Netherlands
Data protection
1. Local data protection laws and scope
- General Data Protection Regulation ("GDPR") (Algemene Verordening Gegevensbescherming).
- The Dutch GDPR Implementation Act ("DGIA") (Uitvoeringswet Algemene verordening gegevensbescherming).
- Police Data Act ("PDA") (Wet politiegegevens).
- Judicial and Criminal Records Act ("JCRA") (Wet justitiële en strafvorderlijke gegevens).
- The Intelligence and Security Services Act 2017 ("ISSA") (Wet op de inlichtingen- en veiligheidsdiensten 2017).
- Personal Records Database Act ("BRPA") (Wet basisregistratie personen).
- Dutch Telecommunications Act ("TA") (Telecommunicatiewet).
The DGIA implements the GDPR. The DGIA includes, for example, exceptions for the processing of special categories of personal data and data relating to criminal law matters and exceptions to the data subject’s rights and controller’s obligations.
The TA implements EU ePrivacy Directive 2002/58/EC and also includes provisions on unsolicited electronic communications and the use of cookies (and similar techniques). The TA also imposes several requirements on providers of public electronic communications networks and publicly available electronic communication services with regard to the processing of personal data.
The PDA regulates the processing of data by the national police, the special investigative services, the Royal Marechaussee and the National Criminal Investigation Department. The PDA also applies to tasks that the police performs for the Dutch justice department.
The JCRA regulates the processing of judicial data in personal files and issuance of certificates of behaviour (Verklaring omtrent gedrag). The law also regulates the processing of criminal records.
The ISSA regulates the processing of data by the Dutch intelligence and security services during fulfilment of their tasks.
The BRPA regulates the correct use of data recorded in the Netherlands Personal Records Database. This includes regulating the conduct of municipalities when adding, updating and issuing personal details in various official documents like national ID, passport, driving license and resident statements.
2. Data protection authority
The Dutch Data Protection Authority (the "DDPA") (Autoriteit Persoonsgegevens).
3. Anticipated changes to local laws
The Collective Act Data Protection (Verzamelwet Gegevensbescherming) amends the DGIA and other laws related to data protection (such as article 3:17 of the Financial Supervision Act) on various topics and is currently in the preparatory phase.
4. Sanctions & non-compliance
Administrative sanctions:
For companies and those who act on behalf of a company, there are no substantive derogations from the GDPR. Financial penalties are the primary sanction against companies violating the GDPR:
- Up to EUR 10 million or up to 2% of the undertaking’s total annual worldwide turnover in the preceding financial year; or
- Up to EUR 20 million or up to 4% of the undertaking’s total annual worldwide turnover in the preceding financial year.
The DDPA calculates the fines for companies violating the GDPR using the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR.
Criminal sanctions:
N/A
Others:
- Order for incremental penalty payments;
- Processing prohibition;
- Reprimand;
- Warning.
An overview of the fines and sanctions imposed by the DDPA is published by the DDPA.
DDPA Penalty Policy 2023 (Boetebeleidsregels Autoriteit Persoonsgegevens 2023) and EDPB's Fining Guidelines
The DDPA uses the updated penalty policy (Boetebeleidsregels Autoriteit Persoonsgegevens 2023) to calculate the amount of fines for violations of the GDPR by government organisations and natural persons who do not act on behalf of a company.
The DDPA penalty policy does not apply to companies.
5. Registration / notification / authorisation
Formally appointed data protection officers must be registered with the Dutch Data Protection Authority.
Registered data protection officers are entitled to contact the DDPA with questions related to their tasks or the GDPR.
6. Main obligations and processing requirements
There are no substantive derogations from the GDPR.
The citizen service number ("BSN") (Burgerservicenummer) may only be processed for purposes determined under Dutch law. A general administrative order may designate further cases in which the BSN may be used, and such an order may impose further rules on the use of the BSN.
7. Data subject rights
There are no derogations from the GDPR.
8. Processing by third parties
There are no derogations from the GDPR.
