the Dutch DPA
Close menu

Privacy statement of the Dutch DPA

For the Dutch Data Protection Authority (Dutch DPA), the protection of personal data is paramount. We also think it is important to inform you about this in a clear and transparent manner. In this privacy statement, we provide information about what we do with your personal data.

version October 2024

We respect your privacy and therefore ensure that we always treat your personal data confidentially. And in doing so, comply with the privacy legislation.

On this page

Who are we?

The Dutch DPA is the independent supervisory authority in the Netherlands that stands up for the fundamental right of protection of personal data. We monitor all organisations that and persons who process personal data. For the performance of our tasks, we also process personal data ourselves.

How do we obtain your personal data?

When we collect and use your personal data, this is mostly because you have contacted us yourself. And have given information about yourself. For example, when you submit a tip-off or complaint to us. Or when you, as an organisation, report a data breach.

Our records may also contain personal data of yours that you did not provide to us yourself. For example, because we are conducting an investigation into your organisation or because someone has submitted a complaint about you. We may also obtain information from public sources and record them if this is necessary for our work.

Which personal data do we process?

As Dutch DPA, we may process your following personal data:

  • name, address, and place of residence;
  • contact details (such as email address and telephone number);
  • personal data in an investigation file, possibly including special categories of personal data and/or criminal data;
  • financial data in, for example, an investigation file;
  • date and place of birth;
  • audio and/or video recordings for reporting hearings;
  • CCTV images made by security cameras;
  • identity document;
  • DPO number;
  • data of an organisation, including Chamber of Commerce number;
  • signature;
  • information from cookies and similar technologies.

Exactly which of your personal data we process depends on the situation. Read more about this in: For what purposes do we process your personal data?

Special categories of personal data or criminal data

Do we process special categories of your personal data or criminal personal data? The we are allowed to do this because there is an important public interest (Article 9, opening words of second paragraph and point g GDPR, Article 23 point b GDPR Implementation Act and Article 32 point e GDPR Implementation Act).

For what purposes do we process your personal data?

There are several purposes for which we may process your personal data. We first provide information about the purposes for which we process data when you have contact with us on behalf of yourself (as a private individual). Then we discuss the purposes for processing if you contact us on behalf of an organisation or as a professional.

On behalf of yourself

We may process personal data of you as a private individual in the following situations:

When you click a on link, you will find information about the processing in these situations. Do you want to know more about a specific processing? Take a look at our processing register.

On behalf of your organisation or as a professional

We may process your personal data in the following situations:

When you click a on link, you will find information about the processing in these situations. Do you want to know more about a specific processing? Take a look at our processing register.

On which legal bases do we rely for processing your personal data?

Every organisation that processes personal data is only allowed to do this if there is a legal basis for processing. As Dutch DPA, we process personal data on the following legal bases:

How long do we retain your personal data?

We will not retain your personal data longer than necessary for the purpose for which we process your data. Do we no longer need your personal data for that purpose? Then we will delete your personal data. But sometimes we are obliged to retain your personal data for a longer period of time. For example, if the Public Records Act says so.

Read more about archiving by the government

Do you want to know how long we retain your data in a specific situation? Take a look at our processing register.

With whom may we share your personal data?

In principle, we do not share personal data with other parties (third parties). Unless there really is no other way, because it is necessary for the performance of our statutory tasks. Then we may share personal data within the Netherlands, within the EEA, and sometimes also outside the EEA. In that case, we may share personal data with:

  • other supervisory authorities, including the EDPB, for example in the event of cross-border investigations;
  • other stakeholders, for example in objection proceedings;
  • (contact) persons at (other) parties or their authorised representatives and courts, and possibly the lawyer of the Dutch DPA;
  • the Administrative Jurisdiction Division of the Council of State, for conducting legal proceedings to which the Dutch DPA is party;
  • the Central Judicial Collection Agency (CJIB), for having fines collected;
  • processors, such as our IT service provider;
  • Statistics Netherlands (CBS), when sharing data breach notifications;
  • the police and the Public Prosecution Service (OM) if we report something;
  • ministries, on highly incidental occasions for legislative tests or preparing official reports with which the Dutch DPA provides ministries with input for answering Parliamentary questions.

International transfer

The Dutch DPA cooperates with the data protection authorities in all EEA countries and with the various bodies of the European Union, such as the EDPB. As a result, personal data are processed within the EEA. In addition, personal data are processed in countries outside the EEA, because of IT systems. This is done as little as possible. And only if there is a transfer mechanism and we have established that the transfer falls within the scope of the legislation and regulations.

Read more about personal data transfers outside the EEA

Who within the Dutch DPA has access to your personal data?

Within the Dutch DPA, employees may access personal data if they have been authorised to do so. The people at the Dutch DPA who have access to your personal data have, moreover, signed a confidentiality statement.

How do we secure your personal data?

We take both technical and organisational measures to secure the personal data we process. To prevent these data from being lost, for example. We do this in accordance with the applicable legal requirements and guidelines, such as the Government information security baseline (BIO) of the Dutch national government.

An example of a technical measure is that your data are transmitted through a secure connection when you use an online form on the website of the Dutch DPA. In addition, your data are encrypted during transmission. This means that your data are illegible, should they fall into the wrong hands.

An example of an organisational measure is that only competent Dutch DPA employees are allowed to access your data.

If you have any questions about the security of your personal data at the Dutch DPA, please contact the Chief Information Security Officer (CISO) at ciso@autoriteitpersoonsgegevens.nl.

Which privacy rights do you have?

When we process your personal data, you have a number of privacy rights:

  • Right of access: You can ask which of your personal data we use. This will enable you to check if we do this properly, in accordance with the privacy law, the GDPR.
  • Right to rectification: Are the data that we have of you not correct or are any data missing? Then you can ask us to rectify or supplement the data.
  • Right to removal: In some cases, you can ask us to delete your personal data.
  • Right to restriction of processing: You can ask us to temporarily stop using your personal data. For example, because you want to wait for a decision on another request first.
  • Right to data portability: You can ask us to transfer your personal data to another organisation.
  • Right to object: You can sometimes object to the processing of your personal data.
  • Right to human intervention in decision-making processes: When you receive an automated decision from us, you can ask us to take a new decision that has been assessed by a person.

You also have the right to withdraw your consent. Did you give us consent for the use of your personal data, but have you changed your mind? Then you can withdraw your consent again. We will no longer process your personal data from that time. Unless there is (also) another legal basis for processing your personal data.

And do you disagree with the way we process your personal data? Then you can contact the Data Protection Officer (DPO) of the Dutch DPA. The DPO is independent and monitors whether everyone within the Dutch DPA complies with the privacy legislation.

You can contact the DPO at the email address privacy@autoriteitpersoonsgegevens.nl. You can also send a letter to:

Dutch Data Protection Authority (DPA)
(Autoriteit Persoonsgegevens)
Attn. the Data Protection Officer 
Postbus 93374
2509 AJ DEN HAAG, The Netherlands

After your request has been dealt with, you can also submit a complaint to the Dutch DPA.

Using your privacy rights

Do you want to use one of your privacy rights? For more information on how to do this, take a look at Your rights. You will also find example letters there.

Do you have a complaint about the handling of your request by the Dutch DPA? Then contact the DPO of the Dutch DPA. After your request has been dealt with, you can also submit a complaint to the Dutch DPA.

Do you want to know more?

Do you have a question or a complaint about this privacy statement? Or about the way we handle your personal data? We will be happy to provide you with an explanation. Contact our DPO for this purpose.