AVG/GDPR Rights in the Netherlands: A Complete Guide to Your Data Privacy Rights

The Algemene Verordening Gegevensbescherming (AVG) — the Dutch implementation of the EU's General Data Protection Regulation (GDPR) — gives you powerful rights over your personal data. Every company, organisation, and government body that processes your data must comply. Yet most Dutch residents barely use these rights, often because they do not know what they are entitled to or how to exercise those rights.

This guide explains each AVG right in practical terms, with step-by-step instructions for exercising them and filing complaints with the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority.

Your AVG/GDPR Rights at a Glance

Right	What It Means	Common Use Cases
Right of access (inzagerecht)	See what data an organisation holds about you	Checking what your employer, insurer, or social media stores
Right to rectification	Correct inaccurate data	Wrong address, name spelling, outdated information
Right to erasure	Request deletion of your data	Removing old accounts, deleting marketing profiles
Right to data portability	Receive your data in a transferable format	Switching banks, moving between service providers
Right to object	Stop processing of your data	Opting out of direct marketing, profiling
Right to restriction	Limit how your data is used	During a dispute about data accuracy
Right regarding automated decisions	Challenge decisions made purely by algorithms	Credit scoring, automated job screening

Right of Access (Inzagerecht)

This is your most powerful and commonly used right. Any organisation that has your personal data must tell you:

• What data they hold about you
• Why they process it (the legal basis)
• Who they share it with (third parties, other companies)
• How long they keep it (retention periods)
• Where the data came from (if they did not collect it from you directly)

How to Submit an Access Request

1. Identify the organisation's data protection contact. Most companies list a privacy contact or Data Protection Officer (DPO) on their website, often in their privacy policy.
2. Send a written request via email. You do not need to use any specific format, but include:
   • Your full name and contact details
   • A clear statement that you are exercising your right of access under the AVG
   • Specify what data you want to see (or request all personal data they hold)
3. Provide identification if requested. The organisation may ask for proof of identity, but they cannot ask for more than necessary (e.g., they should not need your BSN just to process an access request).
4. Wait for the response. The organisation has 30 days to respond. They can extend this by 60 days for complex requests, but must notify you of the extension within the first 30 days.
5. The response must be free. Organisations cannot charge you for the first copy of your data. They may charge a reasonable fee for additional copies.

Sample Access Request Email

Subject: AVG Inzageverzoek / Data Access Request

Dear Data Protection Officer,

Under Article 15 of the AVG/GDPR, I am requesting access to all personal data your organisation processes about me. Please provide:

• A copy of all my personal data
• The purposes of processing
• The categories of recipients with whom my data has been shared
• The retention periods for my data

My details: [Name, email address, customer/account number if applicable]

Please respond within 30 days as required by law.

Right to Erasure (Right to Be Forgotten)

You can request deletion of your personal data when:

• The data is no longer necessary for the original purpose
• You withdraw your consent
• You object to processing and there is no overriding legitimate interest
• The data was processed unlawfully
• The data must be deleted to comply with a legal obligation

Important Limitations

Organisations can refuse deletion when:

• They are legally required to keep the data (e.g., tax records for 7 years)
• The data is necessary for legal claims
• There is an overriding public interest (e.g., public health)
• The data is needed for journalistic, academic, or statistical purposes

Practical Tips for Deletion Requests

• Be specific about what you want deleted — all data, specific categories, or data from a specific period.
• Close your account first if you no longer use the service, then request deletion of remaining data.
• Follow up if you do not receive a confirmation within 30 days.
• Request confirmation that all data has been deleted, including backups (organisations have a reasonable time to purge backups).

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format. You can also request that the organisation transfer your data directly to another service provider.

This right applies when:

• Processing is based on your consent or a contract
• Processing is carried out by automated means

When This Is Useful

• Switching banks — Request your transaction history in a standard format
• Changing health insurers — Transfer your claims history
• Moving between cloud services — Export your data from one provider to import into another
• Switching email providers — Transfer your contacts and email data

Right to Object

You can object to processing of your data in several situations:

Direct Marketing

You have an absolute right to object to processing for direct marketing purposes. The organisation must stop immediately — no exceptions.

Profiling

If an organisation profiles you (creates a profile based on your data to make predictions or decisions), you can object. They must stop unless they can demonstrate "compelling legitimate grounds."

Public Interest or Legitimate Interest Processing

When processing is based on public interest or the organisation's legitimate interest, you can object. They must stop unless they can demonstrate that their interests override yours.

Filing a Complaint with the Autoriteit Persoonsgegevens

If an organisation does not comply with your AVG rights, you can file a complaint with the Autoriteit Persoonsgegevens (AP).

Before Filing

1. Exercise your rights directly first. The AP expects you to contact the organisation before complaining.
2. Wait the legal response time (30 days, extendable to 90 for complex requests).
3. Document everything — keep copies of your requests and the organisation's responses (or lack thereof).

How to File

1. Visit autoriteitpersoonsgegevens.nl and use the online complaint form (klacht indienen).
2. Provide:
   • Your details
   • The organisation you are complaining about
   • What right you tried to exercise
   • Copies of your correspondence
   • The response you received (or confirmation that no response came)
3. The AP will assess your complaint and decide whether to investigate.

What the AP Can Do

• Investigate the organisation
• Issue warnings or reprimands
• Order compliance — force the organisation to respond to your request
• Impose fines — up to 20 million euros or 4% of global annual turnover

Protecting Your Personal Data Proactively

While AVG rights help you control data after it has been collected, prevention is better than cure. Here are practical steps:

• Minimise data sharing. Only provide what is strictly necessary. A gym does not need your BSN. An online shop does not need your date of birth.
• Read privacy policies — at minimum, check what data is collected and with whom it is shared.
• Use separate email addresses for different services to limit cross-tracking.
• Exercise your rights regularly. Make an annual habit of requesting data from organisations you interact with.

When you need to share personal documents — ID copies, BSN-containing documents, or sensitive personal information — use secure, temporary channels. LOCK.PUB lets you create encrypted, password-protected memos and links with automatic expiration. Instead of emailing a copy of your ID that sits in someone's inbox forever, create a LOCK.PUB link that expires after the recipient has seen it.

Your AVG Rights by Situation

Situation	Right to Use	What to Request
Left a job	Erasure + Access	Delete personal files, request copy of employee data
Switched banks	Portability + Erasure	Transfer data, delete old account records
Getting spam emails	Object + Erasure	Stop direct marketing, delete marketing profile
Denied credit	Access + Automated decisions	See your credit data, challenge the algorithm
Found wrong info online	Rectification + Erasure	Correct or delete inaccurate data
Old social media account	Erasure	Delete all data associated with the account
Data breach notification	Access	Find out what data was exposed

AVG Enforcement in the Netherlands

Metric	Figure
AP complaints received annually	25,000+
Average time to resolve complaint	3-6 months
Largest Dutch fine to date	Tens of millions (varies by year)
Most common complaint type	Right of access / failure to respond
Sectors with most complaints	Telecom, healthcare, finance, government

The Bottom Line

Your AVG rights are real, enforceable, and free to exercise. Do not let the legal language intimidate you — at its core, AVG says you own your data and organisations must respect that. Start by requesting access from a few organisations you interact with regularly. You will likely be surprised by how much data they hold.

For sharing sensitive personal data when you must, use LOCK.PUB to create encrypted memos and links with automatic expiration. Control your data at every step — from what organisations collect to how you share it yourself.

---

Protect your personal data with LOCK.PUB — encrypted, password-protected sharing with automatic expiration.