Dutch Data Protection Authority Complaints Report 2025: Dutch privacy complaints hit record high

Last week, the Dutch data protection authority (the AP) published its annual Complaints Report, setting out the privacy complaints and tips it received throughout 2025 and how it handled them. The numbers are striking, and the signals the AP sends deserve careful attention from any organisation that processes personal data in the Netherlands.

What the report reveals

In 2025, the AP recorded a striking surge in privacy complaints: a rise of more than 75% compared to 2024, bringing the total to over 13,500 complaints and tips about possible GDPR violations. Of these, 5,077 were formal written complaints, a 93% increase compared to 2024, and 6,052 were tips, up 65% year-on-year. The increase signals a growing public awareness of privacy rights, but equally reflects that Dutch citizens continue to run into real privacy problems in practice.

The majority of complaints concerned the exercise of GDPR rights, in particular the right of access and the right to erasure. Complaints about unlawful processing and data breaches followed in second and third place. The sectors generating the most complaints were healthcare, business services and the public sector, respectively.

A prominent example in the healthcare sector was the data breach at Clinical Diagnostics, a medical laboratory processing samples for the national cervical cancer screening programme and for private clinics and general practitioners. The breach, which came to light in the summer of 2025, generated over 400 complaints to the AP, representing more than half of all healthcare-sector complaints that year. Complainants reported receiving little information about what had happened and many felt their situation was not adequately acknowledged, given that highly intimate medical data had been exposed.

The scale of the increase created real pressure on the AP. Despite additional efforts, it proved more difficult for the AP to provide a timely response to complaints. This operational tension is itself a signal to organisations: the AP has had to make sharper choices about what to investigate and when to impose sanctions, meaning that organisations still committing identifiable, systemic violations are more likely to attract scrutiny.

Across the complaints and tips received in 2025, three recurring problem areas stand out: the right of access, camera surveillance in the workplace, and the use of cookies and tracking software. We discuss each in more detail below. 

Rising enforcement focus on the right of access

The AP observed that organisations regularly fail to respond to access requests at all, or fail to do so on time. Under Article 15 GDPR, organisations must respond within one month, with a two-month extension available for complex requests, provided the individual is informed within the first month that additional time is needed. The AP launched a formal investigation into compliance with the access right in early 2026 and will assess this summer whether a sanctions-based enforcement approach, including fines, is needed to achieve durable improvement.

Organisations should therefore treat access requests as a standard business process rather than an ad hoc exercise. At a minimum, this means having a documented workflow and policy with clear ownership, timelines and criteria for assessing complexity. The AP has also signalled that, where systemic non-compliance continues, it is willing to move beyond warnings and mediation.

Camera surveillance in the workplace is a growing enforcement priority

Just like the last few years, the AP received a significant number of complaints about camera use in 2025. While most related to cameras operated by private individuals, such as doorbell cameras and home security systems, the AP also observed an increase in complaints about workplace camera surveillance, including situations in which employees were confronted with their conduct based on camera footage.

Following a complaint about Arriva, a public transport company, the AP investigated the use of cameras in buses and found that drivers may not be permanently filmed at their fixed workplace. Camera surveillance may only be deployed where strictly necessary for safety purposes and may not be used for structural monitoring or performance assessment of employees, even if footage is only reviewed retrospectively. The AP engaged with Arriva, agreed concrete measures, and required technical adjustments to the cameras, revised internal protocols and updated instructions for staff.

Cookie and tracking software compliance remains a live enforcement risk

In 2025, the AP received over 400 complaints and tips about tracking software, including cookies. Complaints covered websites where it was impossible to refuse cookies and websites that placed tracking cookies without any cookie banner at all. In response, the AP sent more than 200 warning letters to organisations whose cookie banners did not comply with the applicable rules and called on those organisations to review and correct their banners.

The AP has indicated it will continue monitoring this area, making periodic compliance reviews essential. Companies should review and, where needed, redesign their cookie and tracking practices as a priority. In practical terms, this includes, among other things:

• Ensuring that users can refuse non-essential cookies as easily as they can accept them (for example, no “accept all” button without an equivalent “reject all” option); and

• Not placing tracking cookies before valid consent has been obtained, and avoiding pre-ticked boxes or implied consent.

The AP's enforcement approach is evolving

The AP investigates every complaint proportionately, prioritising quick interventions, such as explaining the rules, mediating between parties and securing behavioural change, over formal sanctions. Where further investigation is warranted, the AP applies a risk-based framework, weighing societal impact and whether the problem is structural. This enables the AP to deploy available resources as effectively as possible.

However, this picture now appears to be changing. The AP has, for example, issued a formal reprimand to an organisation that failed to provide full and timely access to personal data, and reprimanded an internationally operating organisation based in the Netherlands for charging a fee for exercising the right of access. The number of new appeal cases reached a record high of 83 in 2025, 15% more than in 2024 and 73% more than in 2023. 

This growing volume of objections and appeals shows that individuals are increasingly prepared to challenge both AP decisions and organisational practices, a trend that is likely to accelerate if the AP implements the fines-based approach to access right violations it has signalled.

What's next?

The AP’s 2025 Complaints Report points to three clear areas of concern: the right of access, workplace camera surveillance, and cookies and tracking technologies. Based on the complaint data and the AP's own signals, we expect the second half of 2026 to bring intensified enforcement across all three areas, particularly where the AP identifies structural or repeated non-compliance. For organisations processing personal data in the Netherlands, this is the right moment to review these risk areas proactively.

If you would like to discuss what the report means for your organisation or benchmark your current approach, please contact us. For a closer look at how the AP handles data breaches in practice, see our earlier analysis of the Odido data breach.