The Dutch DPA’s policy rules for determining administrative fines
Co-authored with ICTLC Senior Associate Caroline Poerbodipoero
The Dutch Data Protection Authority (‘DPA’), ‘Autoriteit Persoonsgegevens’, has issued policy rules on the establishment of administrative fines for GDPR infringements (as well as for infringements of Dutch data protection law).
The Dutch DPA categorized the different possible GDPR infringements, ranging from I (less severe) to IV (most severe). Infringements of the principles, illegitimate processing of special categories of data, illegitimate use of national identification numbers, unlawful automated individual decision-making (including profiling) and failure to cooperate with the DPA are considered to be the most severe offences, followed by – among others – failure to notify data breaches, non-compliance with data subject rights, non-compliance with consent requirements and illegitimate transfers.
For each of the four categories, the DPA has set a baseline as well as a minimum and maximum fine amount:
|Category I||fine range between € 0 and € 200,000||Basic fine |
|Category II||fine range between € 120,000 and € 500,000||Basic fine |
|Category III||fine range between € 300,000 and € 750,000||Basic fine |
|Category IV||fine range between € 450,000 and € 1,000,000||Basic fine |
The baseline will be the starting point from which the DPA will decide on the amount for a fine, within the minimum and maximum amounts set for a given category. Depending on the circumstances as also mentioned in art. 83 subsection 2 GDPR, the DPA may go above or beneath the baseline amount within a category. In its determination of fines, the DPA also takes into account the financial capacity of the undertaking involved, so as to avoid bankruptcies.
If the fines established for the category in which the infringement is classified are not considered appropriate (e.g., they are disproportionately high or not dissuasive enough), the DPA can determine the fine according to the amounts established for the category either directly above or below the category in consideration. If the maximum fine established for category IV does not suffice, the DPA can fine higher amounts which may be up to the maximum amounts mentioned in the GDPR. These maximum fines are € 10 million (or for an undertaking up to 2% of the total world-wide annual turnover in the preceding financial year, whichever is higher) or – depending on the infringement – even € 20 million/4% of the annual turnover. In case of multiple infringements relating to the same or similar processing activities, the total fine shall not be higher than the maximum fine established for the most severe infringement.
The maximum administrative fine for the most severe category is € 1 million, which is much lower than the maximum fines which can be imposed under the GDPR. It appears that the Dutch DPA is of the opinion that these lower fines should normally already be dissuasive enough. The maximum fines mentioned in the GDPR would indeed seem astronomically high for the average company or institution. It is, therefore, very welcome that the Dutch DPA established more realistic fines, which provide actual guidance in regular cases. It seems also reasonable to draw a line at € 1 million. Very severe infringements by multinationals, will usually require a more tailor-made approach, that is not easily captured by a policy.
As of today, the Dutch DPA has not imposed any fines under the GDPR. However, they mentioned that this will soon change and it will be interesting to see how this policy will be applied in practice. It is important to realize that imposing fines is just one of the enforcement measures they can take. The DPA already indicated that they will likely choose to impose fines together with one or more corrective measures (such as incremental penalties) in order to combine an element of compensation and punishment with actual pressure to stop the infringement itself.
This policy has been established in the absence of shared guiding principles from the European Data Protection Board and will be used until guidance at the European level is published. The Dutch DPA takes part in a European taskforce which is developing this guidance. The DPA could certainly have some serious influence at European level, since the President of the Dutch DPA, Mr. Aleid Wolfsen, recently became the Vice-President of the EDPB. However, it should also be noted that the methodology used by the DPA is similar to the previous methodology that they had in place before the GDPR entered into force. Therefore, it could quite well also just be a temporary policy, rather than a forerunner of the European guidance.
Please note that:
‘Algemene verordening gegevensbescherming’ = GDPR
‘Uitvoeringswet’ = Implementing law
‘behoudens’ = except
‘lid’ = subsection