Short Reads

Dutch Data Protection Authority publishes new fining policy

Nieuw boetebeleid van de Autoriteit Persoonsgegevens

Dutch Data Protection Authority publishes new fining policy

21.06.2019 NL law

The Dutch Data Protection Authority ("DPA") has published its new Fining policy for Administrative Fines. The new policy was drafted in response to the lack of such guidelines at the European level following the entering into force of the General Data Protection Regulation ("GDPR"). In the policy, the DPA elaborates on how the amount of fines for infringements of the GDPR, the Police Data Act, the Judicial and Criminal Records Act and the Telecommunications Act will be calculated. In this blog post, we will discuss the outline of this new policy.

Read this article in Dutch 

DPA adapts its fining policy

The Fining policy, published on 14 March 2019, pertains to the fines that can be imposed by the DPA for violation of various provisions under the GDPR, the GDPR Implementation Act, the General Administrative Law Act, the Telecommunications Act, the Police Data Act, the Judicial and Criminal Records Act and the elDAS Regulation (Regulation EU No. 910/2014). With this new policy, the DPA has amended its old fining policy, which was revoked on 14 March 2019. According to the DPA, this new policy, in so far as it relates to violations of the GDPR and its implementing legislation, is temporary and applies until the European supervisory authority adopts guidelines at the European level which provide clarity on how the amount of the fines should be determined. These guidelines should ensure that the level of fines for non-compliance with privacy legislation is harmonised throughout the European Union.

Determination of the amount of the fine: structure

First, the new policy makes a distinction between the various legal maximum fines that can be imposed under the aforementioned pieces of legislation. The DPA has created a four-tiered structure within these maximums, categorising the different types of violations. Each category sets a basic amount for the fine and the corresponding bandwidths within which this amount can be altered. Clarification of which violation falls under which category can be found in the annex to the fining policy. The graph below exemplifies the policy for violations of the GDPR. This shows that the fines are most severe for violations that fall under the fourth category. The applied fine bandwidth for this category is between EUR 450,000 and EUR 1,000,000, assuming a basic fine of EUR 725,000.

tabel

The amount of the fine in a specific case is determined on the basis of the basic fine, which may be increased or decreased depending on certain factors (Article 7). Examples of such factors include intent, the nature and severity of the infringement, the degree of cooperation with the supervisory authority, and the measures taken by the infringer to limit the damage to the person concerned. The financial capability of the company can also play a role (Article 9). In principle, an increase of the fine will result in a fine no higher than the maximum of the bandwidth of the corresponding category. For the aforementioned example of a fourth-category violation, this would mean that the DPA would (in principle) impose a maximum fine of EUR 1,000,000 for violating the provisions of the GDPR.

Exceptions: higher fines possible

However, it should be remembered that the system discussed above will not always lead to an appropriate fine. Thus, the DPA has created exceptions in the policy that can lead not only to lower fines, but also to fines which surpass the maximum of the bandwidth. The latter applies first when it concerns a repeat offence, in which case the fine can be increased by 50%. Secondly, if the bandwidth and the corresponding basic fine do not allow for an appropriate penalty for a violation of the GDPR, the DPA can forego this structure and impose the maximum fines as set in the GDPR (10 or 20 million euros or a percentage of the total worldwide annual turnover depending on the violation). In our view, the DPA seems to be aiming to keep in line with the very high fines that the European legislator has prescribed for privacy violations under the GDPR.

Conclusion

The DPA's new fining policy contains no major surprises. With this policy, the DPA takes a large number of factors into account, such as the severity and duration of the infringement, intent, the measures taken and financial capacity, when determining the amount of the fine,. As such, this policy remains in line with the fining policies of other supervisory authorities such as the AFM and the ACM. We have yet to see whether the DPA will use this policy for violations of the GDPR (and its implementing legislation). As soon as guidelines are established at the European level (and it is yet unclear when these will be ready) regarding the determination of the amount of fines for GDPR violations, the new DPA policy will lapse.

Team

Related news

18.06.2021 NL law
FAQ: Wat houdt het Wetsvoorstel elektronische gegevensuitwisseling in de zorg (Wegiz) in en wat is de verhouding tot de AVG?

Short Reads - (Digitale) gegevensuitwisseling in de zorg is een actueel thema. Illustratief is een item bij EenVandaag van april 2021 waarin de analoge werkwijze bij gegevensuitwisseling in de zorg wordt aangekaart, maar ook dit artikel in het NRC van afgelopen maand waarin verslag werd gedaan van een datalek waardoor duizenden gevoelige patiëntgegevens op straat kwamen te liggen. 

Read more

04.05.2021 NL law
Participatie en privacyregels: hoe te combineren onder de Omgevingswet?

Short Reads - In het stelsel van de Omgevingswet (Ow) is een belangrijke rol bedacht voor participatie bij de totstandkoming van besluiten. Het beoogde resultaat: tijdig belangen, meningen en creativiteit op tafel krijgen en daarmee een groter draagvlak en kwalitatief betere besluitvorming bereiken. Door een grotere betrokkenheid van meer personen gaan overheden en initiatiefnemers ook meer persoonsgegevens verwerken. Dit brengt privacyrisico’s met zich mee. Wat regelt de Ow op het gebied van privacy, de verwerking van persoonsgegevens en datagebruik?

Read more

18.05.2021 NL law
Kroniek: De bestuursrechtelijke aspecten van de AVG

Articles - Tom Barkhuysen, Steven Bastiaans, Fenneke Buskermolen en Fatma Çapkurt (Universiteit Leiden) schreven samen de eerste editie van de nieuwe jaarlijkse NTB kroniek: de bestuursrechtelijke aspecten van de AVG. Hierin bespreken zij onder meer de meest relevante (bestuursrechtelijke) jurisprudentie van het afgelopen jaar op het gebied van de AVG.

Read more

08.04.2021 NL law
Voorzieningenrechter Afdeling: beroep van een niet-belanghebbende toch ontvankelijk wegens het Varkens in nood-arrest

Short Reads - De voorzieningenrechter van de Afdeling bestuursrechtspraak van de Raad van State gaat in een recente uitspraak op voorhand uit van de ontvankelijkheid van een beroep van een persoon die een zienswijze heeft ingediend over een ontwerp-inpassingsplan. Dit terwijl de betreffende persoon geen feitelijke gevolgen van het plan ondervindt en dus geen belanghebbende is.

Read more