Dutch Privacy Complaints Jump 75% as Citizens Press Organizations to Honor Data Rights

Key Takeaways

• Privacy Complaints Surged 75%: The Dutch Data Protection Authority received more than 13,500 complaints and tips in 2025, marking a 75% increase from the previous year and reflecting growing public awareness of privacy rights.
• Access And Deletion Rights Drove Most Complaints: Many complaints involved organizations failing to disclose what personal data they hold, responding late to access requests, or refusing to delete personal information when requested.
• Healthcare Generated The Highest Volume Of Complaints: The healthcare sector received the most complaints, with more than half tied to the Clinical Diagnostics data breach. Business service providers and government organizations followed.
• Regulator Signals Tougher Enforcement: The AP is developing plans to immediately fine organizations that fail to respond to data access requests, indicating a more aggressive approach to enforcing privacy rights.
• Growing Demand Is Straining The Regulator: While the AP reviewed every complaint and intervened directly in roughly one-third of cases, rising complaint volumes have created significant delays and growing concerns about response times.

Deep Dive

According to the Dutch Data Protection Authority (AP), more than 13,500 complaints and tips regarding possible privacy violations were submitted in 2025, a 75% increase from the previous year. The figures were published Monday in the regulator's 2025 Complaints Report.

The largest share of complaints involved organizations that failed to adequately explain what personal data they use or refused to delete data when individuals exercised their rights. The AP also received a significant number of complaints related to data breaches.

"The substantial increase in the number of privacy complaints shows that people know how to find the AP," said Aleid Wolfsen, Chair of the Dutch Data Protection Authority. "And that people are becoming increasingly aware of the importance of protecting their personal data. At the same time, we see that many organizations initially react incorrectly when people want to exercise their privacy rights. And that is worrying."

The Rights People Actually Use

Privacy debates often revolve around artificial intelligence, advertising technology, and cross-border data transfers. The complaints arriving at the AP's doorstep paint a more mundane picture. Many concern access requests. Under privacy law, individuals have the right to know what information an organization holds about them. Organizations are generally required to respond within one month. According to the AP, many fail to do so.

The regulator is now developing plans to immediately fine organizations that do not respond to access requests.

The report describes one complaint involving an international organization established in the Netherlands that required individuals to pay a substantial fee before they could view their own personal data. The AP concluded that the practice unlawfully hindered people from exercising their rights. The organization received an official warning and ended the practice.

The episode serves as a reminder that privacy enforcement is often less about sophisticated technology than basic compliance with rules that have existed for years.

Healthcare Tops the List

The healthcare sector generated the highest number of complaints in 2025. More than half of those complaints related to the data breach at Clinical Diagnostics, according to the AP. Healthcare was followed by business service providers and government organizations. Complaints involving government entities drew particular attention from the regulator.

The AP noted concerns about cases in which government organizations were alleged to have processed personal data without a valid reason. Such complaints carry additional weight because public authorities frequently handle large volumes of sensitive information. Citizens, unlike consumers dealing with private companies, generally cannot choose whether to engage with government services.

That lack of choice creates a different relationship between the individual and the organization holding the data. It also raises the stakes when questions arise about how that information is being used.

A Regulator Under Pressure

Not every complaint becomes an investigation. In roughly one-third of cases, the AP intervened by explaining legal requirements to organizations or helping the parties reach a solution. Those matters were resolved without the need for further investigation.

The authority conducted 29 in-depth investigations into complaints involving Dutch organizations during 2025. Slightly more than one-third of domestic complaints could not be investigated, including cases where the AP lacked legal authority to intervene. Other cases were closed after an initial review found no ongoing violation.

Every complaint is reviewed, the regulator said, not only to determine whether a violation occurred but also to identify recurring problems appearing across sectors. That task is becoming more difficult. The AP acknowledged that the growing volume of complaints has made it increasingly challenging to provide timely responses. Long waiting times remain a concern.

The irony is hard to miss. More people are exercising the rights privacy laws were designed to protect. The success of that awareness is creating new pressure on the authority responsible for enforcing those rights in the first place.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.