The Dutch Data Protection Authority — the Autoriteit Persoonsgegevens (AP) — is one of the most active GDPR enforcement authorities in Europe. With over 100 fines issued since GDPR came into force and a track record of landmark decisions against major technology companies, the AP's enforcement priorities should inform the compliance strategy of any company with significant Dutch operations or Dutch customer data.
The AP's Enforcement Track Record
The AP has been consistent in its focus areas. Some of the most significant cases:
Clearview AI (2022): €30.5 million fine for unlawful processing of biometric data. The AP pursued this despite Clearview's US base — the extraterritorial reach of GDPR enforcement is real.
Netflix (2023): Fine for failing to provide adequate information to users about how their data was processed, combined with transparency failings.
Uber (2024): €290 million fine for illegal transfers of driver data to the US without adequate safeguards — one of the largest GDPR fines in Dutch regulatory history.
TikTok (2023): €750,000 fine for unlawfully processing children's data.
The pattern: the AP actively pursues international technology companies operating in the Netherlands, is particularly aggressive on international data transfers, and has a strong focus on transparency obligations.
AP Enforcement Focus Areas in 2025–2026
International data transfers. Following the Uber ruling, the AP has signalled continued focus on transfers to the US and other third countries without adequate safeguards. Every Dutch-market company using US cloud services, marketing platforms, or analytics tools must ensure transfer mechanisms (SCCs or DPF certification) are in place and documented.
Cookie consent. The AP has issued multiple decisions against companies using dark patterns in cookie consent — pre-ticked boxes, accept-all buttons more prominent than reject buttons, and consent banners that make it difficult to refuse. Dutch enforcement on cookies is strictly practical: if the consent mechanism is not genuinely informed and freely given, it is non-compliant.
Children's data. The AP has a dedicated focus on children's privacy, including special enforcement attention to apps and platforms accessible to minors. Age verification, parental consent, and child-appropriate privacy notices are scrutinised.
Data broker practices. The AP has been investigating data brokers, enrichment services, and marketing platforms that build profiles on individuals. Companies using enrichment data for Dutch prospects should review their practices.
Health data. Dutch enforcement on health data has been active, particularly around COVID-era health data repurposing and mental health platforms. Processing health data without valid Article 9 grounds is a priority enforcement area.
Key Requirements for Dutch Market Companies
Supervisor establishment: Any company with a Dutch establishment (registered office, branch, or employees) has the AP as a relevant supervisory authority. Non-EU companies without a Dutch establishment but targeting the Dutch market should consider whether the AP or another EU authority is the lead supervisory authority.
Cookie banners: The Dutch standard for cookie consent is strict. The consent mechanism must:
- Not set non-essential cookies before consent
- Give the reject option equal prominence to the accept option
- Not use dark patterns to push users towards acceptance
- Record consent with the specific time, version of the banner, and options selected
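The first and last items of this list can be checked in code. The following is an added example, not taken from the AP or from any vendor's consent tool: it audits the cookies a site sets on first load, before any consent, and builds a consent record holding the time, banner version, and options selected. The cookie names, the essential-cookie allowlist, the purpose names, and the record shape are all assumptions made for illustration.

```javascript
// Added example. Allowlist, cookie names and record shape are assumptions.
const ESSENTIAL = new Set(["session_id", "csrf_token"]); // hypothetical allowlist

// Constructed sample: Set-Cookie headers captured on a first page load,
// before the visitor has interacted with the banner.
const SAMPLE_FIRST_LOAD = [
  "session_id=abc123; Path=/; HttpOnly; Secure",
  "_analytics=GA1.2.3; Path=/; Max-Age=63072000",
  "ad_id=xyz; Domain=.example.test; Path=/",
];

// Extract the cookie name from each Set-Cookie header value.
function cookieNames(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(";")[0].split("=")[0].trim())
    .filter((name) => name.length > 0);
}

// Cookies set before consent that are not on the essential allowlist.
function preConsentViolations(setCookieHeaders, essential = ESSENTIAL) {
  return cookieNames(setCookieHeaders).filter((name) => !essential.has(name));
}

// Build an immutable consent record: time, banner version, options selected.
// Every purpose must carry an explicit true/false; a missing or non-boolean
// value is rejected rather than silently treated as consent.
function buildConsentRecord(bannerVersion, choices, now = new Date()) {
  if (!bannerVersion) throw new Error("banner version is required");
  const options = {};
  for (const [purpose, value] of Object.entries(choices)) {
    if (typeof value !== "boolean") {
      throw new Error(`choice for "${purpose}" must be an explicit boolean`);
    }
    options[purpose] = value;
  }
  return Object.freeze({
    timestamp: now.toISOString(),
    bannerVersion,
    options: Object.freeze(options),
  });
}

// Gate for setting a cookie: non-essential purposes need a recorded "true".
function maySetCookie(purpose, record) {
  if (purpose === "essential") return true;
  return Boolean(record && record.options[purpose] === true);
}
```

Running `preConsentViolations` against headers captured from a clean browser profile gives a quick pass/fail signal for the "no non-essential cookies before consent" requirement.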
Privacy notices in Dutch: While GDPR does not require notices in a specific language, making privacy information available in Dutch for a Dutch-language audience is strongly recommended and aligns with the AP's "clear and plain language" requirement.
International transfer documentation: The AP has specifically reviewed and acted on transfer violations. Maintain a current record of all transfers out of the EEA, the transfer mechanisms used, and evidence of the mechanism's adequacy.
Employee data: Dutch employment law creates specific contexts for employee monitoring and HR data processing. Works councils have consultation rights. Many Dutch employment-related GDPR disputes involve monitoring practices or access to employee communications.
Reporting to the AP
For companies with Dutch establishments, the AP is either the lead supervisory authority (if the main EU establishment is in the Netherlands) or a relevant authority (if Dutch individuals are affected by a violation).
Breach notifications to the AP must follow the standard 72-hour rule.
Complaints handling: Dutch individuals frequently file complaints with the AP. The AP actively investigates individual complaints, particularly those pointing to systematic processing issues.
AP investigation: If the AP opens an investigation, respond promptly and completely. The AP has demonstrated willingness to escalate to the EDPB for cross-border cases and to issue significant fines when cooperation is inadequate.
What to Prioritise for Dutch Compliance
- Review all international transfer mechanisms — document SCCs and DPF status for every US vendor
- Audit cookie consent implementation against the AP's technical requirements
- Review privacy notice for plain language and complete disclosure
- Ensure breach notification procedure covers AP notification timelines
- If you process health, biometric, or children's data — conduct a DPIA and ensure Article 9 basis is documented