Now serving complaint #6241…

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has published guidelines on how it will prioritize the handling of complaints filed with it under the EU General Data Protection Regulation (GDPR).

Criteria include:

  1. How harmful is the alleged violation for the individual(s)? This depends on the nature of the data and the nature of the violation.
  2. What is the broader social significance? For example, does the case involve processing of personal data by governments and in healthcare, trade in personal data, unreported data leaks and data leaks caused by serious shortcomings in security?
  3. To what extent will the DPA be able to act effectively, taking into consideration other complaints filed with it and its available manpower and budget?

If a complaint scores high on several criteria, there may be more reason for further investigation by the DPA. In exceptional circumstances, however, further investigation can be started with a low score on all criteria.

Read the full guidelines.