Source: Security.NL
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) reportedly received more than 13,000 privacy complaints and signals in 2025, up from 7,100 the year before. According to Security.NL, which reported on the AP's 2025 annual report, this sharp rise shows that more people in the Netherlands are aware of their rights under the GDPR (AVG) and know how to report concerns.
According to Security.NL, a significant share of the complaints related to a data breach at Clinical Diagnostics, in which sensitive data belonging to more than 900,000 people was stolen. People who filed complaints reportedly said they received little information about what had happened and felt their concerns were not taken seriously. Some women reported feeling unsafe because their home addresses had been leaked.
Following the breach, the AP reportedly started a supervisory process involving Clinical Diagnostics and Bevolkingsonderzoek Nederland, focused on ensuring that victims were properly informed. The fact sheet notes that the outcome of this process has not been stated.
According to Security.NL, of the more than 13,000 complaints and signals received in 2025, more than 11,000 were handled. Around two thousand complaints are still waiting to be processed. The AP has reportedly acknowledged that waiting times are increasing, which it describes as an important concern.
To handle complaints more efficiently, the AP reportedly began making faster telephone contact with people and organisations to resolve issues directly. The authority also says it is increasingly using on-site supervisory visits to address situations affecting large numbers of people in one go.
If your business collects personal data, such as customer names, email addresses or health information, you are required under the GDPR (AVG) to handle that data responsibly and to inform people clearly if something goes wrong. The growing number of complaints shows that people are increasingly willing to report concerns to the AP, so it is worth checking that your privacy practices are in order. You can use our GDPR compliance checklist and privacy policy guide as a starting point.
Free website scan covering GDPR, copyright, accessibility, security, and more.
Start free checkA large Belgian tech company received a total fine of 176,000 euro from the Belgian Data Protection Authority for failing to timely delete the mailbox of a former female employee.
Dutch legal blog Ius Mentis explains that GDPR makes it legally impossible to obtain valid consent for personal data use through terms of service or general conditions, and that Article 7(2) GDPR…
On 19 March 2026, the CJEU ruled in Case C-526/24 (Brillen Rottler) that a data subject's first DSAR can be refused as 'excessive' under Article 12(5) GDPR if the controller can demonstrate abusive…