Privacy Policy Requirements for Dutch Websites: A 10-Step Guide
Steven | TrustYourWebsite · 6 April 2026
A privacy policy is not a legal formality — it is how you explain to your website visitors what you do with their information. Done right, it builds trust. Done wrong, it exposes you to investigations by the AP (Autoriteit Persoonsgegevens, the Dutch Data Protection Authority).
This guide walks through 10 steps to build a compliant privacy policy for a Dutch website.
Step 1: Identify Who You Are
Your privacy policy must open with who is responsible for the data processing — the "data controller."
Include:
- Your legal business name (exactly as registered with the KVK)
- Your legal form (B.V., eenmanszaak, V.O.F., etc.)
- Your registered address
- Your email address for data protection matters
- Your KVK number
Example:
"Bakkerij De Leeuw V.O.F., registered in the Dutch Chamber of Commerce (KVK 12345678), located at Bakkerstraat 12, 1234 AB Amsterdam, is responsible for the processing of personal data as described in this privacy policy. Contact us at privacy@bakkerij-deleeuw.nl."
If you have a Data Protection Officer (DPO) — required only in limited circumstances — include their contact details separately.
Step 2: List What You Collect and Why
For each processing activity, explain:
- What data is collected
- Why it is collected (purpose)
- The legal basis under Article 6 of the GDPR
The six legal bases (GDPR Article 6):
- Consent — you asked and they agreed (use for newsletters, marketing cookies, non-essential tracking)
- Contract — processing is necessary to fulfil a contract with the person (use for order processing, service delivery)
- Legal obligation — you are required by law to process the data (use for tax records, employment administration)
- Vital interests — processing is necessary to protect someone's life (rare for websites)
- Public task — processing is necessary for a task in the public interest (rare for private businesses)
- Legitimate interests — your legitimate interest, provided it is not overridden by the individual's rights (use carefully and document your balancing test)
Common website processing activities:
| Activity | Data | Purpose | Legal basis |
|---|---|---|---|
| Contact form | Name, email, message | Respond to enquiry | Legitimate interest / pre-contract |
| Newsletter | Email, name | Send newsletter | Consent |
| Analytics | IP address, session data | Understand traffic | Consent (for GA4) or N/A (for Plausible) |
| E-commerce | Name, address, payment reference | Fulfil order | Contract |
| Accounting | Invoice data | Tax compliance | Legal obligation |
| Job applications | CV, name, contact | Assess application | Pre-contractual |
Be specific — "we collect personal data to improve our services" is not a purpose.
Step 3: Disclose Third Parties
You must name (or at minimum categorise) every organisation that receives personal data. For most websites, this means listing:
- Your hosting provider
- Your analytics platform (Google Analytics, Plausible, etc.)
- Your email platform (Mailchimp, ActiveCampaign, etc.)
- Your payment processor (Stripe, Mollie, etc.)
- Your booking system (if applicable)
- Your CRM (if applicable)
- Your accountant (if they access financial records with personal data)
Example format:
"We share your data with the following categories of recipients:
- Google Ireland Ltd (Google Analytics) — for website analytics. Google's privacy policy: policies.google.com
- Mollie B.V. (payment processor) — to process your payment. Mollie's privacy policy: mollie.com/en/privacy
- STRATO AG (hosting provider) — to host our website and databases. STRATO's privacy policy: strato.de"
Step 4: Explain International Transfers
If any of your service providers transfer data outside the EU/EEA, state this and explain the legal mechanism:
Options:
- Adequacy decision — the EU has decided the country provides adequate protection (UK, Switzerland, Canada, Japan, Israel, and others)
- EU-US Data Privacy Framework — for certified US companies (Google LLC, Meta, Mailchimp are certified)
- Standard Contractual Clauses (SCCs) — a contract between the EU company and the non-EU recipient that provides GDPR-equivalent protection
- Binding Corporate Rules — for transfers within a multinational corporate group
Example:
"Google Analytics is provided by Google LLC, based in the USA. This transfer takes place on the basis of Google's certification under the EU-US Data Privacy Framework. You can verify Google's certification at dataprivacyframework.gov."
Step 5: State Retention Periods
Every processing activity must have a stated retention period. "We keep data as long as necessary" is not compliant.
Minimum requirements:
- State specific timeframes where possible: "12 months," "7 years (required by Dutch tax law)"
- Or state the criteria if a fixed period cannot be given: "For the duration of your subscription, plus 2 years after cancellation"
Use our data retention periods guide for the recommended timeframes.
Step 6: Explain Data Subject Rights
This section should explain each right and — importantly — how to exercise it.
Include all of the following:
Right to access (Article 15): You can request a copy of the personal data we hold about you.
Right to rectification (Article 16): You can request correction of inaccurate data.
Right to erasure (Article 17): You can request that we delete your personal data when it is no longer necessary, when you withdraw consent, or in other specified circumstances.
Right to restriction (Article 18): You can request that we limit processing of your data while accuracy is contested or a legal basis is disputed.
Right to data portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you can request your data in a portable format.
Right to object (Article 21): You can object to processing based on legitimate interests. For direct marketing, the right to object is absolute.
For each right, state how to exercise it, for example: "To exercise any right, contact us at [email]. We will respond within one month."
Step 7: Include the Right to Complain to the AP
Every Dutch privacy policy must include:
"If you have a complaint about how we process your data, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). You can contact the AP via their online complaint form."
The AP specifically checks for this during audits. TikTok was fined in part because Dutch children could not understand the privacy policy — including this right.
Step 8: Handle Special Category Data (If Applicable)
If you process special category data under GDPR Article 9 (health, religion, political views, sexual orientation, trade union membership, biometric or genetic data), you must:
- Identify the specific type of special category data
- State the specific legal basis (not just Article 6(1)(a) consent — Article 9 requires explicit consent or another Article 9 basis)
- Apply stricter security measures
For most small businesses, special category data is not in scope — but check if you collect dietary requirements (health data), process medical certificates from employees, or have a website where users disclose personal beliefs.
Step 9: Address Automated Decision-Making (If Applicable)
If you make automated decisions that have significant legal or similarly significant effects on individuals (including profiling), you must disclose this and explain the logic involved.
For most small business websites, this is not applicable. If you use AI-driven pricing, automated loan decisions, or profiling for personalised offers, this section becomes relevant.
Step 10: Keep It Updated
Your privacy policy must reflect what you actually do — not what you did when you last wrote it. Set a calendar reminder for:
- Annual review — check whether all services are current, retention periods still apply, and third-party links still work
- When you add a new service — update immediately
- When a service changes its practices — update your policy to reflect the new reality
Include a "last updated" date at the top of your policy. This is not legally required but is good practice and shows the AP that you maintain the document.
Common AP Findings During Audits
Based on AP enforcement actions and public guidance:
- Privacy policy not linked from every page — should be in the footer
- Privacy policy not linked from forms — must be linked where data is collected
- Third-party services not named — using Google Analytics without naming it
- Retention periods missing or vague — "as long as necessary" is insufficient
- AP complaint right not included — always required
- Data subject rights listed but no contact method — rights without a way to exercise them are useless
- Policy not in an understandable language — English-only policy for Dutch-speaking audience
Fixing these seven points covers the majority of what the AP looks for in a routine review.
For more context on when a privacy policy is required, see privacy policy required on Dutch websites. For a template with example text, see our privacy policy generator guide.
This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.