AInora
Back to Blog
NetherlandsAutoriteit PersoonsgegevensUAVGComplianceVoice AI

AI Voice Agents in the Netherlands: AP Compliance Guide 2026

JB
Justas ButkusFounder, Ainora
··13 min read

Important Disclaimer

This article provides general guidance on Dutch compliance considerations for AI voice systems. It is not legal advice. Consult a Dutch DPO (Functionaris voor de Gegevensbescherming) or specialised legal counsel before deploying any AI calling system in the Netherlands.

AI voice agents deployed in the Netherlands must comply with three primary regimes: GDPR, the Dutch Uitvoeringswet Algemene verordening gegevensbescherming (UAVG), and the EU AI Act — supervised by the Autoriteit Persoonsgegevens (AP). For commercial outbound calling, the Bel-me-niet Register historically governed telemarketing — but the Netherlands moved to a full opt-in regime on 1 July 2021 under amendments to the Telecommunicatiewet, supervised by ACM (Autoriteit Consument en Markt).

€20M
Max GDPR Fine (Art. 83)
Source: EUR-Lex
1 Jul 2021
Date Netherlands Switched to Opt-In Telemarketing
Source: Overheid.nl Telecommunicatiewet
€525k
ACM Fine to Energy Telemarketer 2023
Source: ACM
72h
AP Breach Notification Window
Source: AP

The Netherlands is the strictest large EU economy for outbound consumer telemarketing. Since 2021 the country operates a true opt-in regime: no business may call a consumer (mobile or fixed line) for commercial purposes without prior, freely given, specific, informed and unambiguous consent. AI voice agents follow exactly the same rule.

Key Dutch compliance terms

AP
Dutch data protection authority. Issues binding sanctions, publishes binding guidance, and supervises GDPR + UAVG enforcement. Source
UAVG
Dutch implementation act for GDPR. Adds Netherlands-specific rules on minors, employee data, and BSN (citizen service number) processing. Source
Telecommunicatiewet
Dutch Telecommunications Act. Article 11.7 since 1 July 2021 prohibits unsolicited commercial calls to consumers without prior consent. Source
ACM
Dutch Consumer and Market Authority. Enforces the Telecommunicatiewet telemarketing rules; can sanction up to EUR 900,000 per infraction. Source
Bel-me-niet Register
Historic Dutch do-not-call register, operational until July 2021. Now largely superseded by the opt-in regime for consumer calls. Source

What Is the Dutch Compliance Framework for AI Voice?

Three layers govern every AI voice call to or from the Netherlands: (1) GDPR for personal data processing; (2) the UAVG for Dutch-specific overlays; and (3) the Telecommunicatiewet (Article 11.7) for any commercial outbound calling. The EU AI Act adds the transparency layer from 2 August 2026. The AP supervises GDPR/UAVG; the ACM supervises Telecommunicatiewet enforcement; the two authorities cooperate on cross-cutting cases.

The Dutch baseline is more restrictive than the EU average in two places. First, consumer telemarketing requires prior opt-in consent (not opt-out), with no grandfathered customer base — even existing customers can only be called if they gave specific consent to receive marketing calls. Second, the UAVG limits processing of national identifiers (BSN, Burgerservicenummer) to use cases with explicit statutory authorisation — making voice agents that read or verify a BSN by phone effectively impossible outside healthcare and government contexts.

Who Is the Autoriteit Persoonsgegevens?

The Autoriteit Persoonsgegevens (AP) is the Dutch supervisory authority under GDPR Article 51. It investigates complaints, issues binding sanctions, publishes guidance, and represents the Netherlands on the EDPB.

The AP has been particularly vocal on AI. Its 2024 report on generative AI and 2024 preliminary findings on LLM web scraping set the tone: the AP expects controllers to perform a full Data Protection Impact Assessment (Article 35 GDPR) before any AI deployment that processes personal data at scale, voice agents included.

A 2024 AP advisory specifically noted concerns about emotion-detection and persuasive AI techniques in customer-facing systems, signalling future enforcement focus.

How Does the UAVG Implement GDPR in the Netherlands?

The UAVG (in force 25 May 2018) is the Dutch national implementing act. Key additions:

  • Article 5 UAVG — Children's consent. Children must be 16 or older to consent to information society services (above the GDPR default of 16, matching the highest Member State threshold).
  • Article 30 UAVG — BSN restrictions. The Burgerservicenummer (citizen service number) may only be processed where explicitly authorised by law. This blocks most commercial voice agents from collecting BSN.
  • Article 22 UAVG — Special categories. Codifies sectoral exceptions for health, welfare, and employment data; AI deployments in those sectors must check both UAVG and GDPR Article 9 bases.
  • Article 23 UAVG — Criminal data. Restricts processing of criminal-conviction data more tightly than GDPR; relevant for collections and fraud voice agents.
  • Articles 33-40 UAVG — AP enforcement. Sanctions, including the power to issue binding orders and impose periodic penalty payments (last onder dwangsom).

