Dutch Archive Barometer 2026
How does the Netherlands stand in 2026 when it comes to the risk around confidential paper and archives? There are plenty of single figures, but they are scattered across different reports. The Dutch Archive Barometer brings them together. No survey of our own and no estimated numbers, but a synthesis of public figures from the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) on data breaches, their causes, the sectors that leak the most and the fines that follow. Together they form a barometer that shows where the risk really lies. And that is not where most people think.
The barometer at a glance
Five indicators set the reading of the barometer. Each indicator comes straight from a public report of the Autoriteit Persoonsgegevens. Below is the overall picture first, then we take each indicator in turn.
The common thread is immediately visible. The big risk is neither exciting nor digital. It is paper, it is human and it is largely preventable. Below you can read, indicator by indicator, what the figures say.
Indicator 1. The scale remains large
Across the whole of 2024 the Autoriteit Persoonsgegevens received 37.839 data breach reports. That number has hovered around the tens of thousands for years and is not falling. Behind that total sit bulk reports, small incidents and a few large cases. The message of the barometer is not that the number is exploding, but that it stays stubbornly high. In the Netherlands a data breach is not a rare exception but daily practice.
Important to know. These are only the reported breaches. Some incidents are never reported, because they go unnoticed or because people are unaware of the reporting duty. The real number is therefore higher than 37.839. The barometer measures what is visible, and that is already substantial.
Indicator 2. Paper is the biggest cause
Ask any random business owner where a data breach comes from and the answer is nearly always the same. Hackers. Yet that picture does not match the figures. When the Autoriteit Persoonsgegevens looks at the cause of data breaches reported by organisations, in about 41 percent of cases it concerns a letter or parcel with personal data. Delivered to the wrong address, gone missing or returned unopened. That is by far the most reported category.
Source. Autoriteit Persoonsgegevens, data breach report first half of 2024. Percentages rounded. The other category bundles, among other things, verbal disclosure and lost equipment.
Email to the wrong recipient accounts for about 18 percent. The category everyone thinks of, the cyberattack, is responsible for about 5 percent of the reports. Paper and post together are therefore many times larger than the cyber image that makes the newspaper. The full analysis is in data breaches in the Netherlands, paper is the biggest cause.
Indicator 3. Healthcare leaks the most
Not every industry leaks equally. The Autoriteit Persoonsgegevens tracks which sectors the reports come from, and that picture is strikingly stable. Year after year the same sector sits at the top. Healthcare. In 2024 there were 6.873 data breach reports from the health and welfare sector, more than from any other industry.
Source. Autoriteit Persoonsgegevens, data breach report 2024. These are the sectors with the most reports. The total of 37.839 also contains many bulk reports and reports from other sectors.
What these three sectors have in common is that they process large volumes of sensitive personal data, on paper and digitally. The full breakdown and what you can do per industry is in data breaches by sector, healthcare leads.
Indicator 4. Most of it was avoidable
There is a figure in the report that gets too little attention, but that is hopeful for every organisation. In most data breaches the cause did not lie in bad luck, but in policy. In about 40 percent of cases there was policy, but it was not followed. In about 33 percent suitable policy was missing entirely. Only a small part, about 15 percent, concerned incidents that were genuinely unavoidable.
Source. Autoriteit Persoonsgegevens, data breach report 2024. Percentages rounded. The remaining part falls under other causes.
Add the first two together and you arrive at about 73 percent that could have been prevented with better policy and better execution. That is the heart of the barometer. The largest part of the risk is not fate, but a matter of doing what you had set out to do.
Indicator 5. The fine also comes for dull mistakes
The largest GDPR fines in the Netherlands concern international data flows and prohibited technology. The highest so far is the fine of 290 million euros for Uber in 2024. Such amounts are exceptional and say little about an average organisation. More interesting for the barometer are the fines for ordinary, avoidable mistakes. Keeping data too long, reporting a data breach too late, security not in order. Those are exactly the mistakes that a filing cabinet full of old paper causes.
Source. Fine decisions of the Autoriteit Persoonsgegevens, published on autoriteitpersoonsgegevens.nl. A selection of fines for security, data breaches reported too late and keeping data too long. Amounts rounded.
