On March 14, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a press release announcing its policy (in Dutch) for calculating administrative fines (the “Policy”).
The Dutch DPA has the power to impose administrative fines for violations of the EU General Data Protection Regulation (“GDPR”), the Dutch law implementing the GDPR, the Police Data Act, the Judicial Data and Criminal Records Act, the Telecommunications Act, the Electronic Identification, Authentication and Trust Services (eIDAS) Regulation and the General Administrative Law Act.
The Policy provides insight into how the Dutch DPA will use its fining powers. The Dutch DPA divided qualifying infringements into three or four categories, depending on the provision infringed. It assigned each category a specific penalty bandwidth (i.e., a range between a minimum fine and a maximum fine), as well as a basic fine. When calculating a fine, the Dutch DPA will start from the basic fine (i.e., the midpoint of the bandwidth, being 50% of the sum of its minimum and maximum amounts) and increase or decrease the amount depending on various case-specific factors. The Dutch DPA will, in particular, take into account (1) the nature, seriousness and duration of the violation; (2) the number of data subjects affected; (3) the extent of the damage and of the data compromised; (4) the intentional or negligent nature of the violation; (5) the measures adopted to mitigate the damage; (6) the measures that were implemented to ensure compliance with the GDPR, including information security measures; (7) prior violations; (8) the level of cooperation with the DPA; (9) the types of data involved; (10) how the DPA became aware of the violation, including whether (and if so, to what extent) the data controller or processor reported the violation itself; (11) adherence to approved codes of conduct or certification mechanisms; and (12) any other applicable aggravating or mitigating factors, such as any profits gained or losses avoided. In certain cases, the Dutch DPA may also consider the financial situation of the data controller or processor. In the event of repeated offenses, the Dutch DPA will generally increase the fine by 50%, without exceeding the maximum fine laid down by law. For organizations, factors (6) and (10) are the ones most directly within their control: documented security measures in place before the incident, and prompt self-reporting of a breach, both weigh in favor of a lower fine.
The maximum amount identified for the most severe violations of the GDPR (i.e., category IV infringements, such as failing to abide by the requirements for processing sensitive personal data) is €1,000,000. The Policy, however, allows the Dutch DPA to impose a higher fine, up to the statutory maximum (under the GDPR, €20,000,000 or 4% of worldwide annual turnover, whichever is higher), if it decides that the maximum amount of the relevant bandwidth would not be an appropriate penalty in a particular case.
The Dutch DPA will apply this Policy for as long as no guidelines for calculating administrative fines have been adopted at EU level.