Source: Autoriteit Persoonsgegevens
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) published its 2025 annual report on 2 April 2026, giving an overview of its enforcement work and priorities over the past year. The report shows the AP focused on acting faster and more visibly across five main areas: algorithms and AI, freedom and security, big tech, data trading and the digital government.
According to the Autoriteit Persoonsgegevens, the authority concluded agreements in sanction cases against various organisations, aiming to resolve clear violations without lengthy legal procedures. In other cases, the AP used lighter-touch interventions such as explanatory conversations and warnings to get organisations to change their practices.
Among the issues addressed, the AP warned many organisations to update their cookie banners or stop using tracking software altogether. It also warned chatbots that were giving incorrect voting advice, and took action where organisations were reusing government information without a legal basis or sharing medical data without proper safeguards.
On the big tech front, the AP called on users of LinkedIn and Meta to adjust their privacy settings to prevent their data from being used to train AI models. The AP also informed the Dutch parliament (Tweede Kamer) that police are retaining data for longer than the law permits.
To support organisations working with political advertising, the AP published a guide for reducing the use of personal data in that context. The authority also conducted extra visits to municipalities as part of its oversight work.
The AP's report makes clear that cookie banners and tracking software remain active enforcement priorities. If your website uses analytics tools, advertising trackers or third-party cookies, it is worth checking whether your cookie banner meets current requirements. You can use our GDPR compliance checklist as a starting point.
The focus on data trading and AI also signals that the AP is paying close attention to how personal data flows between systems and platforms. If you use any automated tools or third-party services that process customer data, reviewing your privacy policy requirements is a sensible step.
For a broader picture of what non-compliance can mean for a small business, see our guide on GDPR fines for small businesses.
The AP's 2025 report confirms that cookie banners and tracking tools are among the authority's active enforcement concerns, meaning even small websites are not outside its scope. If you have not reviewed your cookie settings or privacy policy recently, now is a practical moment to do so. Taking small, concrete steps to align with the rules is exactly the kind of behaviour the AP says it wants to encourage through its guidance work.
Source: Autoriteit Persoonsgegevens
Free website scan covering GDPR, copyright, accessibility, security, and more.
Start free checkA large Belgian tech company received a total fine of 176,000 euro from the Belgian Data Protection Authority for failing to timely delete the mailbox of a former female employee.
Dutch legal blog Ius Mentis explains that GDPR makes it legally impossible to obtain valid consent for personal data use through terms of service or general conditions, and that Article 7(2) GDPR…
On 19 March 2026, the CJEU ruled in Case C-526/24 (Brillen Rottler) that a data subject's first DSAR can be refused as 'excessive' under Article 12(5) GDPR if the controller can demonstrate abusive…