Source: Autoriteit Persoonsgegevens
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) published its 2025 annual report on 2 April 2026, giving an overview of its enforcement work and priorities over the past year. The report shows the AP focused on acting faster and more visibly across five main areas: algorithms and AI, freedom and security, big tech, data trading and the digital government.
According to the Autoriteit Persoonsgegevens, the authority concluded agreements in sanction cases against various organisations, aiming to resolve clear violations without lengthy legal procedures. In other cases, the AP used lighter-touch interventions such as explanatory conversations and warnings to get organisations to change their practices.
Among the issues addressed, the AP warned many organisations to update their cookie banners or stop using tracking software altogether. It also warned chatbots that were giving incorrect voting advice, and took action where organisations were reusing government information without a legal basis or sharing medical data without proper safeguards.
On the big tech front, the AP called on users of LinkedIn and Meta to adjust their privacy settings to prevent their data from being used to train AI models. The AP also informed the Dutch parliament (Tweede Kamer) that police are retaining data for longer than the law permits.
Free website scan covering GDPR, copyright, accessibility, security, and more.
Scan your site freeThe EDPB adopted its work programme for 2026-2027 during its latest plenary on 12 February 2026, focusing on easing compliance and strengthening cooperation.
To support organisations working with political advertising, the AP published a guide for reducing the use of personal data in that context. The authority also conducted extra visits to municipalities as part of its oversight work.
The AP's report makes clear that cookie banners and tracking software remain active enforcement priorities. If your website uses analytics tools, advertising trackers or third-party cookies, it is worth checking whether your cookie banner meets current requirements. You can use our GDPR compliance checklist as a starting point.
The focus on data trading and AI also signals that the AP is paying close attention to how personal data flows between systems and platforms. If you use any automated tools or third-party services that process customer data, reviewing your privacy policy requirements is a sensible step.
For a broader picture of what non-compliance can mean for a small business, see our guide on GDPR fines for small businesses.
The AP's 2025 report confirms that cookie banners and tracking tools are among the authority's active enforcement concerns, meaning even small websites are not outside its scope. If you have not reviewed your cookie settings or privacy policy recently, now is a practical moment to do so. Taking small, concrete steps to align with the rules is exactly the kind of behaviour the AP says it wants to encourage through its guidance work.
Source: Autoriteit Persoonsgegevens
De Autoriteit Persoonsgegevens ontving in 2025 ruim 13.000 privacyklachten en signalen, een stijging ten opzichte van 7100 in het jaar daarvoor.
The European Data Protection Board (EDPB) has announced a major coordinated enforcement action for 2026, focused on how businesses inform people about the use of their personal data. According to the