Privacy statements often overlooked

What happens to my personal data?

Whenever I fill in a form or buy something on-line, I am letting the website record my personal data. But what happens to my data afterwards? What is the company running the website allowed to do with it? It's a question that few internet users ask, but that anyone whose website gathers personal data really ought to consider.

Why have a privacy statement?

To protect internet shoppers and other website visitors, Dutch law requires anyone who gathers personal data on line to inform people before taking the data (Data Protection Act, Section 33). That requirement can be met by providing a privacy statement for the customer or visitor to read. The statement can be included in the organisation's terms and conditions, or it can take the form of a separate document. In the privacy statement, a website controller has to explain clearly what is going to happen to your personal data. Unfortunately, a lot of companies don't actually provide privacy statements. Either they don't know about the requirement, or they misinterpret it. A common mistake is not drawing the visitor's attention to the statement until after the personal data has been submitted.

Study of privacy statements in .nl

Last year, SIDN investigated the situation with privacy statements in the .nl zone. The study involved trawling through the entire zone. Using a 'crawler' and Chamber of Commerce data, we began by establishing how many .nl websites gathered personal data. We then counted the number of sites that had content that looked as if it could be some form of privacy statement. We took a broad view of what might be a privacy statement: we included terms and conditions documents, for example. We did not consider the quality of the content in question.

Most sites don't have privacy statements

Within the .nl zone, there are more than a million Dutch business websites. Our research revealed that 600,000 of those sites gather personal data. However, only about 160,000 have a page with legal info that could serve as a privacy statement, e.g. a privacy policy page, a legal page or a terms and conditions page. That is a strikingly small proportion, although we should point out that most of the major webshops familiar to the Dutch public are doing things correctly.

Does your website comply with the Data Protection Act?

Drawing up a privacy statement isn't difficult. Many companies already have privacy-related provisions in their terms and conditions, but are simply failing to display them on their websites as they should. If you need help deciding what should go in your privacy statement, you'll find various tools on line. For example, and has a privacy policy generator. Before publishing your statement, don't forget to clear it with your legal advisor.


  • Friday 19 April 2019

    Internet security

    Major data breach at youth services organisation could have been prevented


    Others warned about the risk posed by cancelled domain names

    Read more
  • Tuesday 18 February 2020

    Internet security

    Bosses are overoptimistic about cybercrime


    Crooks target all sorts of organisations

    Read more
  • Monday 4 November 2019

    Internet security

    Cheap connected home devices threatening our security and privacy


    Maintaining control over home and access networks. Download the white paper.

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.