Personal data on the Internet
Many people publish information about themselves or others on the Internet, such as photos on Instagram. Organisations also post personal data on the Internet. The consequences of this may be significant for the people concerned. Because once uploaded on the Internet, data usually can still be found there many years later. This may have negative consequences, for example, when applying for a job.
On this page
Legal basis of consent
No one is allowed to publish personal data of someone else on the Internet without a good reason. In principle, this is only allowed if there is a legal basis from the General Data Protection Regulation (GDPR). In the case of publication on the Internet, this is almost always the legal basis consent.
Exceptions apply for personal/domestic use and journalism.
Deleting personal data
If someone's data are on the Internet, that person will have the right to have these data deleted. For example, because they are no longer necessary for the purpose for which they were collected or processed, there is no legal basis for processing (anymore), or because the processing is unlawful.
Doxing
Doxing is the collection or publication of personal data of someone else, with the aim of scaring or harassing that person. Doxing is also a criminal offense.
Quick answers
How do I know who the owner of a website is?
First see if you can find any contact information on the website. Webshops and other providers of online services are always obliged to state contact details on their website. This will in any case be an email address or a contact form.
Are you unable to find any contact details on the website? Then you can find out who the owner of the website is by consulting a website with domain registrations.
Finding the contact data of a Dutch website
Does it concern a Dutch website, ending in .nl? Then look up the owner of the website through the website of the Foundation for Internet Domain Registration in the Netherlands (Dutch abbreviation: SIDN).
Then contact the person or the organisation mentioned as the 'holder' (owner) of the domain.
Note: you will only see the email address of the owner. Are you unable to reach the owner using this address? In some cases, you can ask SIDN for more contact details. See: SIDN and privacy.
The police have access to more extensive data in the WHOIS register. In the case of serious offences and crimes, we recommend that you report these.
Finding the contact data of a foreign website
Does it concern a foreign website? Search via Whois.net then.
Can I access my data usage at my internet provider?
Do you have a question about your internet provider's invoice for your data usage? Do you want to know, for example, which websites or apps used how many data at what times? Your internet provider can only give you access if you have given advance consent for retaining these data. If you have not done this, your provider will not have the data.
Data traffic contents
Your internet provider is in principle not allowed to know anything about the contents of your data traffic, such as which websites you have visited. This requires analysis of the data traffic (‘deep packet inspection’). An internet provider is only allowed to carry out such analysis if this is strictly necessary for a technical purpose, such as network management.
When carrying out such analysis, your internet provider must anonymise your data immediately. Your provider is not allowed to retain analyses at an individual level. Unless you, as a customer, have give advance consent for this purpose. Your provider must inform you about this option.
What do I have to pay attention to if people can register for my event through the Internet?
When you organise an event, you will often want to know in advance who will attend. In that case, it is convenient when visitors can register through the Internet. Pay attention then to the following things, in any case.
Security
The data of the registration form must be sent through a secure connection.
Quantity of data
Do not ask for more data than necessary. Do you only want to know the number of visitors and make name badges? Then asking for the first name, last name, position and organisation is usually enough.
Another example: registering the age is not necessary if you only want to know if someone is an adult. In that case, you can ask if someone was born before a specific year.
Informing
Explain properly why you collect the data. You can do this in your privacy statement. But explaining this in the form often provides more clarity.
Retaining data
Do not retain the data longer than necessary. This usually means that you have to remove the data after the end of the event. Do you need the data longer, for example for collecting payments? Then you must remove the data immediately after you have done this.
You are allowed retain aggregated, anonymous data, though. For example, that a total of 10 people had registered for your event.
Newsletter
Do you want to send visitors a newsletter about your products or services? This is only allowed if visitors state clearly in advance that they want to receive that newsletter. For example, by ticking a box. You must also offer the visitors the option to unsubscribe in every newsletter you send.
External registration system
Do you want to use a registration system that is offered by another organisation? This is possible, but you will have to conclude a processing agreement with that organisation in this case. In this agreement, you have to set out, among other things, that the organisation will not use the collected data for its own purposes and secure the data properly. In this case, the points for attention described above will also apply. You remain responsible for the data processing.
Sharing a list of participants
Do you want to share the list of participants of your event among your visitors, to facilitate networking by them, for example? Then ask the visitors in advance which contact details they want to share. Maybe they want to share a business telephone number, but do not want to have their private number placed on the list.
You can simply ask for consent at the time a person registers for the event. This consent must be given freely and unambiguously. You must be able to demonstrate that you have obtained consent.