Is a Privacy Policy Required on Your Dutch Website? The 14 Mandatory Elements

Steven | TrustYourWebsite · 6 April 2026

The short answer: yes — if your website collects any personal data. And almost every website does.

A contact form collects names and email addresses. Google Analytics collects IP addresses and browsing behaviour. A newsletter signup collects email addresses. Even a comment section collects a name and IP address. All of these are personal data processing activities, and all of them trigger the obligation to inform users under Articles 13 and 14 of the GDPR.

A privacy policy is not legally mandated by name. The GDPR requires you to provide certain information to data subjects at the time their data is collected. In practice, a privacy policy document linked from your website's footer is the standard way to satisfy this requirement.

The 14 Mandatory Elements (Articles 13 and 14 GDPR)

Article 13 covers data collected directly from the individual (contact forms, newsletter signups, account registration). Article 14 covers data not collected directly (purchased lists, third-party sources). For most websites, Article 13 is the relevant one.

Your privacy policy must contain:

  1. Identity and contact details of the controller — your business name, registered address, and contact information. For Dutch businesses, include your KVK number.

  2. Contact details of the Data Protection Officer (DPO) — only required if you have one. Most small businesses do not.

  3. Purposes of processing — why you collect each type of data. "To respond to your enquiry," "to send our monthly newsletter," "to analyse website traffic."

  4. Legal basis for processing — for each purpose, specify which legal basis applies: consent (Article 6(1)(a)), contract (Article 6(1)(b)), legal obligation (Article 6(1)(c)), vital interests (Article 6(1)(d)), public task (Article 6(1)(e)), or legitimate interests (Article 6(1)(f)).

  5. Legitimate interests — if you rely on legitimate interests as a legal basis, you must specify what those interests are. You cannot simply state "legitimate interests" without explaining what they are.

  6. Third parties receiving data — list the categories of recipients (analytics providers, email platforms, payment processors, hosting providers) or specific organisations. If you transfer data outside the EU/EEA, state this explicitly.

  7. International transfers — if data is transferred to third countries, state which countries and what safeguards apply (Standard Contractual Clauses, adequacy decision, or other mechanism).

  8. Retention periods — how long you keep each category of data. If a specific period cannot be given, state the criteria used to determine it (e.g., "until you withdraw consent" or "for as long as required by Dutch tax law").

  9. Right of access — users have the right to request a copy of their data (Article 15).

  10. Right to rectification — users have the right to correct inaccurate data (Article 16).

  11. Right to erasure — users have the right to request deletion of their data in certain circumstances (Article 17).

  12. Right to restriction — users have the right to request that processing is restricted while accuracy is contested or a legal basis is disputed (Article 18).

  13. Right to data portability — users have the right to receive their data in a portable format (Article 20). This applies to data processed on the basis of consent or contract.

  14. Right to object — users have the right to object to processing based on legitimate interests or for direct marketing (Article 21).

Additionally, your policy must include:

  • Right to lodge a complaint with the AP (Autoriteit Persoonsgegevens), including their contact details
  • Whether providing personal data is a contractual or statutory requirement, and the consequences of not providing it (relevant where you require data to provide a service)
  • Automated decision-making and profiling (Article 22) — if relevant, you must explain the logic involved and the significance and consequences

Dutch-Specific Requirements

Language

The GDPR requires that information be provided in a "concise, transparent, intelligible and easily accessible form, using clear and plain language." TikTok was fined €750,000 by the AP in 2023 for providing its privacy notice in English only to Dutch child users.

For a general Dutch audience, providing your privacy policy in Dutch is strongly advisable. If your website targets international visitors, providing an English version alongside Dutch is good practice.

The Mousse Case: What "Findable" Means

In a 2019 decision (Mousse), the CJEU ruled that a privacy policy must be actively communicated to the data subject — it is not sufficient to publish it somewhere on the website and assume users will find it. At the moment personal data is collected (when a form is submitted, when a user signs up), the privacy policy must be visible or linked from the form.

In practice this means:

  • A link to your privacy policy in the footer of every page
  • A link to your privacy policy in every form where personal data is collected
  • If you use a cookie banner, the privacy policy must be linked from the banner

What the AP Audits

The AP focuses on several specific failures when reviewing Dutch websites:

  • Privacy policy not linked from the footer or not accessible from every page
  • Privacy policy exists but is generic (not matching actual processing)
  • Privacy policy does not mention third-party analytics tools actually in use
  • No legal basis stated for cookie-based tracking
  • Retention periods missing or stated as "as long as necessary" without specifics
  • Data subject rights listed but no contact method provided to exercise them
  • Right to complain to the AP not mentioned

Common Mistakes

Copy-pasting a template without adapting it. If your privacy policy mentions Google Analytics but you don't use it, or fails to mention the Facebook Pixel that you do use, it is inaccurate and non-compliant.

Not updating when you add new tools. When you install a new plugin, use a new email platform, or add a booking system, the privacy policy must be updated to reflect the new processing.

Listing "legitimate interests" without explaining what they are. The AP has repeatedly found that citing legitimate interests without substantiation is insufficient. Explain concretely why your interest outweighs the data subject's privacy interest.

Vague retention periods. "We keep your data until you ask us to delete it" is not a retention period. State specific timeframes.

No Dutch version. If your primary audience is Dutch-speaking, an English-only privacy policy may not meet the intelligibility requirement.

The Relationship to Other Required Disclosures

A privacy policy is one of several transparency requirements for Dutch websites. Others include:

  • Cookie notice / banner — required separately when placing non-functional cookies (governed by the Telecommunications Act)
  • Legal notice (colofon) — business identification details required by the Services Directive (Dienstenwet)
  • VAT number display — required for VAT-registered businesses
  • KVK number — required by the Commercial Register Act (Handelsregisterwet)

For a complete guide to what your website must display legally, read our GDPR compliance checklist.

What to Do Now

  1. Check whether you have a privacy policy. Open your website and look in the footer. If there is no link, you need one.
  2. Check whether it covers your actual processing activities. Does it mention every tool that processes visitor data? Does it match what your website actually does?
  3. Check retention periods. Are specific timeframes given for each category?
  4. Check that it's accessible from every form where personal data is collected.
  5. Check the language. Is it in plain, understandable Dutch (or the language of your target audience)?

For a step-by-step guide on what to put in each section, see our privacy policy requirements guide. For a template with example text, see our privacy policy generator guide.


This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.
