Last week, the chairman of the Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens, “AP”), Aleid Wolfsen, announced that several investigations around data breaches are pending and that the first serious fine is just a matter of time.

Mr. Wolfsen is optimistic about the impact of the upcoming General Data Protection Regulation (“GDPR”), effective from May 25, 2018. Data subjects’ rights are boosted up and the responsibilities for companies significantly increased, Wolfsen says. Furthermore, the possibilities for the AP to step up the level of enforcement and to impose “draconian fines” will further expand. Under the GDPR, fines of up to EUR 20 million or 4% of the worldwide annual turnover may be imposed, whilst the maximum amount is substantially lower under current Dutch data privacy laws.

Although the AP has not imposed any fines in 2016, changes are imminent. Mr. Wolfsen indicated that almost 4,000 cases of data breaches have been notified to the AP and that several investigations are still pending. Investigations relate to cases where the protection of personal data is “drastically insufficient”. It is therefore to be expected that the first fines will follow in due course.