Facts and figures about the AP
Here you will find facts and figures about the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, such as its budget, number of employees and other figures.
Note: at this time, not all linked English information is complete. For full information, please see the Dutch page.
The AP in figures
| 2021 | 2022 | 2023 | 2024 | |
|---|---|---|---|---|
| budget (in millions of euros) | 26.9 | 29.2 | 37.5 | 46.3 |
| employees in FTE (permanent, temporary and seconded) | 169 | 183 | 252 | 320 |
| data breach reports received1 | 24,866 | 21,151 | 25,694 | 37,839 |
| data breach reports handled2 | 37,475 | |||
| complaints received3 | 18,914 | 13,113 | 12,307 | 8,521 |
| complaints handled4 | 7,634 | |||
| investigations | 27 | 41 | 16 | 19 |
| imposed fines (number plus total amount in millions of euros)5 | 11 (6.4) | 13 (6.7) | 8 (243.2) | 6 (336) |
| order subject to a penalty | 2 | 2 | 3 | 4 |
| reprimands | 3 | 10 | 5 | 7 |
| legislative tests | 106 | 106 | 87 | 83 |
| questions from DPOs | 1,309 | 901 | 670 | 613 |
| requests for information3 | 3,000 | 1,842 | 2,278 | 3,978 |
| mediation interviews and other supervisory interventions | 677 | 2,213 | ||
| prior consultations | 10 | 4 | 3 | 5 |
| permits and model protocols | 264 | 324 | 507 | 833 |
| objections | 186 | 110 | 115 | 169 |
| appeals (to a higher court) | 66 | 47 | 40 | 60 |
1. The number of victims of data breaches is much higher than the number of reports. For instance, the AP received 1,309 reports of data breaches in 2023 regarding cyber attacks that had a total number of victims of approximately 20 million. See the AP's data breach reports for more information.
2. In 2024, we began not only listing the total number of data breach reports received, but also the number of reports that have been handled.
3. We add up national and international complaints. There are two possible causes for the drop in complaints files in 2024. Since 2024, we have begun asking people who fill out our complaint form whether they have already reported their complaint to the organisation itself. Such as by reporting it to the Data Protection Officer (DPO), if the organisation has one. That way, people are encouraged to first report their complaint to the organisation itself before submitting a complaint to the AP directly. This is a desirable development because it means we do not need to refer complainants back first. It also allows some of the complaints to be resolved directly. Secondly, we no longer automatically count an instance of telephone contact as a complaint. Many people we speak to via telephone do not want to submit a complaint, but simply have a question about the GDPR or privacy. We have thus begun registering these calls separately. This may have led to a sharp rise in the number of requests for information between 2023 and 2024.
4. In 2024, we began not only listing the total number of complaints received, but also the number of complaints that have been handled. The number of complaints handled is higher than the number of complaints received, because the remaining complaints from 2023 were also handled in 2024.
5. A decision to impose a fine on an organisation may consist of multiple fines for different (partial) violations. Also, not all fines imposed have yet been made public. See Fines and other sanctions for an overview of the fines already published.
See the AP annual reports for more figures and information (in Dutch).
Publications on AP capacity and budget (in Dutch)
- AP position paper on a strong digital rule of law (20 November 2024)
- AP letter to government formation informers (4 April 2024)
- Letter to the parliamentary inquiry committee on Fraud Policy and Services: A future-proof AP (27 November 2023)
- AP position paper May 2021 (19 May 2021)