What does this cover?

The competence of the Dutch Data Protection Authority (DDPA) to impose administrative fines will be considerably extended as of 1 January 2016. On this date, a new law enters into force enabling the DDPA to impose fines of up to EUR 810.000 or 10% of the offender’s net revenue. To provide those who are responsible for processing personal data with insight into when and how large a fine might be imposed when in breach of the law, the DDPA published on 22 October 2015 draft guidelines for public consultation (Guidelines).

The Guidelines introduce three categories of administrative fines, capped respectively at EUR 810.000, EUR 450.000 and EUR 20.250. Further, each category is split into two or three bands. The Guidelines set out which categories will apply to which parts of which legislation, including certain articles and/or paragraphs of the Dutch Data Protection Act, the Dutch Telecommunications Act and legal provisions regarding processing of police and judicial personal data.

The highest category of fines can be imposed if, for example, the data protection principles (e.g. legal basis, purpose limitation and data security), the prohibition to process special categories of personal data (i.e. sensitive personal data) or profiling rules are breached. The DDPA cannot, however, impose fines in respect of all provisions of the Dutch Data Protection Act; it can no longer impose fines for not fulfilling the duty to notify processing of personal data, nor can the DDPA impose fines for infringements such as the lack of a data protection agreement. The Guidelines do not clarify whether the DDPA can nevertheless impose fines in such cases, where they involve the violation of other provisions (such as the data protection principles).

In case of a punishable violation, the DDPA first determines the ‘basic fine’ within a band of the designated category. A fine can be increased or decreased within the limits of the band depending upon the seriousness of the violation. The factors the DDPA takes into account for such assessment include:

  • the nature and scope of the violation;  
  • the duration of the violation;  
  • the impact of the violation on data subjects and/or society;  
  • the extent to which the violation can be imputed to the offender; and  
  • the circumstances under which the violation was committed, including the (financial) circumstances of the offender.  

The responsiveness of offenders and their attitude towards the DDPA may also impact the amount of the fine. Fines can be increased if the offender has committed the same or a similar offence before (by 50%), or if the offender counters or hinders the DDPA’s investigation. On the other hand, a fine can be decreased if offenders:

  • cooperate in a way that is more far-reaching than they are legally required to do;  
  • stop the violation of their own volition either before or after they become aware of the DDPA’s investigation;  
  • indemnify those harmed.  

The DDPA retains the power to deviate from the band if it would not provide a ‘suitable punishment’. This includes being able to impose a maximum fine of 10% of the offender’s yearly net revenue if a fine of EUR 810.000 under the highest category is not deemed sufficient.

Although the DDPA now has increased competence to impose fines, this competence is significantly restricted, as in most cases the DDPA has to provide a ‘binding instruction’ in advance. Therefore, offenders are given the opportunity to repair their violation(s) before having to pay any fine. The DDPA can only directly impose administrative fines if the violation was committed intentionally, or was the result of gross negligence.

What action could be taken to manage risks that may arise from this development?

Financial services companies should keep up to date with the developments in this area because, once implemented, it may increase the financial risk arising from data protection law violations.

Please note the deadline for submitting comments on the Guidelines has now passed. Financial services companies should await the final version of the guidelines which should become available shortly.

Submitted by Nicole Wolters Ruckert and Leonie von Sloten of Kennedy Van der Laan – Amsterdam, The Netherlands in partnership with DAC Beachcroft.