How we process your complaint

Below, you will find step by step what happens when you file a complaint with the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority. What does the AP do with your complaint? And why does it sometimes take a long time for the AP to process your complaint?

Do you have a complaint about how an organisation deals with your personal data? First, talk to this organisation or ask for a response in writing. You must first file a complaint with the organisation itself, or make a request for access. Does the organisation not respond to your request for access in time? Or do you think that the organisation has not processed your complaint properly? Then you can submit a complaint to the AP.

If you have submitted a complaint, you will always hear from us within three months. Most complaints can be processed with a simple investigation. For some complaints, we conduct an extensive investigation.

1. Preliminary investigation

After we receive your complaint, we will start a preliminary investigation. We look at, among other things:

  • Whether your complaint concerns your personal data.
  • Whether your complaint falls under the GDPR or other privacy legislation, such as the Police Data Act (Wpg).

Does your complaint not meet these requirements? Then we cannot process your complaint. If it does not concern your personal data, we will treat your complaint as a tip-off.

Enough information

During the preliminary investigation, we also check whether you have sent enough information for us to process your complaint. If you provide us with too little information, we will not be able to properly investigate your complaint. Therefore, when submitting your complaint, please include as much evidence as possible of the possible violation. And information showing that you have addressed the organisation yourself about the improper processing of your complaint or request.

On the page Submitting a tip-off or complaint to the AP you will find more information about preparing and submitting your complaint.

Your complaint is always valuable. Every complaint or tip-off is an important signal for us. Complaints give us a good picture of the privacy problems that people experience.

2. How we resolve your complaint

Complaints differ from one to the next. We can resolve your complaint in various ways. We resolve most complaints as follows:

  • We will contact you and explain what you can do yourself to resolve the complaint.
  • We will contact the organisation that is the subject of your complaint. We can do this by calling the organisation or by sending a warning letter. We address the organisation about its working methods and explain the privacy rules. This allows the organisation to take steps itself to comply with the law. Does the organisation have a Data Protection Officer (DPO)? Or is the organisation a member of a sector association? We can then also contact the DPO or sector association.
  • We will mediate between you and the organisation that is the subject of your complaint. We try to initiate a dialogue between you and the organisation that is the subject of your complaint and arrive at a solution quickly.

A common complaint is that a company does not respond to a request for access to someone's personal data. We can then instruct the organisation to respond after all. This often leads to a solution immediately.

Sometimes, we cannot resolve your complaint immediately. For example, because we check whether similar complaints have been received. We will then process these complaints together with yours. This is more effective. It is also possible that we have already started an investigation into the subject of your complaint. For example, due to a previous complaint, tip-off or media report. Your complaint will then be included in this investigation.

3. How we investigate your complaint

We receive thousands of complaints every year. The AP investigates every complaint, but cannot investigate all complaints in the same amount of detail. We have to make choices in that respect. So we can help people as best we can, but without making them wait too long. We use criteria to determine whether we will investigate your complaint in depth, namely:

  • How serious the invasion of your privacy is.
  • Whether the possible violation is still ongoing.
  • What impact the possible violation has on our society.
  • Whether we have sufficient options to take action against the organisation that is the subject of your complaint.
  • Whether the subject of your complaint falls within one of the themes from our annual plan.

4. We keep you informed

Privacy is a fundamental right and your complaint deserves to be processed properly. You will always receive a message about your complaint within three months by email, letter or telephone. Sometimes complaints are processed quickly, but some complaints are very complicated and require a more in-depth investigation. We may also want to process similar complaints together. It may take some time before your complaint is processed.

We will keep you informed about the progress during the handling of your complaint. Do we conduct an extensive investigation and prepare an investigation report? Then we will let you know. 
You do not need to contact us about this yourself. Do you think it is not necessary for us to keep you informed? Please let us know.

5. Extensive investigation

In some cases, we conduct an extensive investigation.

When we start an extensive investigation, we explain to the organisation why we are doing this and what exactly we are going to investigate. We also request information from this organisation. See also the criteria under How we investigate your complaint.

