The Netherlands Authority for Consumers and Markets (ACM) considers it important to handle your personal data with care, and to properly inform you on how we do so. On this page, you will find what steps we take to protect your data.

What is personal data?

Personal data is any information that relates to an identified or identifiable living individual, for example, your name, your address or email address. You can find more information on the definition of personal data on the Dutch Data Protection Authority's website (in Dutch).

  • Find more information on what is considered personal data  on the Dutch Data Protection Authority's website (in Dutch).

Why do we process personal data?

Processing personal data is necessary for us in order to perform our legal duties. For example, it helps us determine who is responsible for a violation, or it helps us investigate problems that consumers and businesses have reported to us.

How long do we keep your data?

We only keep your data for as long as this is necessary for the data-processing purpose. For example: have we completed our investigation? And we no longer need the data? In that case, we will delete the data in question. In that process, we also take into account the Dutch Public Records Act of 1995.

Do we share your data with third parties?

Carrying out our legal duties could lead to us sharing data, including personal data, with third parties, for example, with other regulators (European and non-European ones), the Dutch Public Prosecution Service (in Dutch: Openbaar Ministerie) or judicial authorities. We only do so if such is permitted by law.

How do we secure your personal data?

ACM follows strict security standards as set by the Dutch central government. ACM, in its capacity as regulator, has also taken additional technical and organizational measures in order to protect your personal data against loss, theft, or misuse.

How do we obtain personal data?

We process personal data as a result of carrying out our legal duties. Examples include:

  • If we investigate a company, and, in that context, gather administrative information or emails, these will often contain personal data;
  • If you report a cartel to our Leniency Office, we will process your personal details;
  • We collect various kinds of information for our investigations, including personal data found through public sources on the internet, using Open Source Intelligence, among other methods;
  • We record your personal details if you ask a question to or file a report with ACM or ConsuWijzer. ConsuWijzer is ACM's consumer information portal.

What information do we record if you contact ACM or ConsuWijzer yourself?

Did you, as a consumer, reach out to ACM through ConsuWijzer? Are you a business owner and do you have any questions about your rights as buyer of an energy or telecom product? Or would you like to submit a report or tip-off? We will always record your name, email address and telephone number, but you can also add your address, postal code, place of residence, and company. It is also possible to add information of others who support your complaint. We also make a recording of telephone conversations with ConsuWijzer. We do this solely for the purpose of improving our service.

How long do we keep your personal details after you have contacted us?

ACM keeps your data for a maximum of 10 years after you have made contact with us, insofar your data is necessary for the processing purpose. The recorded telephone conversations with ConsuWijzer are kept for 6 months. We will delete your data after that period.

Why do we keep your personal details after you have contacted us?

We keep your personal details for two reasons:

  1. If you call or email us again, we will be able to see what was discussed in the previous conversation.
  2. The information you provide is important for carrying out our regulatory and enforcement tasks. Further investigation is often necessary in order to determine whether a company follows the rules. In some cases, we may call you, and ask you to give a statement.

The Data Protection Officer (DPO)

ACM has designated a Data Protection Officer and registered them with the Dutch Data Protection Authority. The DPO is independent, and enforces compliance with and application of the General Data Protection Regulation (GDPR) and the GDPR Implementation Act within the organization. You can contact ACM's DPO at

What rights do you have if your personal details are processed?

You have the right to request that ACM provide access to your stored personal details and/or to improve, supplement, delete or censor, and/or restrict this data. You also have the right to object against the processing of your personal details. More information regarding your rights can be found on the Dutch Data Protection Authority's website.

You can file a complaint with the Dutch Data Protection Authority about the way ACM processes your personal details.

Social Media/External Platforms

When carrying out our duties on social media, we use external platforms such as Twitter and WhatsApp. We believe it is important to note that we have no influence over the way that these platforms use your personal data. We advise you not to share any sensitive details with us through these platforms. Furthermore, this type of information is not necessary for carrying out our duties.

Do you require further information?

Do you have any questions or complaints regarding this privacy statement, or regarding the way we handle personal data? We are happy to answer your questions.

Would you like to know more about the General Data Protection Regulation (GDPR)? Please visit the Dutch Data Protection Authority's website.

  • More information on privacy and the statutory rules can be found on the AP’s website  (in Dutch).