Dutch Asylum Agency Updates Privacy Rules for Reception Centre Residents
Netherlands, 3 May 2026
The Central Agency for the Reception of Asylum Seekers has revised its privacy policy, detailing how personal data from asylum seekers in Dutch reception centres is collected and processed. The comprehensive update covers residents of all facility types and explains data handling practices required under European privacy legislation. Significantly, the policy reveals that COA processes sensitive personal information including ethnic origin, religious beliefs, and health data, whilst collaborating with multiple government agencies and healthcare partners. The agency retains resident files for 20 years after case closure, highlighting the extensive scope of data collection in the asylum process.
Extensive Data Categories Collected
The updated privacy statement reveals the breadth of information COA processes during asylum procedures. Standard personal data includes legal identification numbers, contact details, address information, document data, personal characteristics, financial data, communication records, and legal procedural information [1]. Beyond these routine categories, COA also handles sensitive personal data that requires heightened protection under European privacy law. This includes information revealing race or ethnic origin, religious or philosophical beliefs, biometric data for identification purposes, health data, and criminal records [1]. The comprehensive scope of data collection reflects the complex administrative requirements of managing asylum seekers throughout their stay in Dutch reception facilities.
Government and Healthcare Partnerships
COA operates within an extensive network of government agencies and service providers, sharing asylum seeker data across multiple organisations. The agency receives and shares information with services under the Ministry of Justice and Security, including the Return and Departure Service (DT&V), Immigration and Naturalisation Service (IND), and Dutch Police [1]. Healthcare partnerships include GezondheidsZorg Asielzoekers (GZA) and MediFirst, whilst other collaboration extends to the Royal Military Police (KMar), International Organization for Migration (IOM), Stichting Nidos, Vluchtelingenwerk Nederland, Veilig Thuis, and EMM [1]. This data sharing network also encompasses municipalities, banks, transport providers, and educational institutions, demonstrating the integrated approach to asylum seeker support services [1].
Data Retention and Processing Timeframes
The privacy policy establishes clear timeframes for data handling and retention across different categories of information. COA commits to processing data requests within one month, though this period may extend to three months in exceptional circumstances [1]. For long-term storage, the agency maintains resident file data for 20 years after case closure, whilst financial records are retained for 7 years [1]. The privacy statement itself was formally adopted by COA’s board on 27 August 2019, providing the legal framework for current data processing practices [1]. These retention periods reflect both administrative necessity and compliance with Dutch data protection requirements for government agencies managing asylum procedures.
Legal Framework and Resident Rights
COA processes personal data based on specific legal grounds outlined in the General Data Protection Regulation (AVG), including fulfilling legal obligations, protecting vital interests, performing tasks of public interest, or obtaining individual consent [1]. The agency has committed to transparent data handling by not employing fully automated individual decision-making processes [1]. Asylum seekers seeking information about their data processing rights or wishing to contact the agency can reach COA through info@coa.nl, whilst privacy-specific enquiries should be directed to the Data Protection Officer at fgcoa@coa.nl [1]. The agency’s postal address for formal correspondence is Postbus 30203, 2500 GE Den Haag [1]. For broader privacy rights and complaints, residents may also contact the Dutch Data Protection Authority through www.autoriteitpersoonsgegevens.nl [1].