
Which EU data protection laws apply to your business?

GDPR, AI Act, Compliance, SMB

You start researching GDPR compliance. Then someone tells you that you also need to think about the AI Act. Then a customer mentions ePrivacy. And then there is the UAVG, the Autoriteit Persoonsgegevens, and something about NIS2.

Are these all separate things you need to comply with? And where do you even begin?

This article gives you an overview. Which European privacy laws exist, which ones are relevant to your business, and what does each one require in practice?

GDPR: the baseline for anyone processing personal data

GDPR is the starting point. If you process personal data of people in the EU, and you almost certainly do if you have a business with customers, employees, or a website, then GDPR applies to you.

GDPR sets rules for:

  • What personal data you may collect and for what purpose
  • The lawful basis for processing (consent, contract, legitimate interest, legal obligation)
  • How long you may keep the data
  • The rights of data subjects (access, correction, deletion)
  • What security measures you must take
  • What to do in the event of a data breach

GDPR applies regardless of the size of your organisation. A freelancer with a client list falls under GDPR. A three-person startup with a website falls under GDPR. There is no threshold based on number of employees or revenue.

What does depend on size is the obligation to appoint a Data Protection Officer (DPO): larger organisations, and certain specific types of organisation, are required to appoint one. For most small SMBs, this is not the case.

The foundation of GDPR compliance is the processing register: an overview of all activities through which you process personal data.

The Dutch UAVG: the national implementation of GDPR

The UAVG (Uitvoeringswet Algemene Verordening Gegevensbescherming) is the Dutch law that supplements GDPR. GDPR is an EU regulation that applies directly, but it leaves member states room to fill in certain points at national level. The UAVG fills in that space for the Netherlands.

Practical implications for Dutch businesses:

  • The minimum age for children's consent is 16 in the Netherlands (GDPR allows each member state to set it between 13 and 16)
  • The Autoriteit Persoonsgegevens (AP) is designated as the national supervisory authority
  • There are specific implementing rules for the public sector, media, and scientific research

For most SMBs, the distinction between GDPR and the UAVG is not relevant in practice. Complying with GDPR means you are largely complying with the UAVG as well. You do not need to treat them as two separate projects.

The EU AI Act: for anyone using or developing AI systems

The EU AI Act entered into force in August 2024. The law is being phased in: the first obligations are already active (prohibited AI practices), and the most significant provisions for high-risk AI become enforceable from August 2026.

The AI Act applies to:

  • Providers: organisations that develop or place AI systems on the market
  • Deployers: organisations that use AI systems from others in their operations

As an SMB, you are most likely a deployer. That means you are using an AI tool (via SaaS or an API) in your business processes.

The obligations depend on the risk class of the AI system:

  • Minimal risk (e.g. spam filters, recommendation systems): almost no additional obligations
  • Limited risk (e.g. chatbots): transparency obligation toward users
  • High risk (e.g. CV screeners, credit assessment, surveillance systems): extensive documentation, human oversight, risk management, and registration

The practical question for you as an SMB: which AI tools do you use? Are there systems that make decisions affecting people? If yes, the AI Act is actively relevant.

Start with an AI inventory to know what you have. From there you can determine which obligations apply.

ePrivacy: for anyone using cookies, email, or phone marketing

The ePrivacy Directive is the law that specifically covers electronic communications and tracking. In the Netherlands, it is implemented through the Telecommunications Act.

ePrivacy rules touch three areas that almost every SMB will recognise:

Cookies and tracking. For non-essential cookies on your website (analytics tools, advertising cookies, social media buttons), you need consent from the visitor. That is the reason for the cookie banner. Essential cookies (for the basic functioning of the website) are not covered by this requirement.

Direct marketing by email or SMS. For email marketing to individuals, you need opt-in consent. Someone must have actively indicated that they want to receive messages. This applies to B2C marketing. For B2B marketing to business email addresses, the rules are slightly more flexible, but there are still limits.

Confidentiality of communications. Electronic messages are confidential. You cannot monitor employee communications without a lawful basis and transparency.

Note: the ePrivacy Regulation intended to replace the directive is still under discussion in the EU legislature as of 2026. Until it is in force, the existing directive via national law still applies.

NIS2 and the Dutch Cyberbeveiligingswet: for larger organisations in critical sectors

NIS2 is the European directive for the security of network and information systems. The Dutch implementation (Cyberbeveiligingswet) is expected in the first half of 2026.

NIS2 applies to organisations with 50 or more employees or more than EUR 10 million in revenue that are active in one of 18 designated sectors, including energy, healthcare, transport, digital infrastructure, and managed IT services.

For most small SMBs, NIS2 does not apply directly. However, customers who are in scope for NIS2 may ask you for evidence of your security practices as part of their supply chain obligations.

This article does not go deeper into NIS2. If you want to know whether your business is in scope, read our article on checking your NIS2 status.

How do you know which laws apply to your business?

Four quick questions to help you identify the relevant laws:

Do you process personal data of people in the EU? If yes: GDPR and UAVG apply. This is almost always the case if you have customers, employees, or a website.

Do you use AI systems in your business operations? If yes: EU AI Act applies as a deployer. Build an inventory and determine the risk class per system.

Do you use cookies on your website or send email marketing? If yes: ePrivacy rules via national telecommunications law apply. Review your cookie banner and opt-in procedures.

Do you have 50 or more employees and work in a regulated sector? If yes: check whether you fall under NIS2. If no: check whether you have customers who are in scope and are therefore likely to ask you questions.

For most Dutch SMBs, the practical picture is: GDPR and UAVG as the baseline, the EU AI Act if they use AI tools, and ePrivacy if they have a website with cookies or send email marketing.

What is the Autoriteit Persoonsgegevens and what does it do?

The Autoriteit Persoonsgegevens (AP) is the Dutch supervisory authority for GDPR, the UAVG, and ePrivacy. The AP:

  • Issues guidance and interpretation on how the rules apply in the Netherlands
  • Handles complaints from citizens about suspected GDPR violations
  • Conducts investigations into organisations on its own initiative
  • Can impose fines of up to EUR 20 million or 4% of global annual turnover for the most serious violations

The AP also publishes accessible guidance on its website (autoriteitpersoonsgegevens.nl, available in Dutch). If you are uncertain about how a GDPR rule applies in your situation, the AP website is a reliable first source.

A practical priority order

If you are not sure where to begin, follow this sequence:

Step 1: GDPR. Build a processing register. Know which personal data you process, for what purpose, and on what lawful basis.

Step 2: If you use AI tools, build an AI inventory and determine which obligations apply per system under the AI Act.

Step 3: Review your website for cookie consent and your email lists for valid opt-ins (ePrivacy).

Step 4: If you have customers asking NIS2 questions, make sure you have basic security documentation that can answer those questions.

ComplianceHive helps you document your obligations under GDPR and the AI Act in one platform. Try free for 30 days.

This article is general information and not legal advice. Consult a qualified lawyer or privacy specialist for an assessment specific to your situation.

