HomeKnowledge base › GDPR vs AVG
GDPR

GDPR vs AVG: are they the same law? The difference explained

GDPR vs AVG: the same European law with two names

The GDPR and the AVG are the same law. AVG is simply the Dutch name for the GDPR, the European Regulation 2016/679. Whether you read GDPR, AVG or in France RGPD, it concerns exactly the same rules. For destroying personal data that means one thing: across the whole European Union the same obligations apply around storage limitation, demonstrable destruction and processor agreements.

Many business owners think GDPR and AVG are two separate rules they both have to comply with. That is a misunderstanding that costs time and money. Below you read why two names exist, where the Dutch addition sits and what the law concretely asks of you when you have personal data destroyed.

Is the AVG the same as the GDPR?

Yes, the AVG is the same as the GDPR. They are not two laws side by side but one law with two names. GDPR stands for General Data Protection Regulation, the official English name. AVG stands for Algemene Verordening Gegevensbescherming, the Dutch translation of precisely that same text. The legal reference is Regulation (EU) 2016/679. Whoever complies with the AVG automatically complies with the GDPR, because it is literally the same document with the same articles and the same numbering.

Why are there two names?

The reason is simple. The European Union publishes its legislation in all official languages. Each language version is equally legally valid. The English version is called GDPR, the Dutch version is called AVG. Neither is a derivative or a summary of the other, they are equivalent. Because much professional literature, software and international clients work in English, the term GDPR also took hold in the Netherlands. At the same time the government and the data protection authority consistently use the word AVG. So people use two names interchangeably for the same regulation, which explains the confusion. It is not a stricter or a softer variant, they are merely two labels on exactly the same bottle.

GDPR, AVG and RGPD in one table

The easiest way to remember it is an overview of the names per language. Each column holds the same law.

NameLanguage or regionWhat it is
GDPREnglish, EU-wideGeneral Data Protection Regulation, the English name
AVGDutchAlgemene Verordening Gegevensbescherming, the same law in the Netherlands and Belgium
RGPDFrench and SpanishReglement General / Reglamento General, the same law
DSGVOGermanDatenschutz-Grundverordnung, the same law
Regulation 2016/679OfficialThe legal reference, identical in all languages
UAVGNetherlandsDutch implementation act, national filling-in of open provisions

Only the last row is not a synonym. The UAVG is a separate Dutch law that fills in the regulation on a few points. More on that further down.

One regulation, the same obligations

Because GDPR and AVG are the same text, the obligations are everywhere the same too. Article 5 on storage limitation, article 17 on the right to erasure, article 28 on the processor agreement and article 32 on appropriate measures have the same numbers and the same content across the whole EU. A company in Amsterdam, an office in Paris and a practice in Madrid therefore work with identical rules. That was exactly the legislator's intention. One market deserves one set of privacy rules. For whoever destroys personal data that is welcome, because the requirements on storage limitation, demonstrability and the processor agreement do not change the moment you cross a border. You read the same articles, only in another language.

The small Dutch addition: the UAVG

The regulation leaves member states room for their own filling-in on a few elements. The Netherlands filled in that room with the implementation act for the GDPR, in Dutch the UAVG. It covers matters such as the use of the citizen service number, the age limit for children's consent and the tasks of the data protection authority. The UAVG does not change the GDPR itself, it only arranges the national details the regulation leaves open. For destroying data the UAVG changes little in practice, the main rules come straight from the regulation.

A regulation, not a directive

The word regulation matters here. A European regulation applies directly in every member state, without a country first having to transpose the text into its own legislation. A directive works differently, each country must translate it into national laws, which creates differences. The predecessor of the GDPR was a directive from 1995. That is precisely why privacy rules used to differ per country. The GDPR deliberately chose the form of a regulation, so the rules are everywhere the same. That makes cross-border work easier and explains why a Dutch translation could not become its own, diverging law. The translation had to contain word for word the same obligations as the English original.

What does this mean for destroying data?

For destroying personal data the conclusion is reassuring. You do not have to comply with two systems, only with the GDPR, which the AVG is. Whatever name your client, supplier or software vendor uses, the requirements stay the same. You keep data no longer than needed, you then destroy it in a safe way and you can show it happened. That principle is independent of the name common in your sector. An IT supplier often says GDPR, an accountant says AVG, but the checklist they put in front of you is the same. What this means in the daily practice of SMEs is in GDPR document destruction for SMEs.

Storage limitation: keep no longer than needed

The core for destruction sits in article 5, the principle of storage limitation. Personal data may not be kept longer than necessary for the purpose for which it was collected. Once that purpose is reached and no legal retention duty remains, the data must go. Keeping it just in case is not a valid reason. This principle is identical whether you read an English-language GDPR document or the Dutch AVG. The instruction is everywhere the same: clear out in time.

First the retention period, then destruction

Storage limitation does not mean throwing everything away at once. Some documents you are in fact required to keep, such as tax records kept for seven years. Only once the period has passed may, and must, you destroy. The GDPR itself names no fixed periods, those come from other laws per category of data. So first determine per type of file what the period is and then plan the destruction. A handy overview of common periods is in the GDPR retention periods cheatsheet.

Demonstrable destruction under the GDPR

The GDPR asks not only that you destroy, but that you can show it. That follows from the accountability principle in article 5(2). You must be able to show you follow the rules, including that old data was cleared out neatly. The proof is usually a certificate of destruction, supported by a note in your record of processing. How to make that conclusive is in demonstrable destruction for the GDPR. This requirement too is the same across the whole EU.

