The Dutch Data Protection Authority (“DPA”) has published its new Fining policy for Administrative Fines. The new policy was drafted in response to the lack of such guidelines at the European level following the entering into force of the General Data Protection Regulation (“GDPR”). In the policy, the DPA elaborates on how the amount of fines for infringements of the GDPR, the Police Data Act, the Judicial and Criminal Records Act and the Telecommunications Act will be calculated. In this blog post, we will discuss the outline of this new policy.
DPA adapts its fining policy
The Fining policy, published on 14 March 2019, pertains to the fines that can be imposed by the DPA for violation of various provisions under the GDPR, the GDPR Implementation Act, the General Administrative Law Act, the Telecommunications Act, the Police Data Act, the Judicial and Criminal Records Act and the elDAS Regulation (Regulation EU No. 910/2014). With this new policy, the DPA has amended its old fining policy, which was revoked on 14 March 2019. According to the DPA, this new policy, in so far as it relates to violations of the GDPR and its implementing legislation, is temporary and applies until the European supervisory authority adopts guidelines at the European level which provide clarity on how the amount of the fines should be determined. These guidelines should ensure that the level of fines for non-compliance with privacy legislation is harmonised throughout the European Union.
Determination of the amount of the fine: structure
First, the new policy makes a distinction between the various legal maximum fines that can be imposed under the aforementioned pieces of legislation. The DPA has created a four-tiered structure within these maximums, categorising the different types of violations. Each category sets a basic amount for the fine and the corresponding bandwidths within which this amount can be altered. Clarification of which violation falls under which category can be found in the annex to the fining policy. The graph below exemplifies the policy for violations of the GDPR. This shows that the fines are most severe for violations that fall under the fourth category. The applied fine bandwidth for this category is between EUR 450,000 and EUR 1,000,000, assuming a basic fine of EUR 725,000.
The amount of the fine in a specific case is determined on the basis of the basic fine, which may be increased or decreased depending on certain factors (Article 7). Examples of such factors include intent, the nature and severity of the infringement, the degree of cooperation with the supervisory authority, and the measures taken by the infringer to limit the damage to the person concerned. The financial capability of the company can also play a role (Article 9). In principle, an increase of the fine will result in a fine no higher than the maximum of the bandwidth of the corresponding category. For the aforementioned example of a fourth-category violation, this would mean that the DPA would (in principle) impose a maximum fine of EUR 1,000,000 for violating the provisions of the GDPR.
Exceptions: higher fines possible
However, it should be remembered that the system discussed above will not always lead to an appropriate fine. Thus, the DPA has created exceptions in the policy that can lead not only to lower fines, but also to fines which surpass the maximum of the bandwidth. The latter applies first when it concerns a repeat offence, in which case the fine can be increased by 50%. Secondly, if the bandwidth and the corresponding basic fine do not allow for an appropriate penalty for a violation of the GDPR, the DPA can forego this structure and impose the maximum fines as set in the GDPR (10 or 20 million euros or a percentage of the total worldwide annual turnover depending on the violation). In our view, the DPA seems to be aiming to keep in line with the very high fines that the European legislator has prescribed for privacy violations under the GDPR.
The DPA’s new fining policy contains no major surprises. With this policy, the DPA takes a large number of factors into account, such as the severity and duration of the infringement, intent, the measures taken and financial capacity, when determining the amount of the fine,. As such, this policy remains in line with the fining policies of other supervisory authorities such as the AFM and the ACM. We have yet to see whether the DPA will use this policy for violations of the GDPR (and its implementing legislation). As soon as guidelines are established at the European level (and it is yet unclear when these will be ready) regarding the determination of the amount of fines for GDPR violations, the new DPA policy will lapse.