Your Complaint and the Dutch Data Protection Authority

Fact sheet number 7B, March 2007

This fact sheet is intended for the data subject, i.e. the individual whose personal data is being used.

This fact sheet will answer the following questions:

Which steps must precede your submission of a complaint to the Dutch DPA?
In which situations will the Dutch DPA decide to handle a complaint?
What does the complaints handling procedure entail?
How will you be kept up-to-date on the status of your case?
How is the complaints handling procedure concluded?
Can the Dutch DPA award compensation?
Which sanctioning powers does the Dutch DPA have?

You have a complaint about the way in which a company or institution (hereinafter: organisation) is using your personal data. Your complaint might be that the organisation has disclosed your data to another party without good reason, or has failed to adequately protect your data. If you believe that your personal data have been used unlawfully, you will be able to submit a complaint to this effect to the Dutch Data Protection Authority (Dutch DPA) [College bescherming persoonsgegevens (CBP)].

If you are involved in a conflict pertaining to the exercising of your rights, for example the right to access or correct your data, the Dutch DPA will be able to mediate. For more information, please see the fact sheet entitled Mediation by the Dutch DPA in Respect of Your Data [Bemiddeling door het CBP inzake uw gegevens].

read the publication in full (19 KB)

What to do first
Many organisations and branches of industry have put complaints procedures in place, as part of which a complaints committee assesses complaints according to a predetermined procedure. Where this applies to the organisation using your data, it must inform you of its complaints procedure. The organisation or trade association in question might also have appointed a data protection officer, to whom you will be able to address your complaint.

Under Dutch DPA policy, a complaint on the use of personal data will only be accepted once you have given the organisation in question the opportunity to respond to your complaint in writing. An organisation will not always be required by law to respond within a certain period of time, but you can request that the organisation respond within a certain period (e.g. four weeks). If the other party fails to respond within the period applicable, or fails to do so to your satisfaction, you will be able to submit your complaint to the Dutch DPA. If you opt to submit your complaint to the Dutch DPA, ensure that you provide all information relevant to the handling of your complaint (for example, copies of your letters, responses received from the other party). Please note that Dutch DPA’s handling of complaints is free.

The Dutch DPA’s acceptance of a complaint
After receiving your complaint, the Dutch DPA will first establish whether or not it has the authority to deal with it. An important criterion at this stage is that the complaint submitted must pertain to the use of personal data to which the Wet bescherming persoonsgegevens [Dutch Data Protection Act], the Wet politieregisters [Police Files Act], the Wet gemeentelijke basisadministratie persoonsgegevens [Municipal Database (Personal Files) Act] or the Wet justitiële en strafvorderlijke gegevens [Judicial Data and Criminal Records Act] apply.

Even where the Dutch DPA has the authority to deal with a complaint, it may decide not to do so. This might apply where the documents show that the organisation acts fairly and lawfully, where the organisation has already offered to rectify or redress the situation, or when the handling of the complaint by another body is more obvious. You might think of a conciliation board, disciplinary tribunal or a judge. The Dutch DPA may also decide not to investigate a complaint where the violation committed by the organisation would not appear to be of a sufficiently serious nature or if it expects that an investigation will not lead to another result. Furthermore the Dutch DPA will not start an investigationwhere this would require disproportionate efforts or when the complaint is not attuned to the areas of attention to which it gives priority.

Where the Dutch DPA decides not to handle a particular complaint, you will be informed of this as soon as possible and, where applicable, be referred to an organisation that will be able to help you.

Handling complaints
Where the Dutch DPA decides to handle your complaint, your complaint will be submitted to the other party in a letter, together with a number of questions. The other party will be requested to respond to this letter within a certain period of time (usually three weeks). In general, a copy of the correspondence between you and the Dutch DPA will also be attached to the letter referred to above. Normally, you will receive a copy of all correspondence between the other party and the Dutch DPA.

Where the other party raises new issues, the Dutch DPA will, where appropriate, ask you to respond. The length of time needed for mediation will depend on the promptness with which you and the other party respond to the Dutch DPA’s questions, amongst other things.

Information on complaint handling
Since you will generally receive a copy of all correspondence between the Dutch DPA and the other party, you will be able to closely follow the complaints handling process. However, should you have any questions, please contact the person responsible for dealing with your complaint. His or her name will be indicated in the top right-hand corner of letters that you receive from the Dutch DPA. When contacting the person responsible for dealing with your complaint, please have your case number at hand; this will enable him/her to help you without delay. Your case number is the number indicated under Reference (z2001-0829, for example) at the top of all Dutch DPA correspondence addressed to you.

The Dutch DPA’s decisions on complaints
Once all relevant information is available and both parties have sufficiently clarified their positions, the Dutch DPA will generally prepare a report on its preliminary findings in the case. These preliminary findings will be sent to the controller who will be asked for a reaction. The data subject will receive a copy of the preliminary findings. The controller is expected to give his reaction within two weeks. The Dutch DPA will then prepare its final report, which will set out the findings obtained by it during its investigation, a conclusion on the complaint submitted and, where possible, a recommendation. The decision made may be published (often anonymised). Visit our website for a selection of Dutch DPA decisions.

Court order or compensation
Often a Dutch DPA report setting out its findings is sufficient to achieve the satisfactory resolution of a given complaint. However, in some cases a controller will fail to observe the recommendation made by the Dutch DPA. You may then consider submitting your case to a court of law. You will need to appoint a lawyer to act on your behalf. You may request that the court issue the controller with a court order. The court could, for example, demand that the controller takes measures to rectify the consequences of a particular act. The court is also able to award compensation to the complainant; the Dutch DPA does not have these powers.

The Dutch DPA’s sanctioning powers
If a controller refuses to end or amend data processing that contravenes current legislation, the Dutch DPA has the power to enforce compliance with the statutory regulations applicable. Under certain circumstances, the Dutch DPA is able to impose a penalty on the controller or apply administrative coercion.

By keywords

Quick links