Home / Publications / Data Law Navigator | The Netherlands

Data Law Navigator | The Netherlands

Information on Data Protection and Cyber Security laws from CMS experts

< back to Overview

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Jump directly to Cyber Security

Data Protection

Last updated 23 July 2019

Risk scale

Risk Scale Orange


  • General Data Protection Regulation (GDPR)
  • Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming)
  • Dutch Telecommunications Act (Telecommunicatiewet)


Dutch Data Protection Authority (DDPA) (Autoriteit Persoonsgegevens): www.autoriteitpersoonsgegevens.nl

If applicable: stage of legislative implementation of GDPR

The Dutch Parliament has passed Dutch GDPR Implementation Act (DGIA) that became effective on 25 May 2018. 

If applicable: local derogations as permitted by GDPR 

The DGIA takes a policy-neutral approach to implementation of the GDPR. This means that only existing exceptions will be maintained. This applies, for example, to the regulation on the processing of a national personal identification number and the processing of special categories of personal data.


The DGIA applies to the processing of personal data (wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system):

  • in the context of activities of an establishment of a controller or processor in the Netherlands; and
  • of data subjects in the Netherlands by a controller or processor not established in the European Union, where the processing activities are related to (i) offering goods or services to such data subjects in the Netherlands, irrespective of whether payment is required from them; or (ii) the monitoring of their behaviour in so far as this behaviour takes place within the Netherlands.

The DGIA does not apply to the processing of data:

  • in the course of a purely personal or household activity;
  • by or on behalf of the intelligence and security services;
  • which is governed by or pursuant to the Persons Database Act;
  • for the implementation of the Judicial Information and Criminal Records Act;
  • for the implementation of the Election Act;
  • by the armed forces if the Minister of Defence decides that the data processing is for the purposes of deploying or making available the armed forces to maintain or promote the international legal order;
  • carried out solely for journalistic, artistic or literary purposes.


Sanctions under the GDPR:

  • Financial penalties are the primary sanction against the controller and the processor, thus, against the company.


  • Up to € 10 million or up to 2% of total global sales for companies (in case of invalid consent of children, violation of privacy by design, etc.);
  • Up to € 20 million or up to 4% of total global sales for companies (in case of violation of principles (including consent), inadmissible transfer to third countries, etc.).

Registration / notification 

In accordance with Article 36 GDPR: the controller shall consult the supervisory authority prior to processing where a data protection impact assessment (under Article 35 GDPR) indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

Main obligations and processing requirements

The main obligations and processing requirements are identical the provisions as set out in the GDPR.

Data subject rights

In accordance with Chapter III GDPR.

Processing by third parties

In accordance with Article 28 GDPR.

Transfers out of Country

In accordance with Chapter V GDPR.

Data Protection Officer

In accordance with Articles 37-39 GDPR.

The DGIA provides that the data protection officer must maintain the secrecy of any information that becomes known to him or her pursuant to a complaint by or request from a data subject, unless the data subject agrees to disclosure.


In accordance with Article 32 GDPR.

Breach notification

In accordance with Articles 33-34 GDPR.

The data breach notification obligation towards data subjects does not apply to financial companies as referred to in the Financial Supervision Act (Wet op het Financieel Toezicht).

Direct Marketing

In summary, as referred in article 11.7 of the Telecommunications Act:

  • By fax, e-mail and SMS: prior consent required (opt-in);
  • By means of telephone or other means: allowed unless someone opted-out. Also, be aware of the existence of the "do not call me register" (Bel-me-niet Register) and the "mail filter" (Postfilter).
  • There are a number of specific exceptions to the requirement of consent:
    • If the user is a legal entity or a natural person acting in the exercise of its/his profession or business, no prior consent shall be required for the transmission by 
      • means of electronic mail of unsolicited communications for commercial, idealistic, or charitable purposes:
        • a. If the sender when transmitting the communication makes use of electronic contact details intended and provided by the user and said contact details have been used in accordance with the purposes attached to said contact details by the user; or
        • b. If the user is based outside the European Economic Area and the rules regarding the sending of unsolicited communications in the country concerned have been complied with.
    • A party that has acquired electronic contact details for electronic messages in the context of the sale of its product or service may use said data to transmit communications for commercial, idealistic, or charitable purposes with regard to its own similar products or services if, when the contact details were acquired, the customer was clearly and explicitly given the opportunity to object, free of charge and in a simple manner, to the use of said electronic contact details and, if the customer did not avail himself of said opportunity, he is offered the opportunity during every instance of communication, to object, on the same conditions, to the further use of his electronic contact data.


