Amsterdam-based crypto exchange Bitvavo has confirmed that the company’s management had access to customer accounts and personal data for several years. That access remained in place until spring 2024, raising serious questions about compliance with privacy and data protection regulations.

Bitvavo representatives explained that in the early years of the company’s existence, management had technical access to user data, as they helped with account registration and customer support. According to the spokesperson, at that time the company was “much smaller,” so such access was supposedly justified.
However, legal experts say that such a practice contradicts European data protection law. Professor Gerrit-Jan Zwenne of Leiden University notes that access to personal information should be limited to the employees who need it to perform specific tasks, for example in the financial monitoring department or the support service. Excessive management powers, in his opinion, pose a serious risk and violate the principle of minimizing access.
The story drew further attention after reports about the company’s former CEO Mark Nieuwelstein, who, according to Dutch media, discussed access to client data in correspondence with a person convicted of investment fraud. Nieuwelstein denies that he actually reviewed user databases and claims that he was only “generally trying to help.” After this incident, the company launched an internal investigation into possible privacy violations on his part.
Bitvavo, founded in the Netherlands, is one of the largest European cryptocurrency exchange platforms. The company operates under the supervision of De Nederlandsche Bank (DNB) and states that it fully complies with the requirements of the GDPR. After the media reports, Bitvavo representatives stated that the company’s security system now has multi-level access control and automatic detection of unauthorized login attempts.
The Bitvavo incident has once again demonstrated how important it is to strictly regulate access to personal data, even in startups. What starts as a “temporary measure” in a small company can later grow into a large-scale problem for user privacy. At a time when the crypto market is becoming increasingly regulated, such violations risk significantly undermining trust in the industry.