What happened
The Dutch privacy and data protection authority, Autoriteit Persoonsgegevens, received more than 13,500 complaints in 2025 about individuals or organizations that may not have complied with the General Data Protection Regulation.
The number of complaints increased by more than 75% compared to 2024. The regulator believes the sharp rise was driven by growing public awareness of privacy rights and by people encountering more privacy problems.
Most complaints involved organizations that did not disclose which personal data they used or refused to delete data after people submitted data removal requests.
The regulator also received complaints about privately owned cameras, including doorbell cameras and security cameras. Workplace camera surveillance was another area of concern, including cases where employees were reprimanded for their performance based on camera footage.
More than 400 complaints involved tracking software, including cookies. People complained that they could not refuse cookies or that websites did not display cookie banners.
The healthcare sector received the most complaints, driven by a cyberattack on Clinical Diagnostics, a medical research lab whose IT systems were hacked by the Nova ransomware extortion group. The attackers stole personal information from 850,000 participants in a cervical cancer screening program, and Clinical Diagnostics paid an undisclosed ransom to resolve the issue.
After healthcare, the Dutch privacy watchdog received many complaints about corporate service providers and government entities.
Who is affected
Individuals in the Netherlands are affected by the rise in privacy complaints, particularly those whose personal data is handled by healthcare providers, corporate service providers, government entities, employers, website operators, and organizations using surveillance cameras or tracking software.
The Clinical Diagnostics cyberattack affected 850,000 participants in a cervical cancer screening program. Employees may also be affected by workplace camera surveillance when footage is used to assess or reprimand performance.
Why CISOs should care
The increase in Dutch privacy complaints shows that privacy rights are becoming more visible to the public and more likely to trigger regulatory attention. Organizations that fail to disclose personal data use, respond properly to deletion requests, or manage tracking technologies may face complaints even when no cyberattack occurs.
For CISOs, the healthcare-related complaints show how a single breach can drive major privacy scrutiny. The Clinical Diagnostics incident involved stolen personal information from 850,000 screening program participants and became a major factor in healthcare receiving the most complaints.
The complaints about workplace surveillance and tracking software also show that privacy risk extends beyond breach response. Camera footage, cookies, and data removal requests can all become compliance issues when organizations do not clearly define, disclose, and govern how personal data is collected and used.
3 practical actions
- Review privacy request handling for data access and deletion: Most complaints involved organizations that did not disclose which personal data they used or refused to delete data when people submitted removal requests. CISOs should coordinate with privacy and legal teams to confirm that personal data requests are tracked, answered, and fulfilled within required timelines.
- Assess surveillance and monitoring practices before complaints arise: The regulator received complaints about doorbell cameras, security cameras, and workplace camera surveillance, including cases where employees were reprimanded based on footage. Organizations should review where cameras are used, why footage is collected, who can access it, and whether employees and visitors are properly informed.
- Tighten governance over cookies and tracking software: More than 400 complaints involved tracking software, including cookies, with concerns about users being unable to refuse cookies or missing cookie banners. Security and privacy teams should review cookie banners, consent controls, and tracking scripts to ensure users have clear choices and that tracking behavior matches disclosed practices.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.