We see many small business owners who may be unknowingly violating GDPR and other local laws. Our goal here is to spread awareness and help those businesses get compliant and set themselves up for future success.


This article is intended for informational purposes only and does not constitute legal advice. GDPR compliance is a complex area of law, and requirements may vary depending on your specific business activities. If you have questions about your obligations, consult a qualified attorney.

Who Does GDPR Apply To?

GDPR applies based on where your customers are, not where your business is. If you have even one customer or website visitor in the EU, GDPR applies to you, regardless of where your business is based. Individual EU member states may also have laws that work alongside GDPR. This checklist includes a section covering additional requirements for businesses operating in the Netherlands.


Section 1: Your Website

Lawful Basis for Processing

You must have a valid legal reason, called a lawful basis, before collecting any personal data. Consent is the most relevant basis for email marketing, but other processing (like storing a client’s details to fulfill a contract) may rely on a different basis. Document the lawful basis for every type of data you collect.

Privacy Policy

Your privacy policy must explain what data you collect, why you require it, how it’s used, and how long you keep it. A generic template or an AI-generated policy may not reflect your actual practices, so make sure yours is accurate and reviewed regularly by a legal expert.

Data Minimization

Only collect data you actually need. If you have no use for a date of birth or a favorite product, don’t ask for it. Unnecessary data collection creates compliance risk and erodes user trust.

Data Retention

Don’t keep personal data longer than necessary. State your retention periods in your privacy policy and delete data when it’s no longer needed.

Note: Some data, like financial records, have legally mandated retention periods.

Cookie Consent Banner

Display a cookie consent banner on every visitor’s first visit, giving them a real choice to accept or decline non-essential cookies. Pre-checked boxes and notice-only banners don’t meet GDPR requirements.

Cookie Policy

Link a cookie policy from your consent banner explaining what cookies your site uses, their purpose, and how users can manage their preferences.

Secure Data Storage

Personal data collected through your website must be stored securely. Encryption is the standard. Confirm this is in place with your website host or platform.

Data Access Request Process

Users have the right to access, correct, or delete their personal data. Have a documented, responsive process in place to handle these requests.

Data Processing Agreements

If a third party processes personal data on your behalf (e.g., your email platform, booking tool, or accountant), you must have a data processing agreement (DPA) with them. You remain responsible for their compliance.

Data Breaches

A breach, like emailing personal data to the wrong person, losing an unencrypted device, or a cyberattack, must be reported to your local supervisory authority within 72 hours. Document all breaches internally, even those that don’t require reporting. If a breach poses a high risk to those affected, notify them directly as well.

Website Footer

Your footer must include:

  • Business name (including legal entity, e.g., B.V., Ltd.)
  • Physical business address
  • Contact information (email and/or phone)
  • Links to your Privacy Policy and Cookie Policy
  • A Data Subject Access Request (DSAR) form or link
  • A link to your Terms & Conditions (best practice, not a legal requirement)

Section 2: Your Email Footer

Business Name & Physical Address

Every marketing email must include your business name and a valid physical address.

Sender Identity

Your “From” name and email address must accurately identify who is sending the email. Disguised or misleading sender identities are prohibited.

Subject Lines

Subject lines must accurately reflect the content of the email. Misleading or deceptive subject lines are prohibited.

Unsubscribe Link

Every marketing email must include a visible, one-click unsubscribe link; customers should not have to log in to a system to unsubscribe. Honor unsubscribe requests immediately and remove the person from your list promptly. Most modern CRMs and ESPs handle this automatically.

Note: In most email systems, if a person unsubscribes from a list while an email is already scheduled for them, that scheduled email will still be sent. After that message, the customer will receive no further emails.

Privacy Policy Link

Include a link to your privacy policy in every marketing email. Your privacy policy must inform customers about what data you collect, how you collect it, how long you keep it, and what you use it for.


Section 3: Your Forms

Explicit Opt-In

Consent must be actively given. Pre-checked boxes and implied consent don’t meet GDPR requirements. Users must take a clear, affirmative action, like checking an empty box.

Don’t gate content behind a subscription. Requiring opt-in consent to access content is not compliant.

Specific Consent

Consent must be specific to what you’re sending. If you send multiple content types (e.g., a newsletter and promotional offers), get separate consent for each. Multiple labeled checkboxes on one form work well.

