Privacy & Information Security Law Blog

On September 9, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a report on the privacy complaints it received between January 2019 and June 2019 (the “Report”).

Read the full Report and the press release (in Dutch).

Overview

During the first half of 2019, 19,020 individuals and organizations have contacted the Dutch DPA with EU General Data Protection Regulation or privacy-related issues and concerns. From this number, the Dutch DPA identified 15,313 cases as privacy complaints, while the remaining cases were identified as requests for information. This represents a 59% increase compared to the number of complaints received in the last six months of 2018, which results in a four to six month delay in the complaint handling process – though serious complaints are processed faster.

Facts and Figures

In the first six months of 2019, the Dutch DPA has processed:

• 452 international complaints versus 331 in the second half of 2018. Among the 452 international complaints, 66 were introduced directly to the Dutch DPA, whereas the others were indirectly referred to the Dutch DPA by other EU supervisory authorities.
• 36% of the complaints processed related to data subjects’ own personal data.
• 68 of the complaints filed to the Dutch DPA resulted in further investigations, eight of which were transferred to the enforcement department of the Dutch DPA to determine the measures that should be taken.
• 32% of the complaints related to data subjects’ rights, 13% to the transfer of personal data to third parties, 11% to the absence of legal basis to justify the processing of personal data, 10% to direct marketing, and 1% to the processing of personal data of children.
• 46% of the complaints received affect the service provider sector, 14% the public sector, 13% the IT sector, and 8% the health care sector.

In addition, the Report explains how the complaint process was resolved in those cases:

• In 29% of the cases, by providing guidelines on how to resolve the issue;
• In 10% of the cases, by sending a letter to the named company explaining the applicable requirement;
• In 5% of the cases, by discussing the alleged violation with the company and actions to remediate the violation; and
• Once, by mediating between the claimant and the named company.

In specific cases, the Dutch DPA may also prematurely close the proceedings, for example, when the assessment of the complaint does not show an infringement or when the complaint was already remediated by the company.