Dutch Data Protection Authority

The Dutch Data Protection Authority, known locally as the Autoriteit Persoonsgegevens, is the independent supervisory authority responsible for overseeing compliance with the General Data Protection Regulation and national data protection laws in the Netherlands. It operates as a public body tasked with protecting the privacy rights of individuals concerning the processing of their personal data. Its core functions include receiving and investigating complaints, providing guidance to organisations and public institutions, and promoting awareness of data protection obligations.

The Authority monitors both private sector companies and public sector entities that process personal data, ensuring they adhere to principles such as lawfulness, fairness, transparency, and purpose limitation. It possesses investigative powers to conduct audits, request information, and order corrective measures when violations are identified. In cases of non‑compliance, the Authority can impose administrative fines, issue binding decisions, and, if necessary, refer matters to the courts for further enforcement.

A distinguishing attribute of the Dutch Data Protection Authority is its active participation in the European Data Protection Board, contributing to consistent application of GDPR across the EU. The Authority also maintains a public register of data processing activities and issues sector‑specific guidelines, particularly on emerging technologies such as artificial intelligence and biometric systems. Its expertise is frequently sought in legislative consultations, where it advises on privacy‑by‑design and privacy‑by‑default approaches to new data‑driven initiatives.

In February 2026, the Authority disclosed that it had been compromised through a zero‑day vulnerability in Ivanti Endpoint Manager Mobile, resulting in unauthorized access to internal work‑related data including names, email addresses, and telephone numbers. The incident was confirmed by the Authority itself and subsequently reported by the Center for Strategic and International Studies, underscoring that even regulatory bodies are not immune to sophisticated cyber threats. Following the breach, the Authority undertook remedial actions to secure its systems and notified affected individuals in accordance with its own breach notification obligations.