GDPR enforcement becomes stricter in the Netherlands

21st of June 2019 | By: Joost Blom

As you will probably know, the GDPR has been in force in the Netherlands since 25 May 2018. We have already communicated about this topic in the past. So far, the authority tasked with the supervision of compliance with the GDPR in the Netherlands, the Dutch Data Protection Authority (DPA), has played a mainly informative role. However, the DPA announced some time ago that it would no longer only provide information, but also take enforcement action. In the meantime, the first fines have been imposed on companies. This is why, for the sake of completeness, you will find an overview below of everything you can be faced with in the Netherlands with regard to the GDPR.

The ground for processing

You are only allowed to process personal data if you have a good reason to do so. You are not allowed to process more data than necessary for the purpose for which you process it (proportionality principle), and it must not be possible to achieve the purpose without the processing operations (subsidiarity principle). But these are only the general rules. In addition, you will have to meet a number of important requirements, namely:

Rights of data subjects

In addition, it is important to consider the rights that people have if their personal data is stored and processed. This means that, with regard to both the technical systems and the internal guidelines, you must ensure that these rights can be respected. In particular, the rights concerned here are the following:


All in all, a lot of rules. Meeting these rules will require a considerable effort from companies. However, it is important to have everything with regard to the GDPR in good order. The fines that can be imposed by the DPA are hefty: up to 20 million euro or 4% of the worldwide turnover of a company!