What Lawful Basis Applies to AI Voice Calls in the Netherlands?

Call typePrimary lawful basisAdditional Dutch rule
Inbound customer serviceArticle 6(1)(b) — contract performanceAP guidance on transparency notices
Inbound appointment bookingArticle 6(1)(b) — contract performanceDisclose AI nature (EU AI Act Art. 50)
Outbound B2C marketingArticle 6(1)(a) — prior opt-in consentTelecommunicatiewet Art. 11.7 — opt-in mandatory since 2021
Outbound B2B marketingArticle 6(1)(f) — legitimate interestRecipient must have soft opt-out channel
Outbound debt collectionArticle 6(1)(b) or 6(1)(f)Wki (Wet kwaliteit incassodienstverlening) registration since 2024
Call recording for QAArticle 6(1)(f) — legitimate interestWorks Council co-decision required for monitoring
Sensitive data (health, etc.)Article 9(2)(a) — explicit consentUAVG Article 22 sectoral overrides may apply

The Dutch B2C opt-in rule is uniquely strict. The amendment to Article 11.7 Telecommunicatiewet that took effect 1 July 2021 removed the prior opt-out mechanism for consumers. There is no "existing customer relationship" carve-out for cold calls; consent must be specific to telemarketing and must be demonstrable on demand. AI outbound marketing to Dutch consumers without prior recorded consent is unlawful per call.

How Does the Bel-me-niet Register Work?

The Bel-me-niet Register was the Dutch national do-not-call register from 2009 to 2021. With the move to opt-in, its consumer function became largely redundant (you cannot legally cold-call consumers regardless of register status), but the register continues to provide a unified rights-exercise mechanism for consumers to manage their consent.

The practical implications today:

  • Inbound consumer calls do not implicate the register.
  • Outbound B2C calls require prior opt-in regardless of register status — checking the register is not a defence.
  • Outbound B2B calls may still rely on legitimate interest, with recipients having the right to opt out via the register or directly with the controller.
  • Records of consent (timestamp, source, scope, withdrawal channel) must be retained for at least 5 years for ACM audit.

How Does the ACM Regulate Voice Telemarketing?

The ACM enforces the Telecommunicatiewet's commercial-communications rules. Sanction powers include administrative fines up to EUR 900,000 per infraction, periodic penalty payments, and public naming of offenders.

Notable ACM actions:

  • Energiedirect 2023 — EUR 525,000 fine for unlawful telemarketing calls without proper opt-in.
  • Pretium Telecom — Multiple sanctions for misleading and unsolicited consumer calling.
  • Coordinated 2024 enforcement targeting solar-panel and home-improvement telemarketers using AI-assisted dialer technology, with several sanctions concluded.

ACM does not distinguish between human and AI outbound calls in its enforcement framework: the obligation is on the legal entity initiating the campaign. If a Dutch consumer receives an unconsented AI marketing call, the controller is liable regardless of which technology placed the call.

Disclose Recording at Call Start

Recording must be disclosed in Dutch at the start of the call, with the controller's identity, the specific purposes, the lawful basis, and where the full privacy notice can be consulted. Generic disclosures ("dit gesprek wordt opgenomen") are insufficient without purpose specification.

Works Council Co-Decision (Art. 27 WOR)

Under Article 27 of the Wet op de ondernemingsraden (WOR), deployment of any system that monitors worker performance (including AI-assisted call QA) requires the prior consent of the Works Council (ondernemingsraad). Skipping this step exposes the controller to both AP and labour-law sanctions.

Retention

The AP's standard expectation is 30 days for QA recordings, with longer retention permitted only when justified. Permanent retention violates Article 5(1)(e) GDPR.

How Does the EU AI Act Apply to Voice Agents in the Netherlands?

The EU AI Act applies directly in the Netherlands. The AP has been designated coordinating authority for AI matters that involve personal data, with the Rijksinspectie Digitale Infrastructuur (RDI) covering non-personal AI oversight (see the government overview).

For Dutch voice deployments:

  • Article 5 — Prohibited practices. Subliminal manipulation, exploitation of vulnerabilities, and untargeted scraping of facial images are banned.
  • Article 50 — Transparency. Dutch-language AI disclosure at call start is the AP's expected pattern. The disclosure must be made before any data exchange.
  • Article 6 + Annex III — High-risk classification. Voice agents used in credit scoring, employment, education access, or essential services may be high-risk, triggering full conformity assessment.

What Has the AP Decided About Automated Calling?

Relevant AP decisions and guidance:

  • Uber 2024 — EUR 290 million sanction for unlawful US transfers of driver personal data, the largest ever in the Netherlands. Confirms AP appetite for nine-figure fines on data architecture violations.
  • 2024 LLM training-data investigation — Preliminary findings questioning the lawful basis for web-scraping by foundation-model providers.
  • 2024 DPIA-on-generative-AI guidance — Sets out AP expectations for any controller deploying generative AI, including voice agents.