As referred in article 11.7a of the Telecommunications Act:

  • Using cookies or similar techniques is only allowed if the user has been provided with clear and complete information in accordance with the Personal Data Protection Act and has given consent for the action concerned. However, this rule does not apply if:
    • the cookie is used for the sole purpose of carrying out communications over an electronic communications network;
    • the cookie is strictly necessary to provide an information society service requested by the user; or
    • the cookie is used to obtain information about the quality or effectiveness of a service provided, on the condition that this has only limited impact on the user's privacy.

Useful links


Cyber Security

Last updated 23 July 2019

Risk Scale

Risk Scale Orange

*This assessment is based on the assumption that the CA will enter into force with similar provisions as the current CA consultation draft.

Laws and regulations

The Network and Information Systems Security Act ("NISSA", Wet beveiliging netwerk- en informatiesystemen) has become effective as per 9 November 2018.

The NISSA implements NIS Directive (EU) 2016/1148.


The NISSA applies to:

  • "digital service providers" (within the meaning of the NIS Directive) with a main establishment in the Netherlands, excluding small and micro enterprises; and
  • designated "vital operators" in the Netherlands, divided in:
  • "operators of essential services" (within the meaning of the NIS Directive); and
  • operators of other services of which the continuity is of vital importance for the Dutch society.

The designation of vital operators can be found in the Network and Information Systems Security Decree ("NISSD", Besluit beveiliging netwerk- en informatiesystemen).

Digital service providers not established in the EU must appoint a representative that acts on its behalf. The representative may be addressed with regard to the NISSA based obligations.


The competent authority for digital service providers is the Minister of Economic Affairs and Climate (Minister van Economische Zaken en Klimaat). The Radiocommunications Agency Netherlands (Agentschap Telecom, part of the Ministry of Economic Affairs and Climate) acts as supervisor.

With regard to energy and digital infrastructure, the competent authority is the Minister of Economic Affairs and Climate. The Radiocommunications Agency Netherlands acts as supervisor.

With regard to (i) transport and (ii) the supply and distribution of drinking water, the competent authority is the Minister of Infrastructure and Water Management (Minister van Infrastructuur en Waterstaat). The Human Environment and Transport Inspectorate (Inspectie Leefomgeving en Transport) acts as supervisor.

For banking and the financial infrastructure, the competent and supervising authority is the Dutch Central Bank (De Nederlandsche Bank).

For the health sector, the competent authority is the Minister for Healthcare. The Health and Youth Care Inspectorate (Inspectie Gezondheidszorg en Jeugd) acts as supervisor.

Key obligations 


  • Digital service providers and operators of essential services must implement appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and information systems and the possible impacts of security incidents. They must also take implement appropriate measures to prevent and mitigate the impact of such security incidents.
  • All designated vital operators must notify the National Cyber Security Centre ("NCSC", part of the Ministry of Security and Justice), acting as Computer Security Incident Response Team "CSIRT") of:

(i) any incident with a significant impact on the continuity of the essential services;

(ii) any security incident in their network and information systems which may have serious adverse effects on the continuity of their service.

  • If an operator of an essential service uses a digital service provider, an incident at such digital service provider must be notified by such operator to the competent authority for the sector of such operator if the incident has a significant impact on the continuity of the service.
  • Digital service providers must notify the Minister of Economic Affairs and Climate (as competent CSIRT) and Radiocommunications Agency Netherlands (as competent authority) of any incident which may have serious adverse effects on the provision of their services.


  • The competent authorities have several kinds of general investigative powers.
  • Fines can be imposed with a maximum of EUR 1m or EUR 5m depending on the violation.

NISSA based supervision and enforcement only applies to operators of essential services and digital service providers (e.g. not included are operators of other services of which the continuity is of vital importance for the Dutch society).

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes. NCSC is the CSIRT for vital operators. NCSC is also the Point of Contact responsible for coordinating issues related to the security of network and information systems and cross-border cooperation at EU level.The Dutch Ministry of Economic Affairs is the CSIRT for digital services.

Is there a national incident management structure for responding to cyber security incidents?

Yes. During a cyber crisis, the National Manual on Decision-making in Crisis Situation is applied (hyperlink included below). NCSC plays a key role in such cyber crises. 

Useful links

NCSC: https://www.ncsc.nl/english

NISSA text: https://wetten.overheid.nl/BWBR0041515/2019-01-01

NISSD text: https://wetten.overheid.nl/BWBR0041520/2019-01-01

Website for digital service providers to notify competent authority

Website for digital service providers to notify CSIRT

The Netherlands National Handbook on Decision-Making in Crisis Situations

< back to Overview


Edmon Oude Elferink
Brussels - EU Law Office