Companies must adhere to many laws and regulations. This also applies to the storage and processing of personal data, but there are also other laws and regulations that affect the organization of IT systems.

The General Data Protection Regulation (GDPR) is well known to most companies, but there are many more laws and regulations that affect organizations and computer crime, and these are not always related to the storage and processing of personal data.

That is why, in this blog, we also cover a number of other important laws that affect the organization of your IT systems and should not be forgotten. We also give a number of tips for complying with the GDPR.

Wet computercriminaliteit (Dutch Computer Crime Act)

It is not always possible to prosecute a criminal who has gained access to a computer. If you are able to find out who the criminal is, which is usually not the case, they can be prosecuted under the Dutch Computer Crime Act. However, this is only possible when there is a computer breach.

A computer breach only occurs with:

  • Breaking the security
  • A technical intervention
  • False signals or a false key
  • The assumption of a false quality

This means that a potential criminal must always know that he is about to enter a forbidden zone. If there is no sign of a forbidden zone, it does not count as a computer breach and no prosecution can be initiated, because it is also possible that an unauthorized person accidentally accesses a computer or a computer system.

Therefore, companies must ensure good access security and strong encryption on their IT systems to have basic security in order.

Periods of retention

There are various laws that set the minimum and maximum retention periods for documents and/or data, for example the Burgerlijk Wetboek (Dutch Civil Code), Algemene wet bestuursrecht (Dutch General Administrative Law Act) and Algemene wet rijksbelastingen (Dutch General Tax Act).

A summary of a number of the Dutch retention periods:

  • Annual accounts, auditor reports etc. must be kept for a minimum of 7 years from the date of preparation.
  • The subsidy administration must be kept for a minimum of 10 years from the date of administration.
  • The ledger, administration of debtors, administration of creditors, purchase and sales administration, stock administration and payroll administration must be kept for 7 years from January 1 after the preparation.
  • Employment contracts must be deleted 2 years after the termination of the employment, but personal data of employees (name, address and civil status) must be kept for 7 years after termination of the employment.

It is important to organize your IT systems to comply with these periods. If you cannot provide the data when requested, you risk a high fine.


Then, as promised, the tips about the GDPR. As you may know, the GDPR is a regulation that protects citizens with regard to the processing of their personal data. Personal data is all data about an identified or identifiable person. If you as a company do not comply with this regulation, you risk a fine. Therefore, here are a number of do’s and don’ts:

Do:

  • The right thing: be fair and transparent about what you do with the data.
  • Use only the necessary data.
  • Maintain accurate and reliable records.
  • Protect the data and ensure it is not shared unless it is legally necessary.

Don’t:

  • Use the data in any way other than you said you were going to.
  • Keep personal data if you are not using it.
  • Keep personal data if the customer wants it removed.
  • Keep application letters and other application correspondence longer than 4 weeks without permission, or longer than 1 year with the permission of the applicant.
  • Keep security camera recordings longer than 4 weeks or until the incident is handled.

In addition, it is required by law to report every data breach to the Dutch Data Protection Authority (AP). If it turns out that privacy-sensitive data is not securely stored or processed, this will result in administrative sanctions by the AP of up to 4% of the worldwide turnover or €20 million (!).

Above, we have described a number of laws and regulations that influence the organization of IT systems. If you do not meet these requirements, you risk a high fine, and there is a chance that you will be hacked and that your data will be leaked. In addition, it is possible that criminals cannot be prosecuted because they were not “warned”.

Do you want more information about the laws and regulations that your company must comply with? Do not hesitate to contact us!


NOTE: This is a translation of the Dutch blog. If there is a misunderstanding about the interpretation of translated words or sentences, the Dutch version is always right. Also, Dutch law is used as the basis of this blog.