Personal data on the Internet

Many people publish information about themselves or others on the Internet, such as photos on Instagram. Organisations also post personal data on the Internet. The consequences of this may be significant for the people concerned. Because once uploaded on the Internet, data usually can still be found there many years later. This may have negative consequences, for example, when applying for a job.

On this page

  1. General information

Legal basis of consent

No one is allowed to publish personal data of someone else on the Internet without a good reason. In principle, this is only allowed if there is a legal basis from the General Data Protection Regulation (GDPR). In the case of publication on the Internet, this is almost always the legal basis consent.

Exceptions apply for personal/domestic use and journalism.

Deleting personal data

If someone's data are on the Internet, that person will have the right to have these data deleted. For example, because they are no longer necessary for the purpose for which they were collected or processed, there is no legal basis for processing (anymore), or because the processing is unlawful.

Doxing 

Doxing is the collection or publication of personal data of someone else, with the aim of scaring or harassing that person. Doxing is also a criminal offense.

Quick answers

How do I know who the owner of a website is?

First see if you can find any contact information on the website. Webshops and other providers of online services are always obliged to state contact details on their website. This will in any case be an email address or a contact form.

Are you unable to find any contact details on the website? Then you can find out who the owner of the website is by consulting a website with domain registrations.

Finding the contact data of a Dutch website

Does it concern a Dutch website, ending in .nl? Then look up the owner of the website through the website of the Foundation for Internet Domain Registration in the Netherlands (Dutch abbreviation: SIDN).

Then contact the person or the organisation mentioned as the 'holder' (owner) of the domain.

Note: you will only see the email address of the owner. Are you unable to reach the owner using this address? In some cases, you can ask SIDN for more contact details. See: SIDN and privacy.

The police have access to more extensive data in the WHOIS register. In the case of serious offences and crimes, we recommend that you report these.

Finding the contact data of a foreign website

Does it concern a foreign website? Search via Whois.net then.

Can I access my data usage at my internet provider?

Do you have a question about your internet provider's invoice for your data usage? Do you want to know, for example, which websites or apps used how many data at what times? Your internet provider can only give you access if you have given advance consent for retaining these data. If you have not done this, your provider will not have the data. 

Data traffic contents

Your internet provider is in principle not allowed to know anything about the contents of your data traffic, such as which websites you have visited. This requires analysis of the data traffic (‘deep packet inspection’). An internet provider is only allowed to carry out such analysis if this is strictly necessary for a technical purpose, such as network management.

When carrying out such analysis, your internet provider must anonymise your data immediately. Your provider is not allowed to retain analyses at an individual level. Unless you, as a customer, have give advance consent for this purpose. Your provider must inform you about this option.

 

What do I have to pay attention to if people can register for my event through the Internet?

When you organise an event, you will often want to know in advance who will attend. In that case, it is convenient when visitors can register through the Internet. Pay attention then to the following things, in any case.

Security

The data of the registration form must be sent through a secure connection.

Quantity of data

Do not ask for more data than necessary. Do you only want to know the number of visitors and make name badges? Then asking for the first name, last name, position and organisation is usually enough.

Another example: registering the age is not necessary if you only want to know if someone is an adult. In that case, you can ask if someone was born before a specific year.

Informing

Explain properly why you collect the data. You can do this in your privacy statement. But explaining this in the form often provides more clarity.

Retaining data

Do not retain the data longer than necessary. This usually means that you have to remove the data after the end of the event. Do you need the data longer, for example for collecting payments? Then you must remove the data immediately after you have done this.

You are allowed retain aggregated, anonymous data, though. For example, that a total of 10 people had registered for your event.

Newsletter

Do you want to send visitors a newsletter about your products or services? This is only allowed if visitors state clearly in advance that they want to receive that newsletter. For example, by ticking a box. You must also offer the visitors the option to unsubscribe in every newsletter you send.

External registration system

Do you want to use a registration system that is offered by another organisation? This is possible, but you will have to conclude a processing agreement with that organisation in this case. In this agreement, you have to set out, among other things, that the organisation will not use the collected data for its own purposes and secure the data properly. In this case, the points for attention described above will also apply. You remain responsible for the data processing.

Sharing a list of participants

Do you want to share the list of participants of your event among your visitors, to facilitate networking by them, for example? Then ask the visitors in advance which contact details they want to share. Maybe they want to share a business telephone number, but do not want to have their private number placed on the list.

You can simply ask for consent at the time a person registers for the event. This consent must be given freely and unambiguously. You must be able to demonstrate that you have obtained consent.

Related themes and topics

Basic GDPR

Privacy rights under the GDPR

People have a number of rights if organisations use their personal data. These can be found in the General Data Protection Regulation (GDPR). We call these rights ‘privacy rights’.
Go to subject
Security

Security of personal data

A proper security of personal data is one of the basic principles of the GDPR privacy law for a reason.
Go to subject
Internet and smart devices

Visual material

Almost everyone makes photos and videos. If other people are in these photos or videos, this may constitute an infringement of their privacy.
Go to subject
This page was last edited on
.