
Complaints trigger 25 Dutch GDPR enforcement cases

Out-Law News | 17 Feb 2020 | 3:13 pm

Complaints raised with the Dutch data protection authority last year have led to 25 cases where enforcement action is pending under the General Data Protection Regulation (GDPR), the regulator has said.

The Autoriteit Persoonsgegevens (AP) said it had received 27,871 complaints during 2019, up 79% from the volume of complaints registered with it the year before, and that complaints triggered it to investigate in 138 cases.

The regulator said that in 25 of the cases it investigated it found a breach of the GDPR. It passed those cases over to its enforcement department to determine what action to take against the organisations found to be in breach.

Businesses can be fined up to 4% of their annual global turnover, or €20m if greater, for serious breaches of the GDPR.

According to the AP, almost two-thirds of the complaints it received in 2019 came from the business sector, which includes retail companies, energy suppliers and telecoms providers, as well as from the public and financial services sectors.

The regulator said that 29% of the complaints it received concerned alleged breaches of privacy rights, such as the right of access to, or the erasure of, personal data. A further 15% of the complaints were about unsolicited advertising.

In its complaints report, the AP said that the volume of complaints it has been receiving is greater than it is currently able to deal with, and admitted that this has caused a backlog. It said that it typically takes more than six months to address the complaints it receives, though "serious complaints are dealt with more quickly" via the prioritisation policy it introduced in early 2019.

To better address the volume of complaints, the AP said it needs "more capacity". It has welcomed a study commissioned by the Dutch Ministry of Justice and Security which is exploring the capacity needs of the regulator and associated funding considerations. The study is expected to be completed in May.

Resource constraints were also flagged by Hamburg's data protection watchdog as it published its annual report for 2019 on 13 February. It said there was a 25% increase in data protection complaints submitted to it last year, representing a further rise from the doubling of complaints it saw in 2018 after the GDPR first took effect.

Johannes Caspar, Hamburg commissioner for data protection, said: "If the current resources do not manage to answer the requests within a reasonable time frame, a negative impression of data protection will remain with the data subjects. With additional, temporary staff, it has recently been possible to keep inputs and outputs roughly in balance. This additional staff must be made permanent. In addition, the steady increase in the number of cases and the considerable backlogs make further reinforcement necessary."

Last year it was reported that Ireland's data protection commissioner had expressed her disappointment at the budget that has been allocated to the regulator by the Irish government amidst an upturn in its workload since the GDPR took effect.