Supervision of the processing of personal data by courts and the Procurator General's Office at the Supreme Court

Complaints filed

In 2025, nine complaints were filed with the Procurator General at the Supreme Court, two more than in 2024. The number of complaints received in previous years was four (2023), five (2022), eleven (2021), seven (2020), twelve (2019) and six (2018).

One complaint was withdrawn; all other complaints filed in 2025 were resolved in that year.

Five complaints (including the one later withdrawn) were filed by the same complainant. They complained about the privacy statements of the Judiciary and the Supreme Court, about the content of the Regulation on the supervision of the processing of personal data by the courts and the Procurator General's Office at the Supreme Court, and about a District Court's decision not to expedite a case. It was replied that these are not complaints within the meaning of Article 7 of the Regulation on the supervision of the processing of personal data by the courts and the Procurator General's Office at the Supreme Court. Further complaints concerned the handling of access requests as referred to in Article 15 GDPR. In response, it was explained why the Procurator General sees no reason to bring an action before the Supreme Court.

Another complaint concerned the rejection of a request for erasure and reversal of a judgment in preliminary relief proceedings. The court administration rejected the request citing the applicable statutory provisions, including the Dutch Public Records Act 1995 (Archiefwet 1995), from which it follows that the court is required by law to permanently retain the judgment. The response to the complaint was that the court administration's assessment was found to be carefully considered and not incorrect. Additionally, the processing of personal data in a judgment in preliminary relief proceedings by permanently retaining it is based on the necessity of performing a task carried out in the public interest.

In another case, it was complained that a judgment published on rechtspraak.nl had not been sufficiently pseudonymised because the complainant's personal details were still visible and had also appeared on a third-party website. The complainant first raised this with the court administration. The court administration wrote, among other things, that it had accidentally failed to remove the complainant's name from the judgment on publication. Apologies were issued and the publication was corrected. It also wrote, in summary, that the administration is not responsible for the publication of judgments by third parties. The response to the complaint was that the court administration's assessment was found to be carefully considered and not incorrect.

In response to a complaint concerning a possible data breach, it was written that it was no longer possible to determine whether there was a data breach. Finally, there was one complaint which, although filed as a "complaint concerning the processing of personal data", was found not to relate to the processing of personal data.

Claim

During the reporting year, the Procurator General brought an action under the Regulation on the supervision of the processing of personal data by courts and the Procurator General's Office at the Supreme Court. The cause was a complaint concerning a news report published on rechtspraak.nl. The news report concerned a judgment in a criminal case of sexual abuse of minors. The complaint was that the report contained a factual inaccuracy. It was further complained that the information could be traced back to the data subject and that it had put her in a negative light. The action sought for the Supreme Court to conduct an investigation into how the court administration processed the personal data in the news report. The Procurator General asked the Supreme Court to consider upholding the complaint, except in so far as it challenged the substance of the judgment. The Supreme Court rendered judgement on 19 December 2025 (ECLI:NL:HR:2025:1980).

Data breaches

During the reporting year, 517 violations of the GDPR, in the sense of data breaches, were registered. Occasionally, the data breaches led to the implementation of internal control measures. This number is significantly higher than in 2024 (393), 2023 (262), 2022 (175), 2021 (208) and 2020 (197). Eleven data breaches occurred at the Supreme Court, two fewer than in 2024. The other data breaches took place at 15 courts and at IVO Rechtspraak, the ICT service provider for the Judiciary. As in previous years, of the data breaches that occurred in 2025, the majority of cases (361) involved displaying, sending or handing over personal data to an individual when this was not intended. Other cases concerned, among other things, stolen or lost data carriers and/or paper containing personal data (24), and personal data that was published accidentally (121).

During the reporting year, a data breach was reported concerning the register of ancillary activities of judicial officers. The report concerned data that is no longer in the register because the person left employment. It was found that the data could still be accessed through a link on a third-party website. IVO Rechtspraak took action to plug this data breach.

There are differences between courts in the number of data breach reports. A higher number of data breach reports at a court need not indicate a lower level of data protection than at a court with fewer reports. The difference may also be related to the extent to which the organisation is alert to data breaches and/or the assessment of whether a data breach poses a risk that requires reporting to the supervisory authority.