The Dutch data protection authority – the Autoriteit Persoonsgegevens (AP, the Netherlands' Data Protection Authority) – has significantly intensified its enforcement activity in recent months. Fines are larger, investigations move faster, and international businesses operating through Dutch besloten vennootschap (BV) or naamloze vennootschap (NV) structures are squarely in scope. Companies that have treated GDPR compliance as a box-ticking exercise face real exposure now.
The AP has issued a series of enforcement decisions targeting unlawful data transfers, defective consent mechanisms, and failures by both the data controller and data processor to maintain adequate records of processing activities. These actions apply immediately to any organisation established in the Netherlands or processing personal data of Dutch residents. Businesses that have not reviewed their compliance posture since the initial GDPR implementation period are the most exposed.
This alert identifies the categories of business most affected, the threshold criteria that trigger AP scrutiny, the practical compliance deadlines that now apply, and five immediate actions international companies should take.
What has changed – the enforcement shift and its triggers
The AP has moved from issuing warnings and reprimands to imposing administrative fines as a first-order response. This reflects a broader shift in enforcement philosophy across European data protection authorities. In the Netherlands specifically, the AP has focused its resources on three conduct categories.
The first is unlawful international data transfer. Transfers of personal data outside the European Economic Area without a valid legal basis – such as approved standard contractual clauses or binding corporate rules – now attract priority scrutiny. The AP has made clear that reliance on outdated transfer mechanisms is not acceptable. Companies that embedded transfer arrangements during the initial GDPR roll-out and have not revisited them are at material risk.
The second is defective consent. The AP has scrutinised consent mechanism design, particularly cookie banners and marketing opt-ins. Where consent is pre-ticked, bundled with terms of service, or where withdrawal is made materially harder than granting consent, the AP treats this as a breach. Dutch courts – including the Rechtbank (district court) and, on appeal, the Hoge Raad (Supreme Court of the Netherlands) – have confirmed that the burden of proving valid consent rests on the data controller.
The third is processor oversight failures. The AP has examined cases where a data controller delegated processing activities to a data processor without a compliant data processing agreement. Absence of documented due diligence on processor security measures is being treated as an independent infringement, separate from any underlying breach by the processor itself.
For companies with operations registered at the Kamer van Koophandel (KvK, the Dutch Chamber of Commerce), the AP can and does use the commercial register to identify responsible legal entities and their directors. Registration with the KvK does not shield a business from enforcement – it makes identification easier.
Who is affected – threshold criteria and business categories
The enforcement pattern is not random. The AP applies identifiable threshold criteria when selecting investigation targets. Understanding those criteria is the first step toward managing risk.
Scale of processing. Organisations processing personal data at scale – including large customer databases, employee data systems, and digital advertising platforms – face the highest scrutiny. The AP does not define "scale" by a fixed number, but the volume and sensitivity of data processed are both relevant factors under data protection legislation.
Cross-border transfers. Any business using cloud infrastructure, analytics tools, or customer relationship management systems that route data outside the EEA is within scope. This includes companies that transfer data to group entities in the United States, the United Kingdom post-Brexit, or other third countries without having updated their transfer documentation.
Sensitive data categories. Health data, biometric data, and data concerning children receive heightened attention. Technology platforms and healthcare-adjacent businesses operating in the Netherlands should treat this as an elevated-risk category requiring dedicated legal review.
Consumer-facing digital products. E-commerce operators, subscription businesses, and app publishers targeting Dutch consumers are regularly investigated following complaints. A single complaint to the AP is sufficient to open a formal investigation.
International corporate structures. A foreign parent company with a Dutch subsidiary – whether a BV or NV – can face AP enforcement directed at the Dutch entity. The subsidiary's directors, whose appointment may be documented before a notaris (civil law notary in the Netherlands), bear personal accountability for ensuring compliance within the Dutch entity.
For a tailored assessment of your organisation's exposure under current Dutch data protection enforcement conditions, contact us at info@ferrazwhitmore.com.
Immediate actions for international companies
Five actions should be completed without delay by any international business with Dutch operations or Dutch-resident data subjects.
First: audit your data transfer mechanisms. Map every transfer of personal data leaving the EEA. Verify that each transfer rests on a currently valid legal basis. Standard contractual clauses must reflect the most recent approved versions under data protection legislation. Legacy arrangements based on mechanisms that have since been invalidated must be replaced immediately.
Second: review consent mechanism design. Examine all consent collection points – cookie banners, registration forms, marketing opt-ins. Each must meet the AP's current standard: freely given, specific, informed, and unambiguous. Withdrawal must be as easy as giving consent. Engage qualified counsel to test whether existing mechanisms would withstand AP scrutiny.
Third: verify processor agreements. Every data processor handling personal data on your behalf must be covered by a compliant written agreement. That agreement must specify the subject matter, duration, nature, and purpose of processing. It must also address security obligations, sub-processor engagement, and breach notification. Gaps in processor agreements are a direct enforcement target.
Fourth: update records of processing activities. Both data controllers and data processors are required to maintain written records of processing activities under data protection legislation. Many organisations created these records at GDPR implementation and have not updated them since. New processing activities, new systems, and new processors must be reflected in current documentation.
Fifth: assess AI and automated decision-making tools. The AP has flagged automated decision-making and profiling as a priority enforcement area. If your business uses algorithmic tools that produce decisions with legal or similarly significant effects on individuals, a data protection impact assessment is required. The intersection of data protection and AI regulation in the Netherlands is an emerging enforcement frontier. for a deeper analysis of how Dutch AI regulation interacts with GDPR obligations. See our AI law advisory services for the Netherlands.
For businesses seeking comprehensive support on data protection compliance in the Netherlands, our team can conduct a structured compliance review and provide a prioritised remediation plan.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice assists international companies, technology businesses, and institutional investors operating in the Netherlands and across Europe with GDPR compliance reviews, AP investigation support, data transfer structuring, and consent mechanism design. We combine Portuguese civil law expertise with English common law tradition to deliver practical, cross-border data protection solutions. Our team has advised on data protection matters across both civil law and common law systems, and participates in cross-border practice groups focused on privacy and technology regulation. Engaging a lawyer in Netherlands regulatory matters requires counsel who understands both local enforcement patterns and the EU-wide regulatory context. As an international law firm in Netherlands matters, Ferraz & Whitmore brings that dual perspective to every mandate. For a preliminary review of your data protection position in the Netherlands, email info@ferrazwhitmore.com. You may also find our data protection enforcement alert for Portugal useful if your business operates across both jurisdictions.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.