The fine for the municipality of Enschede stands out, because it was about data that was simply kept too long. That is the mistake lurking in almost every archive. An extensive analysis of these fines is in GDPR fines in the Netherlands, what the figures teach you.
What the barometer means for your organisation
Line up the five indicators and the picture is clear. Data breaches stay stubbornly high, paper is the biggest cause, the data-intensive sectors leak the most, most of it was avoidable and the fine also falls for dull mistakes such as keeping data too long. For an average organisation that all points in the same direction. The biggest, most underestimated risk is not on your screen, but in your filing cabinet.
That is good news, because that side is exactly the one you hold in your own hands. You can never fully rule out a cyberattack, but a stack of paper past its retention period you can clear out. If you recognise the risk in your own archive, read 6 signs your archive is a GDPR risk. If you want to tackle the stack structurally, then the step-by-step plan to clear out your archive helps.
Methodology and sources
Honesty belongs with a barometer, so here is exactly how it comes about. The Dutch Archive Barometer is not our own research among respondents. We have not estimated, modelled or filled in a single number ourselves. Every indicator is an existing, public figure from the Autoriteit Persoonsgegevens, brought together into an overall picture.
- Number of reports and sectors. From the annual data breach report 2024 of the Autoriteit Persoonsgegevens.
- Causes of data breaches. From the interim report on the first half of 2024, in which the AP breaks down the reports by cause.
- Avoidability. From the same AP reports, which examine whether there was policy and whether it was followed.
- GDPR fines. From the public fine decisions on autoriteitpersoonsgegevens.nl.
All percentages and amounts are rounded. Where the AP uses a margin or range, we have kept to the conservative reading. The underlying figures can be checked on the site of the Autoriteit Persoonsgegevens. When the AP publishes new annual figures, we update this barometer.
Remove the biggest cause at your own end?
The barometer shows where the risk lies. Paper that is past its retention period and yet keeps lying around. Tell us how many boxes or binders may go and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate as proof for your GDPR file. No call-out fees within 20 km of Amsterdam.
Request a quoteFrequently asked questions
What is the Dutch Archive Barometer 2026?
It is an overview that brings together public figures on data breaches, their causes, the leading sectors and the GDPR fines into a picture of the paper and archive risk in the Netherlands. The barometer does not measure anything itself, but bundles existing figures from the Autoriteit Persoonsgegevens into a clear overall picture.
Where do the figures come from?
From the public reports of the Autoriteit Persoonsgegevens. These are the annual data breach report 2024, the interim report on the first half of 2024 and the published fine decisions. All percentages and amounts are rounded and traceable to those sources.
Is this a survey of DeSnipperaar's own?
No. The barometer is emphatically not our own research among respondents. It is a synthesis of publicly available figures. We have not estimated or filled in a single number ourselves. Every indicator comes from a public report of the Autoriteit Persoonsgegevens.
According to the barometer, what is the biggest cause of data breaches?
Paper and post. In about 41 percent of the data breach reports by organisations it concerns a letter or parcel with personal data that is delivered to the wrong address, goes missing or comes back unopened. That is by far the most reported category, well above email and far above the cyberattack.
What can my organisation do with these figures?
The figures show where the risk really lies. Not in the cyber image, but in physical personal data on paper and in policy that is not followed. Map your paper flow, check retention periods and have documents that may go demonstrably destroyed with a certificate. More on that in demonstrable destruction for the GDPR.
Conclusion
The Dutch Archive Barometer 2026 tells a simple story with public figures. Data breaches stay high, paper is the biggest cause, healthcare leaks the most, most of it was avoidable and the fine also falls for keeping data too long. The exciting cyber image that demands the attention is, in numbers, the smallest category. The real risk is dull, physical and largely clearable. Whoever maps their own paper flow, guards retention periods and has surplus paper demonstrably destroyed removes precisely the biggest cause at their own end.
Read also: go deeper into the three main indicators in paper is the biggest cause, data breaches by sector and GDPR fines in the Netherlands.
Remove the biggest cause at your own end? Request a quote via desnipperaar.nl or first read how the certificate of destruction forms your proof. We collect the sensitive paper sealed.