TITLE: Netherlands' Personal Data Protection Authority Seeks Feedback on Data Protection Impact Assessment Exemptions
BODY:
On June 24, 2026, the Autoriteit Persoonsgegevens (AP), the Netherlands' personal data protection authority, launched a consultation seeking feedback on a preliminary list of data processing activities exempt from data protection impact assessment (DPIA) requirements.
A DPIA, also known as a gegevensbeschermingseffectbeoordeling (GEB) in Dutch, is a tool organisations use to assess privacy risks before processing personal data. Organisations planning to process personal data that poses a high privacy risk—particularly when using new technologies—must conduct a DPIA to identify and mitigate potential risks. The AP has the authority to establish and publish a list of processing activities that do not require a DPIA, particularly for small and medium-sized enterprises (SMEs) and self-employed entrepreneurs in the Netherlands. This exemption list aims to reduce regulatory burden on smaller businesses while maintaining appropriate data protection standards.
The AP is consulting with SMEs, self-employed entrepreneurs, experts, and other stakeholders to ensure the preliminary list aligns with practical business needs and accurately reflects which processing activities genuinely pose lower privacy risks. The consultation period closes on August 10, 2026. Interested parties can submit feedback by emailing st-mkb@autoriteitpersoonsgegevens.nl.
Following the consultation, the AP will refine the list based on received input and publish a summary of responses (without identifying information). The revised list will then be submitted to the European Data Protection Board (EDPB) for advice. After receiving the EDPB's guidance, the AP will finalise the list, publish it in the Staatscourant (Dutch Official Journal) and on its website, at which point it becomes officially valid.