Dutch Report Provides a Window on GDPR-Related Complaints and DPA Response
On September 9, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the Dutch DPA) published a report on privacy complaints it received between January 2019 and June 2019. The report reviews the rate of consumer complaint activity since the enactment of the GDPR, the nature of those complaints, and how they are handled by the Dutch data authority.
Overview of the Dutch DPA Report
During the first half of 2019, just over 19,000 individuals and organizations contacted the Dutch DPA with concerns and questions related to the European Union’s (EU) General Data Protection Regulation (GDPR) or other privacy-related concerns. Of these, the Dutch DPA identified 15,313 inquiries as privacy complaints, characterizing the remaining cases as requests for information.
These numbers represent a 59% increase in complaints received this year compared to those received in the last six months of 2018. This uptick results in delays of four to six months in the handling of complaints. Serious complaints, however, are processed more quickly.
Facts and Figures
In the first six months of 2019:
- The Dutch DPA processed 452 international complaints. Among them, 66 were brought directly to the Dutch DPA, whereas the rest were referred by other EU supervisory authorities. During the same period in 2018, the Dutch DPA processed 331 international complaints;
- 36% of the complaints processed related to data subjects’ own personal data;
- 68 of the complaints filed with the Dutch DPA were investigated further, and 8 of these were referred to the enforcement arm of the Dutch DPA;
- 32% of the complaints related to data subjects’ rights, 13% to the transfer of personal data to third parties; 11% to concerns about the absence of a legal basis for the processing of personal data; 10% to direct marketing; and 1% to the processing of children’s personal data;
- 46% of the complaints received involved service providers, 14% the public sector, 13% the IT sector, and 8% the health care sector.
The report also explains how complaints were resolved:
- In 29% of cases, by providing guidance about how to resolve the issue;
- in 10%, by notifying the named company and explaining the applicable requirement;
- in 5%, by preparing actions that may be taken to remediate the violation; and
- once, by mediating the resolution between the claimant and the named company.
The report noted that in certain cases the Dutch DPA may close proceedings when it determines that a complaint does not demonstrate that a violation has occurred. It may also do so when it has determined that the company involved took steps to appropriately respond to and resolve the complaint.
The full report and the press release (in Dutch) are available to the public. If you have questions about the report, or you would like to learn more about how Achieved Compliance can help you address data protection in your company, please contact us.