Short Reads

Dutch Data Protection Authority publishes new fining policy


21.06.2019 NL law

The Dutch Data Protection Authority ("DPA") has published its new Fining policy for Administrative Fines. The new policy was drafted in response to the lack of such guidelines at the European level following the entry into force of the General Data Protection Regulation ("GDPR"). In the policy, the DPA elaborates on how the amount of fines for infringements of the GDPR, the Police Data Act, the Judicial and Criminal Records Act and the Telecommunications Act will be calculated. In this blog post, we will discuss the outline of this new policy.


DPA adapts its fining policy

The Fining policy, published on 14 March 2019, pertains to the fines that can be imposed by the DPA for violation of various provisions under the GDPR, the GDPR Implementation Act, the General Administrative Law Act, the Telecommunications Act, the Police Data Act, the Judicial and Criminal Records Act and the eIDAS Regulation (Regulation EU No. 910/2014). With this new policy, the DPA has amended its old fining policy, which was revoked on 14 March 2019. According to the DPA, this new policy, in so far as it relates to violations of the GDPR and its implementing legislation, is temporary and applies until the European supervisory authority adopts guidelines at the European level which provide clarity on how the amount of the fines should be determined. These guidelines should ensure that the level of fines for non-compliance with privacy legislation is harmonised throughout the European Union.

Determination of the amount of the fine: structure

First, the new policy makes a distinction between the various legal maximum fines that can be imposed under the aforementioned pieces of legislation. The DPA has created a four-tiered structure within these maximums, categorising the different types of violations. Each category sets a basic amount for the fine and the corresponding bandwidths within which this amount can be altered. Clarification of which violation falls under which category can be found in the annex to the fining policy. The graph below exemplifies the policy for violations of the GDPR. This shows that the fines are most severe for violations that fall under the fourth category. The applied fine bandwidth for this category is between EUR 450,000 and EUR 1,000,000, assuming a basic fine of EUR 725,000.

[Table]

The amount of the fine in a specific case is determined on the basis of the basic fine, which may be increased or decreased depending on certain factors (Article 7). Examples of such factors include intent, the nature and severity of the infringement, the degree of cooperation with the supervisory authority, and the measures taken by the infringer to limit the damage to the person concerned. The financial capability of the company can also play a role (Article 9). In principle, an increase of the fine will result in a fine no higher than the maximum of the bandwidth of the corresponding category. For the aforementioned example of a fourth-category violation, this would mean that the DPA would (in principle) impose a maximum fine of EUR 1,000,000 for violating the provisions of the GDPR.

Exceptions: higher fines possible

However, it should be remembered that the system discussed above will not always lead to an appropriate fine. Thus, the DPA has created exceptions in the policy that can lead not only to lower fines, but also to fines which surpass the maximum of the bandwidth. The latter applies first when it concerns a repeat offence, in which case the fine can be increased by 50%. Secondly, if the bandwidth and the corresponding basic fine do not allow for an appropriate penalty for a violation of the GDPR, the DPA can forego this structure and impose the maximum fines as set in the GDPR (10 or 20 million euros or a percentage of the total worldwide annual turnover depending on the violation). In our view, the DPA seems to be aiming to keep in line with the very high fines that the European legislator has prescribed for privacy violations under the GDPR.

Conclusion

The DPA's new fining policy contains no major surprises. With this policy, the DPA takes a large number of factors into account, such as the severity and duration of the infringement, intent, the measures taken and financial capacity, when determining the amount of the fine. As such, this policy remains in line with the fining policies of other supervisory authorities such as the AFM and the ACM. We have yet to see whether the DPA will use this policy for violations of the GDPR (and its implementing legislation). As soon as guidelines are established at the European level (and it is yet unclear when these will be ready) regarding the determination of the amount of fines for GDPR violations, the new DPA policy will lapse.