  • We usually ask the organisation for written information. We will use this information to create an investigation report and make a decision about your complaint.
  • Sometimes, we also conduct on-site investigations. This means we visit the organisation. We will use the information we collect during this visit, as well as the written information, to create an investigation report. We will then make a decision about your complaint.

An on-site investigation

During an on-site investigation, our employees will visit the organisation that is the subject of your complaint. Our employees collect relevant information and check the organisation's systems, among other things. We may also interview directors and employees.

Does the organisation fail to cooperate? We can then instruct the organisation to do so anyway. 
After our investigators have collected information , they start analysing it. We will investigate whether the complaint is justified. We must first determine whether the organisation processes personal data. And if so, which personal data these are and on what basis the organisation processes them.

We also determine whether the organisation has violated the GDPR or other privacy legislation. And if so, to what extent. Sometimes, it is complicated to analyse all the information and figure out what is going on. And of course, the investigation must be done carefully. That takes time.

National or European investigation

Are the organisation's (European) headquarters located in the Netherlands? Then we will handle the complaint. Otherwise, we will forward the complaint to the data protection authority in the country where the organisation has its (European) headquarters. If your complaint is processed internationally, we will remain your point of contact. We will therefore keep you informed of the progress. We do not conduct the investigation ourselves.

Is another European data protection authority processing your complaint? Or have people from other European countries also filed a complaint about the organisation and we are investigating? We will then work together with other European supervisory authorities to process your complaint as best as possible.

The investigation report

Once the extensive investigation is completed, we will prepare a report. This report contains the results and which possible violations of the GDPR (or other privacy legislation) we have identified.

The organisation that is the subject of the complaint will then be given the opportunity to respond to our investigation report and give its opinion. Most organisations provide their legal view by letter, but this can also be done during a meeting at our office. We can still adjust the report based on the legal view. Afterwards , we determine which measures are necessary.

Various measures

Has the organisation about which you are complaining violated privacy legislation? We can then impose various measures on the organisation to ensure the violation stops:

  • An invitation for dialogue. We address the organisation about its working methods and explain the privacy rules. This allows the organisation to take steps itself to comply with the law.
  • A reprimand. For a minor, less serious violation of the GDPR, we may issue a reprimand to an organisation. This means we condemn the violation of the GDPR. We will impose a reprimand if this is more appropriate than a fine.
  • Enhanced supervision. We can also place an organisation under enhanced supervision. This gives an organisation the opportunity to resolve the problems we have identified. The organisation will not immediately receive a fine or another measure. The organisation must share a progress report with us on a regular basis.
  • An order subject to a penalty. With this, we oblige an organisation to stop violating the law. If this does not happen within the time frame we have set, the organisation must pay a sum of money. We can also impose an order, without a penalty. The organisation is given a period within which it must stop violating the law. Does the organisation fail to do so? We can then impose another measure, such as a fine.
  • A processing ban. With this, we prohibit an organisation from processing certain (types of) personal data.
  • A fine. With this, we punish the organisation for committing one or more serious violations.

Has the organisation about which you are complaining not violated privacy legislation? In that case, we will of course not impose any measures and we will close the investigation.

Continue reading: Fines and other sanctions from the AP

6. Objecting to the result

You may not agree with how we have processed your complaint. Or the organisation about which the complaint is made does not agree with our decision. Therefore, both you and the organisation can object to our decision regarding your complaint. The letter with our decision will state whether you can lodge an objection with us. And if so, how.

You can object within six weeks after the decision was taken. This period starts on the day after the date on which we sent the decision to you. That is the date at the top of the letter. We have six weeks to respond to your objection. We can extend this period by six weeks if necessary. We can also extend the period after this, if you agree. You do not have to agree to this.

After receiving your objection, we may call you to discuss your objections. We will then see if we can find a solution right away. To do this, both you and the organisation about which the complaint is made must be willing to consult with each other. If this doesn't work, we will deal with the substance of your objection.

Continue reading: Lodging an objection

7. Appeal

Do you disagree with our decision on your objection? You can then appeal to the administrative court. You don't need a lawyer for this. The organisation that is the subject of the investigation report can also appeal against our decision on the objection.

Visit the website of De Rechtspraak to find out how to lodge an appeal.