What is the AVG?
The AVG (Algemene Verordening Gegevensbescherming) is the Dutch translation of the GDPR (General Data Protection Regulation): the European privacy law that has been in force since 25 May 2018.
The AVG governs how organisations may collect, use, retain and protect personal data, with the goal of safeguarding citizens' privacy.
Why is the AVG important?
- Requires organisations to handle personal data responsibly
- Emphasises transparency, consent and security
- Grants data subjects rights such as access, correction and erasure
- Sets requirements for breach notifications, processor agreements and risk assessments
- Imposes substantial fines for breaches (max. €20 million or 4% of worldwide turnover)
What are personal data?
Under the AVG this is any information that can be traced directly or indirectly to a person, such as:
- Name, email address, IP address, photograph
- Location data, medical data, BSN (Dutch citizen service number)
- HR records, camera footage, access logs
Key principles of the AVG
| Principle | Explanation |
|---|---|
| Purpose limitation | Data may only be used for a clear, specified purpose |
| Data minimisation | Collect no more than is necessary |
| Transparency | Inform data subjects clearly about what you do with their data |
| Security | Take appropriate technical and organisational measures |
| Accountability | You must be able to demonstrate compliance with the AVG |
Technical measures (link to cybersecurity)
To comply with the AVG, the following security measures are particularly relevant:
- Data encryption
- Access management & MFA
- SIEM & monitoring for data breaches
- Incident Response Plan for notifiable incidents
- Regular testing, assessment and evaluation of measures
What about a data breach?
- Data breach = loss, theft or unauthorised access to personal data
- Must be reported within 72 hours to the Dutch Data Protection Authority (AP)
- Inform affected individuals if there is a risk of harm
- Document every incident (even if no notification is required)
Obligations under the AVG
| Obligation | For whom? |
|---|---|
| Maintain a record of processing activities | Organisations that process personal data |
| Conclude a data processing agreement | When outsourcing to external parties |
| Report data breaches | To the Data Protection Authority and data subjects |
| Carry out a DPIA | For high-risk processing |
| Appoint a DPO (Data Protection Officer) | Government bodies or large-scale processing |
In summary
The AVG is the European privacy law that governs how to handle personal data responsibly and securely. Organisations must process data in a transparent, purposeful and secure manner; failing that, they risk fines and reputational damage.