Privacy Policy Link

Every sign-up form must include a visible link to your privacy policy.

Right to Withdraw

Tell users at sign-up that they can withdraw consent at any time. A simple line like “You can unsubscribe at any time” satisfies this requirement.

Consent Records

Keep a record of when and how each subscriber consented and what they agreed to receive. This is your proof of compliance.

Right to Object

Subscribers can object to the use of their data for marketing purposes at any time, even if they previously gave consent.

Children’s Data

If your service could be accessed by anyone under 16, parental consent is required. Some member states require parental consent for anyone under 13, so check with an attorney. Most small business services won’t have to worry about this, but be aware if your audience may include minors.

Double Opt-In

A confirmation email requiring users to verify their subscription creates a timestamped consent record and validates the email address. It’s not legally required, but it is a best practice and strongly recommended.

Third-Party Forms

Embedded tools like booking calendars or external form builders may store data separately from your systems. Your privacy policy must accurately reflect all the ways data is collected across your site, regardless of which tool collects it.


Section 4: The Netherlands (Business, Consumers, and Taxes)

Businesses in the Netherlands have additional obligations under Dutch business and tax law. These are not GDPR requirements, but they apply to your website and business correspondence. Items marked “e-commerce” apply specifically to businesses that sell products or services online. If you are service-based, review these items with your attorney to determine what applies to you. Regardless of what type of business you run, check with your attorney to learn what other laws you may need to be compliant with.

Business Law

KVK Number

Your KVK number, the 8-digit registration number from the Dutch Chamber of Commerce (Kamer van Koophandel), must appear on your website, emails, invoices, and official correspondence.

Required Website Information

In addition to your KVK number and BTW-id, your website must display your business name as registered with KVK, your physical address, email address, phone number, and the days and hours your business can be reached. If you have a complaints procedure or are registered with a disputes committee, that must be listed as well.

Tax Law

VAT Identification Number (BTW-id)

Your BTW-id must appear on your website and invoices. This is your customer-facing VAT number, not the ob-nummer used with the Dutch Tax Administration. Businesses using the small business scheme (KOR) or those exempt from VAT are not required to display it.

GDPR

Dutch Data Protection Authority

The Autoriteit Persoonsgegevens (AP) enforces GDPR in the Netherlands. Individuals can file complaints directly with the AP, which offers a Dutch-language self-assessment tool called the Regelhulp AVG.

Report data breaches to the Autoriteit Persoonsgegevens within 72 hours. See https://autoriteitpersoonsgegevens.nl/ for guidance on what must be reported.

E-commerce

Cancellation Button (Herroepingsknop)

As of June 19, 2026, online sellers must include a clearly visible cancellation button on their website. Customers must be able to cancel a purchase or service. After cancellation, they need to receive a confirmation message stating that the order or service was canceled successfully. This is in addition to, not a replacement for, the standard return form.

Note: This date is subject to final parliamentary approval.

Cancellation & Return Information

Customers must be clearly informed of how to cancel or return a purchase, including the legally required 14-day cooling-off period and a link to the cancellation form.

Consumer Law

Customer Reviews

Only genuine customer reviews may be displayed; AI-generated customer reviews, or reviews by bots, are not permitted. You must explain how you verify them and actually carry out that verification. If you paid for a review or offered a product in exchange for one, you must disclose it. This applies to social media as well.

Countdown Timers

You may only use a countdown timer if the offer genuinely expires when the timer runs out. Fake urgency timers are prohibited and monitored by the ACM (Autoriteit Consument & Markt).

Geo-Blocking

Enforced in the Netherlands by the ACM

You may not refuse customers from other EU countries or treat them differently. You may offer different versions of your website for different EU markets, but customers must be able to choose which version they use. You are permitted to limit delivery to the Netherlands, provided EU customers can specify a Dutch delivery address or pickup point.


While we can’t help you write your policies or act as a data processor, we can help you implement any changes you need, whether that’s updating your website and email footers, adding new policy pages, or fixing your forms. We’ve created a Compliance Checklist to help you get started.

At Little Nudge Marketing, compliance is part of how we build customer experiences within larger email marketing automation strategies. If you’d like help implementing changes, let’s chat.
