Create your privacy statement in 15 minutes

Privacy Statement

The total price for this privacy statement is €200,00 ex. vat. This amount will be invoiced once this form is completed.

Starting from May 25, 2018, all businesses (including self-employed individuals and small and medium-sized enterprises) that process personal data are required to provide better information about their privacy policy. This is done through a Privacy Statement. It is legally required, helps avoid fines, and shows your customers that you handle their personal data responsibly.

Do I need a privacy policy?

The General Data Protection Regulation (GDPR) mandates that all businesses and self-employed individuals in the Netherlands who process personal data must adhere to the obligation to inform. A privacy policy is a straightforward way to meet this requirement. Typically, nearly all businesses meet their obligation to inform through a privacy policy.

Processing personal data is an activity almost every business carries out nowadays. The term "processing" encompasses all actions related to personal data: collecting, recording, consulting, retrieving, etc. For example, storing a customer's name in a client database is a form of processing personal data, which means there's a high likelihood you'll need a privacy policy.

Advantages of a privacy policy

The Dutch Data Protection Authority (DPA) ensures that all privacy and personal data regulations are strictly followed. Non-compliance can lead to substantial fines, sometimes even up to 4% of annual revenue. A privacy policy is one of the documents that helps you avoid such fines.

Moreover, a privacy policy serves as a marketing tool. It differentiates you from others and builds trust by informing your customer or client about the extensive measures you take to safeguard their privacy. Also, it lets your clients know what to expect, contributing positively to your business's image.

What does a privacy policy entail?

In a privacy policy, you define things like:

  • The use of personal data
  • The source of personal data
  • If data is shared with third parties
  • How personal data can be amended
  • The rights of the customer/client

How long can I keep personal data?

While many businesses would prefer to keep data indefinitely because it might prove useful later, this is not allowed. When collecting data, you must consider beforehand how long you genuinely need certain data.

You are allowed to use personal data only for predetermined, legally permissible purposes. Once you no longer need specific data to achieve that purpose, you must delete or anonymize the data.

Some examples:

  • You keep a personnel file for all your employees because it is legally required. Once an employee leaves your company and all salary payments have been made, you must delete their personnel file.
  • You have customer data in your financial records. You are legally required to keep this data for seven years for tax audit purposes. After those seven years, you must delete your customers' personal data from your records.
  • You keep email addresses and purchase history of your customers to later send them information about offers. Over time, the purchase history is filled with very old orders that are no longer relevant. You must then delete these data.

I've created a privacy policy… What's next?

You use your privacy policy to inform the data subject about the data you process about them, the purposes of this processing, and the rights they have. You must bring the privacy policy to the attention of the data subject before obtaining their personal data. The data subject doesn't need to sign the privacy policy; it's not a contract but an informational document.

One of the key obligations of the GDPR is to inform the person whose data you process - the data subject - about this. If at all possible, you should do this before you obtain their data.

Many entities collect data through their website. In that case, the website itself is obviously the best place. You can place the privacy policy, for example, in your website's footer.

When users place an order or create an account, it's a good idea to include a link to the privacy policy at the final step. This ensures that your users have had the opportunity to read your privacy policy.

What constitutes personal data?

The concept of 'personal data' is broadly interpreted. It doesn't only refer to someone's name, but to any data that can be used to identify a person. A unique number, a home address, a postal code, an IP address—all qualify as personal data. Data in a database that's linked to such identifiers becomes personal data due to that association. Pseudonymized data (like hashed or encrypted data) also fall into the category of personal data.

Indirectly identifying data

Data that allows only indirect identification of an individual also qualifies as personal data. For instance, if you have a database storing only location data, this data could be so unique that only a small group of people could potentially have that location pattern. In such cases, it still constitutes personal data.

Business data

Even when you process data solely about small businesses, it usually involves handling personal data. This is because a business can be a sole proprietorship or a company with only one employee.

Some examples of personal data include:

- Account number
- Pictures
- Professional activities
- Habits
- Mortgages
- Interest in a product
- Name, address, and phone number (NAP) data
- Profile picture
- Travel behavior
- Social contacts
- Solvency
- Surfing behavior
- Telephone number
- Expenditures