AP-Aligned Vendor Checklist

  • EU/EEA data residency for raw audio, transcripts, and model inputs.
  • GDPR Article 28 DPA available in Dutch on request.
  • Native Dutch language support (TTS + STT + dialogue model).
  • Configurable layered transparency notice at call start (controller, purpose, full-notice URL).
  • Dutch AI-disclosure phrase configurable and spoken on every interaction.
  • For outbound: documented consent-management integration — no campaign launches without verifiable prior opt-in records under Telecommunicatiewet Art. 11.7.
  • Configurable retention defaulting to 30 days for QA recordings.
  • BSN-blocking: vendor must support refusing to capture, store, or transmit BSN-like 9-digit identifiers unless the deployment is explicitly authorised under Dutch law.
  • Data subject access and erasure workflows that complete within GDPR 30-day window in Dutch.
  • Sub-72-hour AP notification capability for breaches.
  • Documented support for Works Council co-decision: vendor provides materials in Dutch that allow the controller to brief its ondernemingsraad before go-live.
  • EU AI Act readiness: system card, GPAI provenance, transparency disclosure, per-use-case risk classification.

The Dutch Layered Transparency Opening

A practical AP-aligned opening for an AI voice agent in Dutch looks like: "Goedendag, u spreekt met [name], een geautomatiseerde assistent van [Controller]. Dit gesprek kan worden opgenomen voor [purpose]. Uw gegevens worden verwerkt op grond van de AVG; de volledige privacyverklaring vindt u op [URL]. Hoe kan ik u helpen?" This combines AI Act Art. 50, AVG Art. 13, and the AP's expectation of a layered notice.

Frequently Asked Questions

Frequently Asked Questions

Inbound — yes, provided transparency and lawful basis are in order. Outbound consumer marketing — only with prior explicit opt-in consent under Telecommunicatiewet Article 11.7. AI does not change the rule; an unconsented AI marketing call to a Dutch consumer is unlawful per call regardless of the recipient's status on any register.

No. Since 1 July 2021 the Telecommunicatiewet requires prior explicit consent for any commercial communication to a consumer telephone subscriber. The AP and ACM have consistently held that legitimate interest is not an acceptable lawful basis for B2C marketing calls in the Netherlands.

EUR 290 million against Uber in 2024 for unlawful US transfers of driver personal data, imposed by the AP. The maximum under GDPR Article 83 is EUR 20 million or 4% of global annual turnover. The Uber sanction was scaled by global revenue, showing that headline statutory limits are not the operational ceiling for very large controllers.

Yes, both as a matter of practical effectiveness (Dutch consumers must understand the disclosure for it to be valid) and under EU AI Act Article 50 (which requires natural persons to be informed they are interacting with an AI system in a way they can understand). Dutch-language disclosure at call start is the AP's expected pattern.

In almost all commercial contexts, no. UAVG Article 30 restricts BSN processing to use cases where Dutch law explicitly authorises it. Outside healthcare, government, and a small number of regulated sectors, asking for or storing a BSN by voice would be unlawful. Vendors should support technical BSN-blocking by default for Dutch deployments.

The Wki entered into force 1 April 2024, introducing a registration and quality regime for debt-collection service providers. AI voice agents used in collections are subject to the controller's Wki obligations: registration, quality standards, complaint handling, and worker qualification requirements. The Justis (Dutch screening agency) administers the register.

When recordings are used for staff performance monitoring or AI-assisted QA, Article 27 of the Wet op de ondernemingsraden requires the prior consent of the Works Council (ondernemingsraad). Workers must also be informed in advance. Skipping the OR step exposes the controller to both AP and labour-court sanctions; the latter can include reversal of performance-related decisions made on the basis of unlawful monitoring.

The AP's expectation is 30 days for QA recordings, extended only when justified by a specific need such as dispute resolution. The retention period must be documented in the Record of Processing Activities (Article 30 GDPR) and enforced by automated deletion. The Dutch civil-law limitation period is up to 5 years for many consumer disputes, but that does not justify default 5-year retention of all recordings.

JB
Justas Butkus

Founder & CEO, AInora

Building AI digital administrators that replace front-desk overhead for service businesses across Europe. Previously built voice AI systems for dental clinics, hotels, and restaurants.

View all articles

Ready to try AI for your business?

Hear how AInora sounds handling a real business call. Try the live voice demo or book a consultation.

Try Voice DemoBook Consultation

Related Articles

GDPR-Compliant AI Voice Agents for B2B Cold Calling (DACH 2026)

How to deploy AI voice agents under GDPR with the right lawful basis, consent, and four compliance patterns.

AI Debt Collection Netherlands: Wki Quality Act

How the Wki and AP compliance interact with AI voice debt collection in the Netherlands.

AI Receptionist for Dutch Medical Practices (Huisarts)

Vertical guide for AI deployment in Dutch GP practices and clinics.