The processor agreement when outsourcing

If you outsource the destruction, article 28 prescribes a processor agreement. Until the moment of shredding the data is still legible, so the destroyer processes personal data on your behalf. The agreement covers, among other things, the security measures, the confidentiality and what happens to the data afterwards. Ask for the agreement before the first job starts, not after. Without a signed document you are in breach yourself. A destruction partner that knows the law has a standard agreement ready.

Appropriate measures up to destruction

Article 32 requires appropriate technical and organisational measures to protect personal data. That duty of care does not end at the bin, but only when the document is physically illegible. A box full of files standing unattended in the hallway for days does not meet it. Sealed collection and a closed chain from collection to destruction does. That way you protect the data until the last moment. The DIN 66399 standard sets out how finely it must be shredded, with P-5 for ID numbers and special data.

The certificate as proof in any EU language

The certificate of destruction is your most important piece of evidence, regardless of the name the law carries in your country. It states the date, the quantity and the DIN level applied. For data carriers the serial numbers are on it too. At an inspection or a question from a client you immediately show what happened. Because the rules are EU-wide identical, such a certificate counts just as well with a Dutch as with a foreign supervisor. What exactly belongs on it is in the certificate of destruction explained.

Data breach: the same 72 hours across Europe

The reporting duty in a data breach is everywhere the same too. A serious data breach you report within 72 hours to the supervisor, in the Netherlands the data protection authority. Whether you speak of a GDPR breach or an AVG data breach, it is the same obligation with the same deadline. Paper ending up unshredded on the street is just as much a data breach as a hacked database. If you can show data was already destroyed, that reduces the damage. The full step-by-step plan is in reporting a data breach in 72 hours.

Does this apply outside the Netherlands?

Yes. If you work with clients or branches in other EU countries, the same rules apply there under another name. In France and Spain the law is called RGPD, in Germany DSGVO, but the obligations around keeping and destroying are identical. A destruction certificate valid in the Netherlands therefore also meets requirements elsewhere in the EU. For a company that works across the border that is a big advantage. You do not have to set up a separate destruction procedure per country, one working method covers the whole Union. A foreign client asking for proof accepts the same certificate. The language on the document does not matter, the content counts.

Common misconceptions about GDPR and AVG

The confusion around the two names regularly leads to mistakes. The most common we list here.

  • Two separate laws. Some businesses think they must comply separately with the GDPR and with the AVG. It is the same law, so that is needless double work.
  • The GDPR is stricter. A persistent idea is that the English GDPR weighs heavier than the Dutch AVG. The text is identical, so the strictness is too.
  • The AVG applies only in the Netherlands. The AVG is the Dutch edition of an EU-wide regulation. Outside the Netherlands that same law is only called differently.
  • The GDPR names a fixed retention period. The law names no number of years but requires storage limitation. The concrete periods come from other laws.

Whoever separates these points prevents a supplier or client imposing unwarranted requirements. You can calmly explain that GDPR and AVG mean the same thing.

In short: what the law asks of you

Whether you speak of GDPR, AVG or RGPD, for clearing out personal data it comes down to four steps.

  1. Determine the retention period per category of data and stick to it.
  2. Destroy after expiry to the right DIN level, P-5 for ID numbers and special data.
  3. Record a processor agreement if you outsource the destruction.
  4. Keep the certificate for at least 5 years as proof in your GDPR file.

These four steps apply across the whole European Union, regardless of the name the law carries in a country. One working method therefore suffices, even if you work across the border.

Have it destroyed GDPR-compliant with a certificate?

Tell us what you have and you get a fixed price in advance. We collect it sealed within 20 km of Amsterdam with no call-out fee, destroy it to the right DIN level and you receive a certificate as proof for your GDPR file. Available nationwide via pooled routes.

Request a quote

Frequently asked questions

Is the AVG the same as the GDPR?

Yes. AVG is simply the Dutch name for the GDPR, the European Regulation 2016/679. It is one and the same law, with the same articles and the same obligations.

What is the difference between GDPR and AVG?

There is no substantive difference. GDPR is the English name, AVG the Dutch, RGPD the French and Spanish, DSGVO the German. The text and obligations are identical across the EU.

What is the UAVG?

The UAVG is the Dutch implementation act for the GDPR. It does not change the GDPR but fills in national details the regulation leaves open, such as the citizen service number.

Does the GDPR set a retention period for destruction?

The GDPR names no fixed periods but requires storage limitation. You keep personal data no longer than needed and then destroy it demonstrably, the same way across the EU.

Do I have to comply with both the GDPR and the AVG?

No, that is double work. It is the same law. Whoever complies with the AVG automatically complies with the GDPR, because it is literally the same text.

Conclusion

GDPR and AVG are not two laws but one, with an English and a Dutch name for the same European regulation. In France and Spain that same law is called RGPD, in Germany DSGVO. The only truly Dutch addition is the UAVG, which only fills in the open points. For destroying personal data this means you can focus on one set of rules. Keep no longer than needed, then destroy to the right level and keep the certificate as proof. That way you comply across the whole EU, under whatever name the law appears.

See also the pillar destroying confidential documents and the related articles on shredding versus incineration, preventing identity fraud and separating confidential paper waste.


Have data destroyed GDPR-compliant? Request a quote via desnipperaar.nl. You receive a fixed price in advance and a certificate as proof for your GDPR file.