The Netherlands Authority for Consumers and Markets (ACM) considers it important to handle your personal data with care, and to properly inform you on how we do so. On this page, you will find what steps we take to protect your data.

What is personal data?

Personal data is any information that relates to an identified or identifiable living individual, for example, your name, your address or email address. You can find more information on the definition of personal data on the Dutch Data Protection Authority's website (in Dutch).

  • Find more information on what is considered personal data on the Dutch Data Protection Authority's website (in Dutch).

Why do we process personal data?

Processing personal data is necessary for us in order to perform our statutory tasks. For example, it helps us determine who is responsible for a violation, or it helps us investigate problems that consumers and businesses have reported to us.

How long do we keep your data?

We only keep your data for as long as this is necessary for the data-processing purpose. For example, once we have completed our investigation and no longer need the data, we will delete the data in question. In that process, we also take into account the Dutch Public Records Act of 1995.

Do we share your data with third parties?

Carrying out our statutory tasks could lead to us sharing data, including personal data, with third parties, for example, with other regulators (European and non-European ones), the Dutch Public Prosecution Service (in Dutch: Openbaar Ministerie) or judicial authorities. We only do so if this is permitted by law.

How do we secure your personal data?

ACM follows strict security standards as set by the Dutch central government. ACM, in its capacity as regulator, has also taken additional technical and organizational measures in order to protect your personal data against loss, theft, or misuse.

How do we obtain personal data?

We process personal data as a result of carrying out our legal duties. Examples include:

  • If we investigate a company, and, in that context, gather administrative information or emails, these will often contain personal data;
  • If you report a cartel to our Leniency Office, we will process your personal details;
  • We collect various kinds of information for our investigations, including personal data found through public sources on the internet, using Open Source Intelligence, among other methods;
  • We record your personal details if you ask a question to or file a report with ACM or ConsuWijzer. ConsuWijzer is ACM's consumer information portal.

What information do we record if you contact ACM or ConsuWijzer yourself?

Did you, as a consumer, reach out to ACM through ConsuWijzer? Are you a business owner and do you have any questions about your rights as buyer of an energy or telecom product? Or would you like to submit a report or tip-off? We will always record your name, email address and telephone number, but you can also add your address, postal code, place of residence, and company. It is also possible to add information of others who support your complaint. We also make a recording of telephone conversations with ConsuWijzer. We do this solely for the purpose of improving our service.

How long do we keep your personal data after you have contacted us?

ACM keeps your data for a maximum of 10 years after you have made contact with us, insofar as your data is necessary for the processing purpose. The recorded telephone conversations with ConsuWijzer are kept for 6 months. We will delete your data after that period.

Why do we keep your personal data after you have contacted us?

We keep your personal details for two reasons:

  1. Have you contacted us before? We will be able to see what was discussed in the previous conversation.
  2. The information you provide is important for carrying out our regulatory and enforcement tasks. Further investigation is often necessary in order to determine whether a company follows the rules. In some cases, we may call you, and ask you to give a statement.

The Data Protection Officer (DPO)

ACM has designated a Data Protection Officer and registered them with the Dutch Data Protection Authority. The DPO is independent, and enforces compliance with and application of the General Data Protection Regulation (GDPR) and the GDPR Implementation Act within the organization. You can contact ACM's DPO at

What rights do you have if your personal data are processed?

You have the right to request that ACM provide access to your stored personal data and/or to improve, supplement, delete or censor, and/or restrict this data. You also have the right to object to the processing of your personal details. More information regarding your rights can be found on the Dutch Data Protection Authority's website.

You can file a complaint with the Dutch Data Protection Authority about the way ACM processes your personal data.

Do you require further information?

Do you have any questions or complaints regarding this privacy statement, or regarding the way we handle personal data? We are happy to answer your questions.

Would you like to know more about the General Data Protection Regulation (GDPR)? Please visit the Dutch Data Protection Authority's website.

  • More information on privacy and the statutory rules can be found on the AP’s website (in Dutch).