On March 14, 2019, the Autoriteit Persoonsgegevens, the Dutch data protection authority (the “Dutch DPA”), published its fining policy (the “Policy”) for violations of the European Union (EU) General Data Protection Regulation (“GDPR”) and the Dutch law implementing GDPR (“Implementation Act”). The Policy is important because it is the first example of a national fining policy under the GDPR.
GDPR Fining Policy
Organizations in breach of GDPR can be fined the higher of €10 million or 2% of global turnover for the previous financial year. However, for more severe infringements of the basic principles for data processing, including the conditions for consent, as well as of the data subjects’ fundamental rights under Articles 12-22 of the GDPR, a fine of the higher of €20 million or 4% of global turnover may be imposed.
The Dutch DPA has created a four-tiered structure for the penalties it will administer based on the severity of the violation. While the Dutch DPA has set default fines for violations in each category, it also has set a range to be applied depending on the specifics of an infringement. When calculating a fine, the Dutch DPA will start from the basic fine and increase or decrease the amount depending on the specific factors of the case.
The first category of fines involves simple violations, namely not sufficiently keeping records of the responsibilities of processors or joint controllers, or not publishing the contact details of the Data Protection Officer (DPO).
In the second category, examples include not fulfilling certain requirements for processing, such as not concluding data processing agreements with processors, not sufficiently securing personal data, not conducting impact assessments, or not guaranteeing the DPO’s independence.
The third category refers to violations of transparency, notably failure to disclose data breaches, and not cooperating with the Dutch DPA.
The fourth category pertains to the unlawful processing of special categories of data - including the national identification number - unlawful profiling, and non-compliance with specific orders from the Dutch DPA.
The DPA will only impose punishments higher than the above-mentioned structure should a category four penalty be deemed “not appropriate.” However, Art. 83 GDPR at para. 1 authorizes each supervisory authority to ensure that the imposition of administrative fines arising from infringements of the GDPR is in each individual case “effective, proportionate and dissuasive.”
Under Article 83 of the GDPR, the factors that the Dutch DPA will take into account when deciding whether a fine should fall toward the higher or lower end of the applicable range include:
- the nature, gravity and duration of the violation;
- the nature, scope or purpose of the processing involved;
- the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the violation;
- actions taken by the controller or processor to mitigate the damage;
- the degree of responsibility of the controller or processor and any technical and organisational measures implemented by them;
- relevant previous infringements by the controller or processor;
- the level of cooperation with the supervisory authority to remedy the infringement and mitigate the possible adverse effects of the infringement;
- the categories of personal data affected by the infringement;
- the manner the supervisory authority found out about the violation, namely whether the controller or processor notified the supervisory authority;
- measures previously ordered against the controller or processor regarding the same subject-matter, and compliance with those measures;
- adherence to approved codes of conduct or approved certification mechanisms; and
- any other aggravating or mitigating factors, namely financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
In terms of enforcement history, the Dutch DPA collected an incremental penalty of €48,000 from TGB, a private bank in the Netherlands, for repeatedly failing to comply with a subject access request. It also imposed a penalty of €40,000 on the National Police for failing to check its log files in a regular and proactive manner.
The Dutch DPA also recently published guidance regarding so-called “cookie walls” (the “Guidance”). The Dutch DPA’s conclusion is that it is not compliant with the GDPR for website pop-ups to block users from access to the site unless they consent to the use of tracking cookies. This is an important conclusion for any organization with an EU facing website.
Under GDPR Recital 32, “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data”. The Guidance takes the view that a cookie wall means consent is not freely given, as the user has no choice but to consent in order to access the website. The Dutch DPA suggests that websites should offer users meaningful options for accessing the site without consenting to tracking cookies, such as a pay-for-access model.
Lessons for Canadian Organizations
Organizations processing the data of EU citizens should bear in mind that the GDPR applies to the processing of personal data by controllers and processors in the EU regardless of whether the processing itself takes place in the EU, and regardless of the company’s location, as long as the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour takes place within the EU.
The Dutch DPA’s clarification of its approach to fining organizations under the GDPR is welcome because it helps define the parameters of the playing field. Organizations in Canada and around the world should be cognizant of both the Dutch DPA’s GDPR fining policy and its guidance on cookie walls as they continuously improve their compliance programs.