Privacy rights under the GDPR

People have a number of rights if organisations use their personal data. These can be found in the General Data Protection Regulation (GDPR). We call these rights ‘privacy rights’. These rights are intended to enable people to stay in control of their personal data.

On this page

  1. General information

People have the right, for example, to know what an organisation does with their personal data. And they can ask organisations, among other things, for access to their data and for rectification or removal of their data.

This subject contains an explanation about the different privacy rights, called ‘data subjects' rights’ in the GDPR. A description of how people can use their privacy rights can also be found here. Organisations can also find information about what they have to do when they receive a request, such as a request for access.

Quick answers

For citizens

2 questions and answers

How do I initiate application proceedings with the court?

You initiate application proceedings by writing a letter to the civil-law sector of the district court. You do not need a lawyer to do this.

Conflict about privacy rights

You have privacy rights. Such as the right to access your data, to have your data rectified or removed. You can, for example, ask an organisation to give you access to your data.

The organisation has to reply to your request within 1 month. Does the organisation fail to do this? Or do you receive a response, but are you not satisfied with it? Then you can initiate application proceedings.

Note: this only applies if it concerns a business. Does it concern a government organisation? And does this organisation not respond? Then you can give the organisation notice of default for failure to decide in time. Do you receive a response, but are you not satisfied? Then you can object.

Normally, you need a lawyer for submitting your application to the civil court. But this does not apply if the case concerns your privacy rights. This is an exception that can be found in Article 35, paragraph 4 of the GDPR Implementation Act.

Contents of the application

It is important that you explain the situation in your letter. And that you indicate exactly what you want the court to do. You can ask the court, for example, to order a website administrator to remove your data from a certain website. Or you can ask for access to your file at an organisation.

You can also ask the court, for example, for adjustment of incorrect personal data, restriction of the use of your data, or transfer of your data to another organisation.

Support your story by adding copies of evidence and other important documents to your letter.

Address of the court

On rechtspraak.nl you can find the address of the court in your district where you can send your letter.

Period for application

You have to send your letter within 6 weeks after you received the organisation's answer to your request. Did the organisation not respond in time? Then you do not have to submit your application before a specific date.

Summons

Do you want the court to forbid the use of your personal data by an organisation? Or have you suffered damage because an organisation does not use your personal data in accordance with the law? Then you can initiate summons proceedings against that organisation.

How do I initiate summons proceedings with the court?

Do you want the court to forbid the use of your personal data by an organisation? Or have you suffered damage because an organisation does not use your personal data in accordance with the law? Then you can initiate summons proceedings against that organisation. You need a bailiff to do this.

Summons

A summons is a letter to the organisation in which you summon the organisation to appear before the court. A bailiff issues the summons to the organisation and sends the summons to the court.

On rechtspraak.nl you can find more information about the:

Related themes and topics

Basic GDPR

GDPR basics

The most important law that has the protection of personal data as its subject is the General Data Protection Regulation (GDPR).
Go to subject