Recent developments in data protection August 2025

5 August 2025

In this News Update, we discuss several recent developments in data protection: the Netherlands Authority for Consumers and Markets (ACM) will intensify its supervision of telemarketing rules; the Rotterdam District Court has asked the European Court of Justice to clarify the interplay between the Dutch WAMCA and the GDPR; the Amsterdam District Court has ruled that a limited partnership does not meet the requirements of the GDPR and therefore cannot claim access to data on behalf of gamblers; and the Dutch Data Protection Authority (DPA) has stated that the Tax Authority must stop using systems that pose privacy risks.

Hero image

ACM will intensify its supervision of telemarketing rules

The Dutch Authority for Consumers and Markets (ACM) has announced that it will step up its supervision of telemarketing practices as from 1 July 2025. In many cases, telemarketing requires the prior consent of the person being called. The decision comes in response to a high volume of complaints, particularly concerning energy suppliers and telecom companies. All parties involved in the telemarketing chain—from obtaining consent to the end of the contract—share responsibility for compliance. The company that ultimately enters into a contract with the consumer is also responsible for ensuring all rules are followed. Companies may be responsible for a third-party agency which violates the rules. The ACM encourages individuals to continue reporting suspected violations. This helps the ACM to identify problem areas and take effective action.

Rotterdam court asks European Court of Justice to clarify interplay between Dutch WAMCA and GDPR

In a collective action brought by Stichting Data Bescherming Nederland (SDBN) against Amazon, the Rotterdam District Court referred key questions to the Court of Justice of the European Union (CJEU). The referral, made on 23 July 2025, concerns alleged GDPR violations affecting around millions of Dutch Amazon account holders. The Court seeks clarification on whether Dutch law (WAMCA) can impose additional admissibility requirements—such as representativeness, similarity of interests, and a track record in data protection—on organisations bringing collective GDPR claims, and whether such actions can proceed without an explicit mandate from each data subject, given the Dutch opt-out system. The CJEU’s answers will be crucial for the future of collective redress for data protection breaches in the Netherlands and may have wider implications across the EU. Proceedings are suspended pending the CJEU’s decision.

Amsterdam court: a limited partnership does not meet requirements of the GDPR and cannot claim access to data on behalf of gamblers

In a collective action brought by Gokverliesterug, the Amsterdam District Court ruled in preliminary relief proceedings on the disclosure of personal data by online gambling providers who operated in the Netherlands without a license. The judgment was issued on 7 July 2025. The court found that Gokverliesterug did not meet the requirements of Article 80(1) GDPR, which stipulates that only non-profit organizations serving the public interest and active in data protection may represent data subjects in exercising their GDPR rights. The court emphasized that Gokverliesterug, structured as a limited partnership with commercial elements and external financing, had not demonstrated a lack of profit motive or a public interest objective. As a result, Gokverliesterug was declared inadmissible, and ordered to pay the defendants’ legal costs. This decision underscores the strict interpretation of representative standing under the GDPR in the Netherlands. Houthoff represented one the defendants in this case.

Dutch DPA: Tax Authority must stop using systems that pose privacy risks

The Dutch Data Protection Authority (AP) has ordered the Tax and Customs Administration (Belastingdienst) to urgently replace two of its systems and to promptly address deficiencies in four others, following an investigation that found these systems do not comply with privacy legislation. This action follows a KPMG report highlighting significant privacy risks in systems similar to the previously scrutinized Risk Analysis Model (RAM), which was found to have unlawfully processed sensitive personal data and enabled discriminatory practices until 2018. The Belastingdienst must submit a comprehensive phase-out plan for the ‘Klant Toezicht Model’ and ‘Informatiesjabloon’ systems by 15 October 2025, while also remedying issues in the remaining systems as soon as possible. The AP will closely monitor the Belastingdienst’s progress through a dedicated supervisory arrangement.

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.