GDPR Compliance Checklist for Dutch Businesses (2026)

Steven | TrustYourWebsite · 6 April 2026 · Last updated: April 2026

The AVG (Algemene Verordening Gegevensbescherming) is the Dutch implementation of the GDPR. It applies to any business that processes personal data. A contact form, an analytics tool or an email newsletter all count.

Want to see which trackers and forms your own site is running right now? Scan your website free and get a 35-point report in two minutes.

This checklist covers 35 requirements. Work through it once and you will have a clear picture of what you are missing and what you can safely check off.

Section 1: Privacy Policy (Articles 13-14 GDPR)

A privacy policy is not optional. If your website collects any personal data, you need one, and it must be findable.

  • You have a privacy policy published on your website
  • The policy is accessible from every page, typically via a footer link
  • Identity and contact details of the data controller (your business) are stated
  • Purpose and legal basis for each type of data processing is specified
  • Retention periods are stated for each category of data
  • Third parties who receive data are listed (analytics providers, email tools, payment processors, etc.)
  • Data subject rights (access, correction, deletion, objection, portability) are explained
  • Right to lodge a complaint with the AP (Autoriteit Persoonsgegevens) is mentioned
  • The policy is written in plain language, understandable by your target audience
  • The policy is up to date, reflecting all services and tools currently in use

For a detailed breakdown of what belongs in each section, read our guide on privacy policy requirements.

Section 2: Cookie Consent (Telecommunications Act)

Cookie consent is governed by the Dutch Telecommunications Act (Telecommunicatiewet), not directly by the GDPR. But non-compliance with cookie rules also triggers GDPR violations when tracking scripts process personal data without consent.

  • You know which cookies your website places. Run a cookie scan if you are unsure
  • Functional-only cookies (session, shopping cart, language preference) require no consent banner
  • If you use Google Analytics, Facebook Pixel or similar, you need a consent banner
  • The cookie banner shows before any tracking scripts load, not after
  • Reject is as easy as accept: same visual prominence and the same number of clicks
  • No pre-ticked consent boxes. Non-functional categories must be off by default
  • No cookie walls. The website must be usable without accepting cookies
  • Consent is stored so returning visitors are not asked again unnecessarily
  • Users can withdraw consent at any time via a preference centre or similar mechanism
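The gating logic the items above describe (nothing non-functional loads until a decision is stored, categories off by default, reject as cheap as accept, withdrawal possible later), as an added example that is not part of the original article. Names such as `createConsentManager` and the storage key are assumptions; storage and the script loader are injected so the same code runs against `localStorage` in a browser or against the constructed in-memory stub below.

```javascript
// Categories that need consent before their scripts may load. Functional
// cookies (session, cart, language) are not listed: they need no consent.
const NON_FUNCTIONAL = ["analytics", "marketing"];
const STORAGE_KEY = "cookie_consent_v1"; // assumed key name

// storage: anything with getItem/setItem (e.g. window.localStorage)
// loadScript(category): callback that actually injects the tracker for a category
function createConsentManager(storage, loadScript) {
  const loaded = new Set(); // loaded once per page view, never twice

  // No pre-ticked boxes: every non-functional category starts as false
  const defaults = () => Object.fromEntries(NON_FUNCTIONAL.map((c) => [c, false]));

  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null; // no decision yet: show banner, load nothing
    try { return JSON.parse(raw); } catch { return null; } // corrupt value = no decision
  }

  // Only categories the visitor opted into are loaded; everything else stays off
  function apply(state) {
    for (const cat of NON_FUNCTIONAL) {
      if (state[cat] === true && !loaded.has(cat)) { loadScript(cat); loaded.add(cat); }
    }
  }

  function save(choices) {
    const state = { ...defaults(), ...choices, decidedAt: Date.now() };
    storage.setItem(STORAGE_KEY, JSON.stringify(state)); // remembered for return visits
    apply(state);
    return state;
  }

  return {
    // Call on page load, before any tracker tag: returns true when the banner must show
    init: () => { const s = read(); if (s) apply(s); return s === null; },
    needsBanner: () => read() === null,
    current: () => read() ?? defaults(),
    // Accept and reject are the same single call, so the UI can give them equal weight
    acceptAll: () => save(Object.fromEntries(NON_FUNCTIONAL.map((c) => [c, true]))),
    rejectAll: () => save(defaults()),
    update: (choices) => save(choices), // preference centre: per-category choices
    // Withdrawal stores an all-off decision; scripts already running in this
    // page view stay until reload, so the caller should reload afterwards
    withdraw: () => save(defaults()),
  };
}

// Constructed stand-in for localStorage so the example runs outside a browser
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```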

Read more about whether you need a cookie banner and cookie banner dark patterns to avoid.

Section 3: Legal Basis for Processing (Article 6 GDPR)

Every data processing activity needs a legal basis. Identify which applies to each activity.

  • You have identified the legal basis for each type of processing on your website
  • Consent is used only where freely given, specific and revocable
  • Legitimate interest is not used for marketing or tracking without a balancing test
  • Contractual necessity covers processing needed to fulfil a service (e.g., order fulfilment, reservation handling)
  • Legal obligation covers processing required by law (tax records, employment administration)

The legal basis must be stated in your privacy policy for each processing activity.

Section 4: Data Processors (Article 28 GDPR)

If another company processes personal data on your behalf (your hosting provider, email tool, analytics platform or CRM) they are a data processor. You need a written data processing agreement (DPA) with each of them.

  • You have identified all data processors: tools and services that handle your customers' data
  • You have a signed data processing agreement with each processor
  • Major processors (Mailchimp, ActiveCampaign, Google Analytics, hosting providers) are covered
  • The DPA specifies what data is processed, for what purpose and under what security requirements

Most large SaaS platforms provide standard DPAs. Check the provider's documentation or legal pages. For a guide on what belongs in a DPA, read data processing agreements explained.

Section 5: Data Retention (Article 5(1)(e) GDPR)

You may not keep personal data longer than necessary for its original purpose.

  • You have defined retention periods for each category of personal data
  • Customer data is deleted or anonymised after the relationship ends (accounting records: 7 years)
  • Newsletter subscribers are removed from mailing lists when they unsubscribe
  • Website contact form submissions are deleted after they are acted upon
  • Data is actually deleted on schedule, not just a policy on paper

Read our data retention periods guide for a practical cheatsheet.

Section 6: Data Breach Response (Articles 33-34 GDPR)

A data breach that affects personal data must be reported to the AP within 72 hours if it poses a risk to individuals.

  • You know what constitutes a data breach: unauthorized access, accidental deletion or a lost device with customer data
  • You have a documented response procedure. Even a one-page checklist counts
  • You know how to reach the AP to file a breach notification (via the AP breach portal)
  • You log all incidents, even those that do not require AP notification

Use our 72-hour breach reporting decision tree when an incident occurs.

Section 7: Technical Security (Article 32 GDPR)

The GDPR requires "appropriate technical and organisational measures" to protect personal data. There is no fixed list, but the following are baseline expectations for websites.

  • Your website runs on HTTPS with a valid TLS certificate and no mixed content
  • CMS and plugins are up to date. Apply security updates promptly
  • Admin accounts use strong, unique passwords and multi-factor authentication where possible
  • Database access is restricted and not exposed to the internet
  • Regular backups exist and can be restored
  • Security headers are set (HSTS, Content-Security-Policy, X-Frame-Options)
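A check for two of the items above (HTTPS with no mixed content, and the three named security headers), written for this article as an added example rather than taken from it. `auditWebsiteBaseline` and the one-year HSTS threshold are assumptions; the headers and HTML it runs on are constructed samples.

```javascript
// Audit a captured response (header map plus page HTML) against the baseline.
// Returns a list of findings; an empty list means the items above are satisfied.
function auditWebsiteBaseline(headers, html) {
  // Header names are case-insensitive, so normalise before lookup
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];

  // HSTS must be present and, by the assumed threshold, cover at least one year
  const hsts = h["strict-transport-security"];
  const maxAge = hsts ? /max-age=(\d+)/i.exec(hsts) : null;
  if (!hsts) findings.push("missing Strict-Transport-Security");
  else if (!maxAge || Number(maxAge[1]) < 31536000) findings.push("HSTS max-age below one year");

  if (!h["content-security-policy"]) findings.push("missing Content-Security-Policy");

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (!["DENY", "SAMEORIGIN"].includes(xfo)) findings.push("X-Frame-Options not DENY or SAMEORIGIN");

  // Mixed content: scripts, styles, images or frames fetched over plain http
  const re = /<(?:script|link|img|iframe)\b[^>]*?\b(?:src|href)=["'](http:\/\/[^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) findings.push(`mixed content: ${m[1]}`);
  return findings;
}

// Constructed sample: a page that is served over TLS but still fails the baseline
const SAMPLE_HEADERS = {
  "Strict-Transport-Security": "max-age=86400",
  "X-Frame-Options": "allowall",
};
const SAMPLE_HTML = `<html><head>
<script src="http://cdn.example.invalid/analytics.js"></script>
<link rel="stylesheet" href="https://cdn.example.invalid/site.css">
</head><body><img src="http://img.example.invalid/logo.png"></body></html>`;
```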

For a full security checklist, see our secure website checklist for GDPR.

Section 8: Data Subject Rights (Articles 15-22 GDPR)

Individuals have the right to access, correct, delete and export their data. You need a way to handle these requests.

  • You have a contact method for data subject requests (email address in privacy policy is sufficient)
  • You can respond within one month. GDPR Article 12 requires this
  • You can identify which data you hold about a specific person if asked
  • You can delete data on request, unless a legal retention obligation applies
  • You can provide a data export in a portable format if requested

Section 9: Special Category Data (Article 9 GDPR)

Health data, biometrics, religion, political views, sexual orientation and trade union membership have stricter rules. They require explicit consent or another specific legal basis.

  • If you collect health data (allergies, medical conditions, disabilities), you have explicit consent
  • If you collect special category data, it is stored separately with stricter access controls
  • You do not collect special category data unnecessarily. Minimize what you ask for

Section 10: Third Country Transfers (Articles 44-49 GDPR)

Transferring personal data to countries outside the EU/EEA requires additional safeguards.

  • You know which of your processors are based outside the EU/EEA (many US-based SaaS tools fall here)
  • Standard Contractual Clauses (SCCs) are in place for US-based processors where no adequacy decision exists
  • The transfer is documented in your privacy policy

The US has been granted adequacy status under the EU-US Data Privacy Framework (July 2023) for certified US companies. Check if your US processor is certified at dataprivacyframework.gov.

Your Score

Count your checked items:

  • 32-35: Strong compliance posture. Review annually.
  • 25-31: Good foundation with gaps. Address the unchecked items by category.
  • 15-24: Significant gaps. Prioritise privacy policy, cookie consent and data processor agreements.
  • Below 15: Start with the basics: privacy policy, cookie banner and identify your data processors.

For more context on each item, read the full GDPR obligations guide for Dutch entrepreneurs or scan your website free to see what tracking tools are actually running.


This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.
