From EU to NL: A Guide on AVG & Business Expansion to the Netherlands

If you are the owner of an EU business that is looking to expand into Holland, it is important to have a full understanding of the different regulations and laws that will apply to you in Dutch business law. Data protection and privacy should always be central to any business operating within the EU, and this is why you may consider outsourcing to a DPO that is a native Dutch speaker and understands everything that is required of your company as it expands into the Netherlands. This representative for your company in Dutch is externe functionaris gegevensbescherming.

GDPR is an EU regulation that ensures that businesses, organisations, and individual entrepreneurs act with care and responsibility when processing personal data relating to their customers, employees, and suppliers. If you are considering expanding your business operations to Holland, there are a few things you need to understand, which is why you should consider outsourcing to a DPO with knowledge of Dutch business law, taxation issues in the country, and Dutch language skills.

The Dutch AVG came into effect in May 2018, and the Dutch Data Protection Authority (AP) has the power to impose fines on any organisation that fails to comply with the regulations. This could be as high as €20 million or 4% of the global annual turnover of the company. Here is a rundown of what you need to be aware of when expanding your business to Holland.

Awareness of the regulations

The first thing to consider is that the owners and management of your business or organisation, the policymakers, must be fully aware of the regulations and what they mean in practice for the business. It can take a while for the culture of a company to evolve in such a way that everyone is on board, singing from the same hymn sheet and knows how to act during every process.

What are the rights of the data subjects?

The individual that the data relates to (the data subject) has more privacy rights under GDPR than they did previously. You must make sure that every individual has a right to access their personal data, the right to correct or remove information, and the right to data portability.

Document and overview

Everything must be clearly documented from start to finish, outlining the purpose of its use, the source of the data, and where the data is shared. This complete overview of the process should be made available to show compliance with AVG.


Data Protection Impact Assessments can sometimes be an obligation under the AVG. A DPIA is used to map out the processing system a company has in place and to list the potential risks and the different levels of risk. This is important as it provides the data from which risk reduction measures can be designed and implemented.

Different types of privacy

You can only collect data that has a specific purpose for processing. When designing your services and products it is therefore important to consider how you make sure that personal data is fully protected.

Outsource a DPO

It might be a requirement to appoint an official data protection officer, and if you are expanding into a different country from where your business originally operated, it is even more important to consider outsourcing to a native speaker.

Strict reporting rules

There are strict rules relating to the requirements for reporting data leaks under the AVG. This means that every single data leak must be documented and reported to the relevant authorities. This follows on from clear DPIAs and implementing a robust process of data flow management.

Outsourced agreements

In some cases, where you outsource the data processing that your company undertakes, you’ll need to assess what changes are needed to the contract agreements that ensure everything meets AVG regulations. An outsourced DPO will understand what is required from every stage of the process.

Ask for permission

As there are strict regulations relating to consent, it is important that your business asks for consent from the individual data subjects in a clear and transparent manner. You must have the ability to explain the reason for data collection and processing and show how the data is processed and provide the individual with all the options to remove or correct the data if requested.          

Searching for ‘externe functionaris gegevensbescherming’ will help your expanding EU business to find the right Dutch-speaking representative to look after all aspects of data protection and the systems you have in place for data security as you begin to operate in the Netherlands. Outsourcing a DPO should be near the top of your list of priorities as a growing business, as the implementation of GDPR, or AVG (Algemene Verordening Gegevensbescherming) as it is known in Holland.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.