SSL Certificates

Legal issues

Is there a legal obligation to secure a website?

Yes, there is a legal obligation to protect personal data against loss and misuse. It is stated in the Dutch Personal Data Protection Act (Wet Bescherming Persoonsgegevens [Wbp]):

“The person responsible for data processing must implement appropriate technical and organisational measures to protect personal data against loss or unlawful processing. These technical and organisational measures must ensure an appropriate level of security. Regarding the latter, think of the encryption of personal data. Security must always be adequate. This means also that you will have to check periodically whether your system requires adaptation, for example due to technological developments.”

This obligation concerns all parts of data processing. The exact text can be found at: http://english.justitie.nl/themes/personal-data/


If I don't comply with the Dutch Personal Data Protection Act, what are the consequences, and what about liability?

If you don't comply with the Dutch Personal Data Protection Act, the authorities may impose an administrative fine of at most € 4,500. If you are held responsible for the loss of personal information or for insufficient protection against unauthorised use, you will also have to pay full damages or the claims of the persons involved.


Is there another way to comply with the Dutch Personal Data Protection Act, besides the use of an SSL certificate?

No, there is no other way. Please read the text from the Dutch Data Protection Authority:

In order to comply with the security standard laid down in Article 13 of the Wbp when publishing personal data on the Internet, and in view of the current status of technology and the clarification of (legal) norms in previous judgements of the Dutch DPA, controllers must comply with the following five obligations:

  1. Avoid unnecessary publication of personal data.
  2. Block specific pages containing personal data from search engines.
  3. Use passwords or another appropriate method to restrict the target group.
  4. Ensure that data transfer is secure by means of the SSL protocol *.
  5. Secure machine(s) and underlying databases against unauthorised access by third parties.

* Secure Sockets Layer (SSL) is a standard protocol that makes use of ‘public key encryption’ technology to provide a secure service between Internet servers, in which the privacy of the communication, the integrity of the communication and the verification and/or the identification of the sender/recipient are all safeguarded.


Do I have to secure my site even if I only have one contact form?

Yes, you do. The Dutch Personal Data Protection Act defines personal data as follows: "any item of data relating to an identified or identifiable natural person". You have to take all measures to protect personal data against any form of misuse.


My site is hosted on a foreign web server. Do I have to comply with the Dutch law?

Yes, you have to comply. If the site owner (company or individual) is situated in the Netherlands, the Dutch Personal Data Protection Act applies regardless of whether the site is hosted outside the territory of the Netherlands, for example in the United States.


My site contains highly sensitive information. If I use a Lite SSL certificate, will this be in accordance with the Dutch Personal Data Protection Act?

Protection should always be sufficient to ensure an appropriate level of security. If your site contains highly sensitive personal data, you have to provide a high level of security. We would advise using an Extended Validation (EV) SSL certificate, which provides a high level of security.