Personal data on the Internet
Many people publish data about themselves or about others on the Internet, such as photos on Instagram. Organisations also place personal data on the Internet. The consequences of this practice can be significant for the people concerned. Because once data have been placed on the Internet, they can often still be found there after many years. This may have negative consequences, for example, when applying for a job.
On this page
Legal basis of consent
No one is allowed to publish personal data of someone else on the Internet without a good reason. This is in principle only allowed if there is a legal basis from the General Data Protection Regulation (GDPR) for doing so. In the case of public disclosure on the Internet, this is almost always the legal basis of consent.
Exceptions apply for personal/domestic use and journalism.
Removing personal data
If someone's data are on the Internet, the person concerned has the right to have these data removed. For example, because they are no longer necessary for the purpose for which they were collected or processed, there no legal basis for processing (anymore), or because the processing is unlawful.
Doxing
Doxing is the collection or disclosure of personal information about someone else for the purpose of scaring or harassing that person. Doxing is punishable.
Quick answers
How do I know who the owner of a website is?
First check out the website to see if you can find any contact information. Webshops and others providers of online services are always obliged to state their contact details on their website. This will in any case be an email address or a contact form.
Are you unable to find contact details on the website? Then you can find the name of the owner through a website with domain registrations, via the website of Stichting Internet Domeinregistratie Nederland (SIDN).
Please note: you will only see the owner's email address. Does this fail to reach the owner? In some cases you can ask SIDN for more contact details. See: SIDN and privacy.
The police have access to even more extensive data in the WHOIS register. We recommend that you report serious violations and crimes.
Find contact details on a foreign website
Is it a foreign website? Then search via Whois.net.
Can I access my data usage at my internet provider?
Do you have a question about your internet provider's invoice for your data usage? Do you want to know, for example, which websites or apps used how many data at what times? Your internet provider can only give you access if you have given advance consent for retaining these data. If you have not done this, your provider will not have the data.
Data traffic contents
Your internet provider is in principle not allowed to know anything about the contents of your data traffic, such as which websites you have visited. This requires analysis of the data traffic (‘deep packet inspection’). An internet provider is only allowed to carry out such analysis if this is strictly necessary for a technical purpose, such as network management.
When carrying out such analysis, your internet provider must anonymise your data immediately. Your provider is not allowed to retain analyses at an individual level. Unless you, as a customer, have give advance consent for this purpose. Your provider must inform you about this option.
What do I have to pay attention to if people can register for my event through the Internet?
When you organise an event, you will often want to know in advance who will attend. In that case, it is convenient when visitors can register through the Internet. Pay attention then to the following things, in any case.
Security
The data of the registration form must be sent through a secure connection.
Quantity of data
Do not ask for more data than necessary. Do you only want to know the number of visitors and make name badges? Then asking for the first name, last name, position and organisation is usually enough.
Another example: registering the age is not necessary if you only want to know if someone is an adult. In that case, you can ask if someone was born before a specific year.
Informing
Explain properly why you collect the data. You can do this in your privacy statement. But explaining this in the form often provides more clarity.
Retaining data
Do not retain the data longer than necessary. This usually means that you have to remove the data after the end of the event. Do you need the data longer, for example for collecting payments? Then you must remove the data immediately after you have done this.
You are allowed retain aggregated, anonymous data, though. For example, that a total of 10 people had registered for your event.
Newsletter
Do you want to send visitors a newsletter about your products or services? This is only allowed if visitors state clearly in advance that they want to receive that newsletter. For example, by ticking a box. You must also offer the visitors the option to unsubscribe in every newsletter you send.
External registration system
Do you want to use a registration system that is offered by another organisation? This is possible, but you will have to conclude a processing agreement with that organisation in this case. In this agreement, you have to set out, among other things, that the organisation will not use the collected data for its own purposes and secure the data properly. In this case, the points for attention described above will also apply. You remain responsible for the data processing.
Sharing a list of participants
Do you want to share the list of participants of your event among your visitors, to facilitate networking by them, for example? Then ask the visitors in advance which contact details they want to share. Maybe they want to share a business telephone number, but do not want to have their private number placed on the list.
You can simply ask for consent at the time a person registers for the event. This consent must be given freely and unambiguously. You must be able to demonstrate that you have obtained consent.
