The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) announced last week that it will conduct random inspections of various municipalities in the coming months (AP gaat op inspectie bij gemeenten | Autoriteit Persoonsgegevens). The purpose of these inspections is to assess how municipalities handle citizens' personal data and privacy. This initiative follows the 2024 Government Sector Report, which revealed that public authorities do not always fully comply with the GDPR. This is particularly concerning given that government organizations are collecting more personal data than ever before—and increasingly seeking to link these data sets.
The Dutch Data Protection Authority (AP) has indicated that during inspections it will examine, among other things:
Privacy and security are two closely related topics. Under the GDPR, the data controller is required to implement appropriate technical and organizational measures to secure personal data. The Cybersecurity Act (the Dutch implementation of the NIS2 Directive) also imposes security requirements and includes, among other things, a number of minimum security measures that municipalities must take.
In practice, privacy and security also prove to be closely linked. It is not uncommon for a cyber incident to involve personal data that, under the GDPR, may not, or may no longer, be processed. Nevertheless, according to the AP, those affected must be informed about the cyber incident in almost all cases.
Would you like to know more about the obligations arising from both the GDPR and the Cybersecurity Act? Please do not hesitate to contact one of our specialists or Natascha van Duuren, Partner & Attorney at Law for IT, Privacy & Cybersecurity.