Employee Data Protection in the Netherlands

Employee Data Protection (Bescherming Persoonsgegevens) in the Netherlands

The protection of employee personal data is governed primarily by the Algemene verordening gegevensbescherming (AVG/GDPR) and the Dutch implementation statute, the Uitvoeringswet AVG (UAVG). In the employment context, employers routinely process extensive categories of personal data: identification, payroll, attendance, performance assessments, disciplinary records, health information, and - increasingly - data derived from monitoring tools and productivity software. Each category of processing must be grounded in a valid AVG legal basis, must serve a specified and legitimate purpose, and must not exceed what is necessary for that purpose.

Special categories of data in employment under Dutch law

Certain categories of data receive heightened protection under Article 9 AVG. In the employment context, the most relevant are health data (medical information, sick leave records, disability status) and biometric data (fingerprints used for access control). The UAVG specifies the conditions under which these may be processed:

  1. Health data: Only the bedrijfsarts and occupational health professionals may process clinical health data. The employer receives only functional information. Employers who retain medical certificates or doctors' letters without the employee's consent breach the AVG.
  2. Biometric data: Only permitted if no less intrusive alternative exists and the processing is proportionate. The Autoriteit Persoonsgegevens (AP) has found that fingerprint-based time registration is disproportionate where a less intrusive alternative (such as a PIN) is available.

Employee data subject rights in the Netherlands

Employees have the full suite of AVG data subject rights against their employer: the right of access (Article 15 AVG), rectification (Article 16), erasure (Article 17, subject to legal retention obligations), restriction (Article 18), and the right to object to processing based on legitimate interests (Article 21). The employer must respond within one month and provide a full account of what data it holds and on what basis. Failure to respond is itself an AVG violation. See also employee privacy under the AVG and monitoring employees. For specialist advice, consult an employment lawyer in the Netherlands.

The former Act on the Protection of Personal Data, which required unequivocal consent for processing employee personal data, was revoked in 2018 and replaced by the GDPR, which applies to any structured set of personnel data accessible to third persons. The Medical Examinations Act (Wet op de medische keuringen) restricts the ability of employers to require medical examinations from applicants and employees, and sets detailed procedural requirements that supplement GDPR protections in the employment context.


