The baker wants your address, the swimming pool your telephone number: medium-sized and small businesses (SMEs) demand that customers reveal much more personal information than is necessary.

This is risky and prohibited, according to the Dutch Data Protection Authority (AP).

But the regulator does not slap companies on the fingers, which means that ignorant customers become the victims.

"It regularly goes wrong," acknowledges spokesman Quinten Snijders of the AP about the data hunger of SMEs.

The regulator is resolute: companies may not demand more personal information than the entrepreneur necessarily needs.

It is best for a restaurant to ask for your name, e-mail address and telephone number when you make a reservation, says Snijders as an example.

"But your address, gender or date of birth are not relevant. The restaurant is therefore not allowed to request it."

The more personal information a company has about you, the greater the consequences if that information ends up on the street.

That risk is always there.

“Companies are often lousy with cybersecurity,” says Rutger Leukfeldt.

He heads a group of researchers at The Hague University of Applied Sciences that focuses on cybersecurity in SMEs.

Every year, tens of thousands of medium-sized and small companies are confronted with a data breach, according to figures from the Central Bureau of Statistics (CBS).

Sometimes personal data ends up on the street due to an internal error.

But in half of the cases, a hacker manages to gain access to the data.

“Entrepreneurs underestimate the risk,” Leukfeldt says.

"They say: 'As an SME, I'm not that interesting? Why would they catch me?'

That is a misconception. Criminals first look at where they can get in and only then what can actually be gained."

Supervisor does not check data hunger of SMEs

"Ultimately, the consumer bears the brunt," Leukfeldt says.

"Every time it happens, you know that your data has been stolen from somewhere. Criminals use it to better carry out their attacks. Some you can recognize as scams, but others are not."

As a result, victims can end up losing hundreds or thousands of euros.

The rules to save as little as possible exist to reduce that risk.

"What you don't have cannot leak out," Snijders of the AP sums it up.

Nevertheless, maintaining the data hunger of SMEs is not a priority at the AP.

The regulator focuses on major incidents and "malicious companies engaged in data trading".

This does not usually include SMEs, says Snijders.

The AP does not have an infinite capacity and therefore prefers to opt for information to explain the privacy rules to SMEs, says the spokesperson.

Companies struggle with the privacy law: entrepreneurs don't make it their priority and they don't always understand how to interpret the law for their situation.

To provide clarity, the AP may approve codes of conduct.

This should make it clear to a specific group of entrepreneurs what they are and are not allowed to do.

The regulator is involved in that process with nine industry associations, but so far only a code of conduct for the ICT sector has been approved.

People can protect themselves

As long as there are companies that demand more data than necessary, the customer can only protect themselves.

Those who are aware of the risks can prevent a company from storing data unnecessarily.

For example, by looking for ways other than ordering online, such as calling or visiting.

Privacy advocates sometimes advise people who still want to order online to enter fake details.

If you simply come to pick up a cake or go for an afternoon swim, it doesn't matter whether the bakery or the swimming pool has an address or telephone number that does not exist.

If that information leaks out, it is of no use to a criminal.

See also: Why it is indeed a concern that your private data is out on the street