9. Transfers out of country
Under Dutch law, there are no specific data localisation requirements or restrictions on data transfers other than those introduced by the GDPR. Transfer of personal data to a third country or an international organisation is hence possible if the controller or processor has provided any of the appropriate safeguards listed in Article 46(2) GDPR, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
10. Data Protection Officer
The DGIA provides that the data protection officer must maintain the secrecy of any information that becomes known to him or her pursuant to a complaint by or request from a data subject, unless the data subject agrees to disclosure.
11. Security
There are no substantive derogations from the GDPR.
12. Breach notification
There are no substantive derogations from the GDPR.
If a personal data breach has occurred, the controller shall report it to the DDPA without undue delay and, where feasible, not later than 72 hours after becoming aware of it. The notification is not required if the data breach is unlikely to result in a risk to the rights and freedoms of individuals.
The data breach notification obligation vis-à-vis data subjects does not apply to financial companies as referred to in the Financial Supervision Act (Wet op het financieel toezicht).
13. Direct marketing
In summary, as referred to in article 11.7 TA:
- By fax, e-mail and SMS: prior consent required (opt-in).
- By telephone or other means: allowed unless the person has opted out. Also, be aware of the existence of the "do not call me register" (Bel-me-niet Register) and the "mail filter" (Postfilter).
There are a number of specific exceptions to the requirement of consent:
- If the user is a legal entity or a natural person acting in the exercise of its/his/her profession or business, no prior consent shall be required for the transmission by means of electronic mail of unsolicited communications for commercial, idealistic, or charitable purposes:
  - if the sender, when transmitting the communication, makes use of electronic contact details intended and provided by the user and said contact details have been used in accordance with the purposes attached to said contact details by the user; or
  - if the user is based outside the European Economic Area and the rules regarding the sending of unsolicited communications in the country concerned have been followed.
A party that has acquired electronic contact details for electronic messages in the context of the sale of its product or service may use said data to transmit communications for commercial, idealistic, or charitable purposes with regard to its own similar products or services (i) if, when the contact details were acquired, the customer was clearly and explicitly given the opportunity to object, free of charge and in a simple manner, to the use of said electronic contact details and, (ii) if the customer did not avail himself of said opportunity, he is offered the opportunity during every instance of communication, to object, on the same conditions, to the further use of his electronic contact data.
14. Cookies and adtech
As referred to in article 11.7a TA:
- Using cookies or similar techniques is only allowed if the user has been provided with clear and complete information in accordance with the GDPR and has given consent for the action concerned. However, this rule does not apply if:
  - the cookie is used for the sole purpose of carrying out communications over an electronic communications network;
  - the cookie is strictly necessary to provide an information society service requested by the user; or
  - the cookie is used to obtain information about the quality or effectiveness of a service provided, on the condition that this has only limited impact on the user's privacy.
15. Risk scale
Moderate
16. Useful links
- Dutch GDPR Implementation Act text
- GDPR text
- Dutch Data Protection Authority (Autoriteit Persoonsgegevens) website
- Dutch Telecommunications Act text
- ACM Consultation version of Digital Service Act Guidelines
- The Collective Act Data Protection
- Police Data Act (Wet politiegegevens) text
- Judicial and Criminal Records Act (Wet justitiële en strafvorderlijke gegevens) text
- The Intelligence and Security Services Act 2017 website
- Dutch Intelligence and Security Services Act 2017 text (Wet op de inlichtingen- en veiligheidsdiensten 2017)
- Personal Records Database Act (Wet basisregistratie personen) text
- Financial Supervision Act (Wet op het financieel toezicht) text
Cybersecurity
1. Local cybersecurity laws and scope
The Network and Information Systems Security Act ("NISSA", Wet beveiliging netwerk- en informatiesystemen), implementing NIS Directive (EU) 2016/1148 ("NIS1").
2. Anticipated changes to local laws
The national government is currently in the process of transposing the Network and Information Security 2 Directive ("NIS2") and the Critical Entities Resilience Directive ("CER"), which shall apply from 18 October 2024.
