Employee Privacy and GDPR in the Netherlands

Eva Jongepier - employment lawyer in the Netherlands
April 23rd, 2026

Employee Privacy and the AVG (GDPR) in the Netherlands

The Algemene verordening gegevensbescherming (AVG - the Dutch implementation of the EU General Data Protection Regulation, GDPR) applies in full to the employment context. Employers process large amounts of personal data about employees - salary, attendance, performance, health, location - and must do so in compliance with the AVG's principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and security.

The AVG is supplemented in the Netherlands by the Uitvoeringswet AVG (UAVG), which addresses specific national derogations, including the conditions under which employers may process special categories of data (such as health data and biometric data) and the framework for employee monitoring.

Legal bases for processing employee data in the Netherlands

The most commonly applicable legal bases for employer data processing are:

Performance of the employment contract (Art. 6(1)(b) AVG): Processing necessary to manage the employment relationship - payroll, absence tracking, expense reimbursement.
Legal obligation (Art. 6(1)(c) AVG): Processing required by law - tax reporting, UWV reporting, Arbowet compliance.
Legitimate interests (Art. 6(1)(f) AVG): Business monitoring, security, and fraud prevention, subject to a proportionality test. This basis requires a balancing test and may be overridden by employee rights.
Consent (Art. 6(1)(a) AVG): Valid only if genuinely freely given. Given the inherent power imbalance in employment, consent is rarely a reliable basis for employer processing of employee data. The UAVG and the Autoriteit Persoonsgegevens (AP) take a strict approach to employment consent.

Health data and the bedrijfsarts under Dutch law

Health data is a special category under Article 9 AVG and may only be processed under strict conditions. Employers may not record diagnoses; only the bedrijfsarts may process clinical information. The employer may process only functional information (what the employee can and cannot do at work). For related issues, see employee data protection, monitoring employees, and the company doctor. Consult an employment lawyer in the Netherlands for AVG compliance in employment.

The Dutch implementing statute for the GDPR is the Uitvoeringswet AVG, which created the Autoriteit Persoonsgegevens to enforce the GDPR and advise the government on its implementation. The employment relationship provides a legitimate basis for data processing under Articles 5 and 6 GDPR, but the purpose must be identified and shown necessary and proportionate; employees have the right to fair and transparent data processing, access to their personal data, and rectification under Article 8 GDPR. Company privacy arrangements are subject to works council consent under the WOR.

Frequently Asked Questions

Can an employer demand that an employee consent to data processing as a condition of employment?

No. The Autoriteit Persoonsgegevens and the European Data Protection Board take the position that consent in an employment context is presumptively not freely given, given the power imbalance. Employers should therefore base processing on contract necessity, legal obligation, or legitimate interests rather than consent. Where consent is used, it must be genuinely voluntary and withdrawable without negative consequences.

How long can an employer retain employee data after the employment relationship ends?

Retention periods depend on the category of data: payroll and fiscal records must be retained for seven years (statutory fiscal obligation); personnel files are typically retained for up to two years post-employment; data relating to ongoing disputes or legal proceedings may be retained for the duration of the limitation period. Employers should adopt a data retention policy specifying periods for each category and implement deletion procedures.

Does an employee have the right to access all data the employer holds about them?

Yes, under Article 15 AVG. The employee may submit a subject access request to the employer and receive a copy of all personal data held about them, together with information about the processing purposes, recipients, and retention periods. The employer must respond within one month. Certain exemptions apply - for example, legally privileged documents or data containing third-party personal data that cannot be redacted.

What are the consequences of an employer breaching the AVG?

The Autoriteit Persoonsgegevens may impose administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher. Employees may also bring civil claims for damages under Article 82 AVG. In practice, AP enforcement in the employment context has focused on unlawful monitoring, impermissible health data processing, and failure to respond to subject access requests.