On December 13, 2018, the Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”) (the “Dutch DPA”) published a report on the complaints it has received since the EU General Data Protection Regulation (“GDPR”) became applicable on May 25, 2018 (the “Report”). The GDPR gives data subjects the right to lodge a complaint with the relevant national supervisory authority when they believe that their personal data is processed in a way violative of the GDPR (see article 77 of the GDPR).
Facts and Figures
In the past six months, (between May 25, 2018 and November 25, 2018), 22,679 individuals have contacted the Dutch DPA to obtain more information about the GDPR or to file a complaint. The Dutch DPA has received 9,661 complaints from data subjects, of which 44% are pending.
The Report states that 32% of the complaints relate to infringements of data subjects’ rights, such as the right of access and the right to erasure. Fifteen percent of the complaints are grounded in what data subjects consider to be overreach in data collection—that more personal data is gathered than is necessary to achieve the purpose(s) underlying the collection. An additional 12% of complaints allege companies impermissibly share individuals’ personal data , because they do so without informing the data subject of such sharing or by disregarding the data subject’s wishes.
The Dutch DPA also indicated that it has been involved in 331 international complaints concerning companies with cross-border activities or with several establishments in Europe. The Dutch DPA indicated that 176 of these were filed directly with the Dutch DPA, and that it acted as lead supervisory authority for a total 21 of the complaints. Separately, the Dutch DPA acted as a concerned supervisory authority in 119 international complaints; 36 complaints were transferred to the Dutch DPA by other national supervisory authorities as they related to companies established in the Netherlands.
Handling of the Complaints
The Report indicates that, in most cases, the Dutch DPA has responded to complaints by (1) sending a letter to the named company explaining the applicable requirement; (2) initiating a mediation; or (3) discussing the alleged violation with the company and actions to remediate such violation. The Dutch DPA indicated that most companies then adapted their behavior. According to the Report, 11 investigations stemming from complaints have been initiated.
To date, the Dutch DPA has primarily focused on resolving alleged rights violations and obliging companies to take remediating measures. The Report indicates, however, that in the future, complaints will more often lead to investigations and sanctions.
Most Affected Sectors
According to the Report, most complaints were filed against business service providers (i.e., 41 % of the complaints), companies in the IT sector (12%), the government (10%), financial institutions (9%) and companies in the health care sector (9%).