3. Application
The NISSA applies to:
- "digital service providers" (within the meaning of NIS1) who fall under the jurisdiction of the Netherlands, excluding small and micro enterprises; and
- designated "vital operators" in the Netherlands, divided into:
  - "operators of essential services" (within the meaning of NIS1); and
  - operators of other services of which the continuity is of vital importance for Dutch society.
The designation of vital operators can be found in the Network and Information Systems Security Decree ("NISSD", Besluit beveiliging netwerk- en informatiesystemen).
Digital service providers not established in the EU must appoint a representative acting on their behalf. The representative may be addressed with regard to obligations under the NISSA.
4. Authority
The competent authority for digital service providers is the Minister of Economic Affairs and Climate (Minister van Economische Zaken en Klimaat). The Dutch Authority for Digital Infrastructure (Rijksinspectie Digitale Infrastructuur, part of the Ministry of Economic Affairs and Climate) acts as supervisor.
With regard to energy and digital infrastructure, the competent authority is the Minister of Economic Affairs and Climate. The Dutch Authority for Digital Infrastructure (Rijksinspectie Digitale Infrastructuur, part of the Ministry of Economic Affairs and Climate) acts as supervisor.
With regard to (i) transport and (ii) the supply and distribution of drinking water, the competent authority is the Minister of Infrastructure and Water Management (Minister van Infrastructuur en Waterstaat). The Human Environment and Transport Inspectorate (Inspectie Leefomgeving en Transport) acts as supervisor.
For banking and financial infrastructure, the competent and supervising authority is the Dutch Central Bank (De Nederlandsche Bank).
For the health sector, the competent authority is the Minister for Healthcare. The Health and Youth Care Inspectorate (Inspectie Gezondheidszorg en Jeugd) acts as supervisor.
5. Key obligations
NISSA:
- Digital service providers and operators of essential services must implement appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems and the possible impacts of security incidents. They must also implement appropriate measures to prevent and mitigate the impact of such security incidents.
- Designated vital operators must notify the National Cyber Security Centre ("NCSC", part of the Ministry of Security and Justice), acting as Computer Security Incident Response Team ("CSIRT"), of:
  - any incident with a significant impact on the continuity of their services; and
  - any breach of the security of network and information systems which may have serious adverse effects on the continuity of their service.
- If an operator of an essential service uses a digital service provider, an incident at such digital service provider must be notified by such operator to the competent authority if the incident has a significant impact on the continuity of the service.
- Digital service providers must notify the Minister of Economic Affairs and Climate (as competent CSIRT) and the Dutch Authority for Digital Infrastructure (as the supervisory service for the competent authority) of any
6. Sanctions & non-compliance
- The competent authorities have several kinds of general investigative powers.
- Fines can be imposed with a maximum of EUR 1 million or EUR 5 million depending on the violation.
NISSA-based supervision and enforcement only applies to operators of essential services and digital service providers (operators of other services of which the continuity is of vital importance for Dutch society are, for example, not included).
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes. The NCSC is the CSIRT for vital operators. The NCSC is also the Point of Contact responsible for coordinating issues related to the security of network and information systems and cross-border cooperation at the EU level.
The Dutch Minister of Economic Affairs is the CSIRT for digital services.
8. National cybersecurity incident management structure
During a cyber crisis, the National Manual on Decision-making in Crisis Situation is applied (hyperlink included below). NCSC plays a key role in such cyber crises.
The National Digital Crisis Plan (hyperlink included below) is a cyber-specific elaboration of the National Manual on Decision-making in Crisis Situation.
9. Other cybersecurity initiatives
The Cybersecurity Assessment Netherlands 2023 (CSBN 2023) provides insight into the digital threat, the interests that could be affected, digital resilience and digital risks.
10. Useful links
- National Cyber Security Centre website – Ministry of Justice and Security
- Guide to Cyber Security Measures – National Cyber Security Centre – Ministry of Justice and Security
- The Cybersecurity Assessment Netherlands 2023 – National Cyber Security Centrum – Ministry of Justice and Security
- National Cybersecurity Certification Authority (NCCA) - Authority for Digital Infrastructure – Ministry of Economic Affairs and Climate Policy.