A newly passed bill in the Netherlands has increased the fining power of the Dutch Data Protection Authority (DPA) to up to EUR 810,000 or 10 percent of an organization’s annual worldwide turnover.
On May 27, 2015, the Dutch legislature passed the bill amending the Dutch Data Protection Act (Wet bescherming persoonsgegevens, WBP). New fines may be imposed for non-compliance with various obligations of the WBP (as further discussed below). The DPA will have the discretion to decide whether a situation justifies either a fixed fine or a fine relative to a company’s revenue. According to the explanatory memorandum to the bill, the possibility of issuing a fine relative to a company’s turnover is necessary for the DPA to have an effective enforcement tool in place when dealing with (very) large international organizations, for which the threat of a EUR 810,000 fine would not be sufficiently dissuasive.
Currently, the DPA is only authorized to impose an administrative fine of EUR 4,500 for failure to register data processing with the DPA. Additionally, the DPA may impose an enforcement order to remediate non-compliance, which can be made subject to a penalty sum (either singular or incremental). The new sanctioning powers will therefore significantly increase the DPA’s oversight capabilities and will put Dutch data protection enforcement on par with, for instance, fines for antitrust violations at the European level (which are capped at 10 percent of a company’s worldwide turnover). There is also an uncanny resemblance to the fines proposed in the 2014 version of the General Data Protection Regulation (5 percent of the worldwide turnover or EUR 100 million, whichever is higher), which are currently being debated in the European Council and are apparently the cause of major discord between the divergent opinions of Member States on the subject.
The DPA will only be able to issue the new fines if it has issued a binding instruction to the relevant company to remedy any non-compliance with the WBP and if the non-compliance is not remedied within the required time frame, with the exception of violations that are deliberate or caused by serious negligence.
It is as yet unclear when the bill will enter into effect; the bill still needs to be published in the Official Gazette, after which it will officially enter into force. According to unofficial reports in the media, this should happen by January 1, 2016, although it is possible that the entry into force could be sooner.
Organizations with operations in the Netherlands are advised to review their overall compliance with the WBP to avoid these significant fines.
THE NEW SANCTIONING POWERS
The DPA will have the authority to impose the following fines:
6th category fine: EUR 810,000 or 10 percent of the organization’s annual worldwide turnover (articles 23(4) and (7) of the Dutch Penal Code)
The DPA will have the power to issue fines for companies’ failure to comply with the following WBP provisions:
- Processing of personal information must be in accordance with the law and done in a proper and careful manner (article 6);
- Collection of personal information must be for specific, explicitly defined and legitimate purposes only (article 7);
- Processing must be based on an appropriate legal basis (article 8);
- Further processing in a way that is incompatible with the purposes for which personal information has been obtained or where this is precluded by an obligation of confidentiality by virtue of office, profession or legal provision is prohibited (articles 9(1) and (4));
- Retention of personal information in a form that allows individuals to be identified for longer than necessary for achieving the purposes for which it was collected or subsequently processed is prohibited (article 10(1));
- Adequate, relevant and not excessive processing is required (article 11);
- Processing by service providers must be done in compliance with the orders of the responsible organization, except where otherwise required by law (article 12);
- Appropriate technical and organizational measures must be implemented to secure personal information against loss or against any form of unlawful processing (article 13);
- Processing of sensitive personal data is prohibited, except as otherwise provided by law (articles 16 and 24);
- Provision of appropriate processing notice to individuals is required (articles 33 and 34(1), (2) and (3));
- The new data breach notification requirements, also established by the bill, must be complied with (new article 34a);
- Various rights of individuals, such as access to, correction, supplementation, deletion or blocking of personal information, must be complied with (articles 35, 36(2), (3) and (4), 38, 39, 40(2) and (3), and 41(2) and (3));
- Requirements pertaining to automated processing of personal information/profiling must be complied with (articles 42(1) and (4)); and
- Requirements pertaining to cross-border transfers of personal information outside the European Economic Area (EEA) must be complied with (articles 76, 77 and 78(3) and (4)).
4th category fine: EUR 20,250 (article 23(4) of the Dutch Penal Code)
The DPA will have the power to impose fines of up to EUR 20,250 for the following violations of the WBP:
- If an organization that is responsible for processing of personal information is not established in the EU and that organization uses automated or non-automated means located in the Netherlands and fails to designate a person or body in the Netherlands to act on its behalf in accordance with the provisions of the WBP (article 4(3)); and
- If personal information is transferred to a non-EEA country to which transfers are explicitly prohibited by the Dutch Minister of Justice (article 78(2)(a)).