AP publiceert jaarverslag 2022 en jaarplan 2023

News Update Privacy & Data Protection

Dutch DPA publishes Annual Report 2022 & Plan 2023
30 May 2023

On 17 May, the Dutch Data Protection Authority (Dutch DPA) published its Annual Report 2022 and Annual Plan 2023. In this News Update, we look at the Dutch DPA's activities in 2022 and its upcoming plans.

Annual Report 2022

The annual report highlights the Dutch DPA's key results in 2022. In 2022, the Dutch DPA fined 13 violations, laid down in 8 enforcement decisions, including the following:

In addition, the Dutch DPA imposed two orders subject to a penalty and issued ten reprimands in 2022. Aside from these enforcement actions, the Dutch DPA also provided guidance, such as developing tools for organisations, answering questions from the public and organisations, and cautioning organisations to change their procedures.

Data breaches

The Dutch DPA received over 21,000 data breach notifications in 2022, down 15% from 2021. The Dutch DPA itself also notified four data breaches that had occurred within its own organisation in 2022.

Data breach supervision is risk based, centring on data breaches that present major risks for victims. Relevant risk factors in 2022 included cyberattacks, as well as data breaches that had not been notified to the Dutch DPA in spite of requirements. The Dutch DPA will explore this issue further in its data breach report to be published soon.

Complaints and investigations

  • The Dutch DPA received around 12,500 complaints in 2022, around 10,000 of which it considers 'tips'. Overall, the number of complaints submitted dropped by over 30% from 2021. 
  • The Dutch DPA initiated 45 investigations in total, including 17 international investigations.
  • It closed 110 objection cases in 2022 but only 9 were declared well-founded. In addition, 47 appeals came to a close, with the Dutch DPA being ruled against in 4 cases.

Annual Plan 2023: supervision in a digital society

In 2023, the Dutch DPA will focus on algorithms and AI, Big Tech and freedom and security.

Algorithms and AI

The Dutch DPA specifically monitors the transparent, lawful and privacy-friendly development of algorithms and AI. In addition, it will prioritise investigations of complaints and data breach notifications in those areas in 2023. 

Big Tech

The Dutch DPA especially wants to ensure that Big Tech companies handle personal data properly. To this end, it will identify and analyse signals, give priority to victims' complaints about Big Tech companies and, if necessary, initiate accelerated proceedings.

Freedom and security

In 2023, the Dutch DPA particularly seeks to ensure a justifiable balance between freedom and security in personal data processing. Specifically, the Dutch DPA states that investigations on this point will be completed in 2023 and that the granting of permits for personal data processing in criminal investigations will receive particular attention. 


The Annual Report 2022 and Annual Plan 2023 emphasise the Dutch DPA's limited options due to budgetary reasons. The authority is unable to perform all its statutory duties properly and effectively while running an adequate organisation. In concrete terms, this means it cannot promptly handle all complaints, properly look into all data breaches, proactively give legislation advice and efficiently settle requests for binding corporate rules (BCRs). The waiting period for such requests is now more than seven years.

Written by:
Thomas de Weerd

Key Contact

Advocaat | Partner

Key Contact

Advocaat | Senior Associate

Key Contact

Advocaat | Associate