What Is GDPR + Uitvoeringswet Algemene verordening gegevensbescherming (GDPR Implementation Act)?
The Netherlands applies the EU GDPR together with the Uitvoeringswet AVG (UAVG), the national implementation act that clarifies how GDPR applies locally and uses opening clauses for Dutch-specific rules (the age of digital consent is 16, plus rules on the BSN national-ID number and journalistic exemptions). The supervisory authority is the Autoriteit Persoonsgegevens (AP), respected for transparent, predictable guidance. The defining Dutch privacy issue is the KvK (Kamer van Koophandel / Chamber of Commerce) trade register. Every business registers in the Handelsregister, and for sole proprietorships (eenmanszaken) the visiting address is often the owner's home address — historically searchable and resold. Sole proprietors can now shield that visiting address (while providing a separate public postal address); officials' home addresses are protected by default. Separately, the residents' database (BRP, Basisregistratie Personen) cannot be opted out of — municipalities are legally required to maintain it — but residents can request 'geheimhouding' (confidentiality) so their data is not shared with certain third parties such as churches and non-government organisations.
At a glance
- Full name
- GDPR + Uitvoeringswet Algemene verordening gegevensbescherming (GDPR Implementation Act)
- Short code
- UAVG
- Jurisdiction
- Netherlands
- Enacted
- 2018
- Last major update
- UAVG in force 25 May 2018 alongside the EU GDPR
- Regulator
- Autoriteit Persoonsgegevens (AP)
- Private right of action
- Yes
- Statutory citation
- UAVG + Regulation (EU) 2016/679
Scope, who UAVG covers
Protected data
Data subject rights
Right of access (Article 15)
Right to rectification (Article 16)
Right to erasure / right to be forgotten (Article 17)
Right to restriction of processing (Article 18)
Right to data portability (Article 20)
Right to object, incl. absolute right for direct marketing (Article 21)
Right to request BRP confidentiality (geheimhouding) and to shield a KvK visiting address
Right to lodge a complaint with the Autoriteit Persoonsgegevens (Article 77)
Notable features
The Netherlands combines GDPR with an unusually strong collective-redress regime (WAMCA) and a well-regarded, transparent regulator. The standout practical issue is the KvK trade register exposing sole proprietors' home addresses; address shielding is available but does not retroactively remove data already copied by brokers. Telemarketing has required prior opt-in consent since 2021, replacing the old 'Bel-me-niet' opt-out register.
Enforcement & penalties
Regulator: Autoriteit Persoonsgegevens (AP)
Penalties: GDPR two-tier fines: up to €10M or 2% of global turnover (lower tier) and up to €20M or 4% of global turnover (higher tier), whichever is greater. The AP has issued fines across sectors and is known for clear, predictable enforcement guidance.
Private right of action: GDPR Article 82 grants a right to compensation for material or non-material damage before the Dutch civil courts. Collective actions are available under the Dutch WAMCA regime, which is among the most claimant-friendly collective-redress frameworks in the EU.
Relevance to data brokers
Data brokers, directories, and the KvK itself (which historically sold register data) are controllers under GDPR + UAVG. Dutch residents can shield their KvK visiting address, request BRP geheimhouding, exercise GDPR objection/erasure, and rely on opt-in-only telemarketing rules. The AP handles complaints, and WAMCA enables broad collective claims.
Exercise your rights
Remove your data from 500+ brokers for $7
OfflistMe drafts opt-out emails citing UAVG and other applicable laws. Citations included. You send from your own inbox. No account, no ID upload.
Request Removal NowFAQ
Who enforces data privacy in the Netherlands?+
The Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority, which enforces both the EU GDPR and the national UAVG implementation act.
My home address is public on the KvK — can I hide it?+
Yes. Sole proprietors can always shield their visiting address in the Business Register (you must provide a separate public postal address instead). Other organisations can shield only where there is a proven threat, and officials' home addresses are protected by default. Note that shielding at the KvK does not remove data already copied by online brokers.
Can I opt out of the BRP residents' database?+
No — your municipality is legally required to register you, so the GDPR right to object does not apply to the BRP itself. But you can request "geheimhouding" (confidentiality) so your data is not shared with certain third parties such as churches and non-government organisations.
Is telemarketing allowed in the Netherlands?+
Only with prior opt-in consent. Rules tightened in 2021 replaced the old opt-out "Bel-me-niet" register, so companies may no longer cold-call consumers who have not agreed to be contacted.
Official sources & citations
Other international privacy regimes
UAVG sits in a global ecosystem of data-protection laws. Compare with other jurisdictions that shape cross-border data flows: