt. Cookie walls that condition website access on accepting all cookies do not constitute valid consent under AP guidance. The AP monitors approximately 10,000 Dutch websites annually for compliance and warned more than 200 organisations in 2025. Violations can result in fines up to EUR 900,000 or 10% of annual turnover.
What is the EU AI Act's effect on Dutch organisations?
The EU AI Act applies in the Netherlands as directly applicable EU law. Prohibited AI practices have been banned since 2 February 2025. Requirements for general-purpose AI models apply from 2 August 2025. Requirements for high-risk AI systems were originally due from 2 August 2026 but the Digital Omnibus, provisionally agreed in May 2026, proposes deferral to 2 December 2027. The AP hosts the DCA, which coordinates algorithmic and AI oversight across Dutch regulators.
What is the toeslagenaffaire and what did it mean for Dutch data protection?
The toeslagenaffaire is the Dutch childcare benefits scandal in which the Tax Authority used a machine-learning algorithm that flagged individuals with dual nationality as higher fraud risks, causing tens of thousands of families to be wrongly ordered to repay benefits. A parliamentary investigation led the Rutte cabinet to resign in January 2021. The AP fined the Belastingdienst EUR 3.7 million for maintaining an illegal blacklist and EUR 2.75 million for discriminatory nationality-based processing. As of 2026, more than 50 Belastingdienst algorithms remain under AP review.
Sources and References
- EUR-Lex -- General Data Protection Regulation (GDPR) (eur-lex.europa.eu)
- Overheid.nl -- UAVG Full Text (wetten.overheid.nl)
- Autoriteit Persoonsgegevens -- Privacy Legislation Overview (autoriteitpersoonsgegevens.nl)
- Autoriteit Persoonsgegevens -- Fines and Other Sanctions (autoriteitpersoonsgegevens.nl)
- Autoriteit Persoonsgegevens -- Annual Report 2025 (autoriteitpersoonsgegevens.nl)
- Autoriteit Persoonsgegevens -- Clearview AI Fine (EUR 30.5 million, 2024) (autoriteitpersoonsgegevens.nl)
- Autoriteit Persoonsgegevens -- Uber Fine EUR 290 Million (2024) (autoriteitpersoonsgegevens.nl)
- EDPB -- Dutch SA Imposes EUR 290 Million Fine on Uber (edpb.europa.eu)
- Autoriteit Persoonsgegevens -- Netflix Fine EUR 4.75 Million (2024) (autoriteitpersoonsgegevens.nl)
- EDPB -- Dutch SA Fines Booking.com for Late Breach Reporting (edpb.europa.eu)
- Autoriteit Persoonsgegevens -- Tax Administration Unlawful and Discriminatory (autoriteitpersoonsgegevens.nl)
- Autoriteit Persoonsgegevens -- Data Breach Reporting (autoriteitpersoonsgegevens.nl)
- Autoriteit Persoonsgegevens -- DPO Requirements (autoriteitpersoonsgegevens.nl)
- Autoriteit Persoonsgegevens -- BSN Requirements (autoriteitpersoonsgegevens.nl)
- Government of the Netherlands -- Citizen Service Number (BSN) (government.nl)
- Autoriteit Persoonsgegevens -- Employee Monitoring (autoriteitpersoonsgegevens.nl)
- Autoriteit Persoonsgegevens -- EU AI Act (autoriteitpersoonsgegevens.nl)
- Autoriteit Persoonsgegevens -- DCA Department for Algorithmic Oversight (autoriteitpersoonsgegevens.nl)
- Autoriteit Persoonsgegevens -- First Algorithmic Risks Report Netherlands (autoriteitpersoonsgegevens.nl)
- Autoriteit Persoonsgegevens -- International Transfers: Standard Contractual Clauses (autoriteitpersoonsgegevens.nl)
- Library of Congress -- Netherlands: Clearview AI Fined (2024) (loc.gov)
- Library of Congress -- Netherlands: Uber Fined (2024) (loc.gov)
- EDPB -- Dutch SA Imposes Fine on Clearview (2024) (edpb.europa.eu)
- Government of the Netherlands -- Childcare Benefit Scandal (government.nl)
- NL Times -- Dutch Tax Authority Biggest Privacy Violators 2025 (February 2026) (nltimes.nl)
- EU Council -- AI Act Digital Omnibus Agreement (May 2026) (consilium.europa.eu)