Short Reads

Dutch Data Protection Authority publishes new fining policy

Nieuw boetebeleid van de Autoriteit Persoonsgegevens

Dutch Data Protection Authority publishes new fining policy

21.06.2019 NL law

The Dutch Data Protection Authority ("DPA") has published its new Fining policy for Administrative Fines. The new policy was drafted in response to the lack of such guidelines at the European level following the entering into force of the General Data Protection Regulation ("GDPR"). In the policy, the DPA elaborates on how the amount of fines for infringements of the GDPR, the Police Data Act, the Judicial and Criminal Records Act and the Telecommunications Act will be calculated. In this blog post, we will discuss the outline of this new policy.

Read this article in Dutch 

DPA adapts its fining policy

The Fining policy, published on 14 March 2019, pertains to the fines that can be imposed by the DPA for violation of various provisions under the GDPR, the GDPR Implementation Act, the General Administrative Law Act, the Telecommunications Act, the Police Data Act, the Judicial and Criminal Records Act and the elDAS Regulation (Regulation EU No. 910/2014). With this new policy, the DPA has amended its old fining policy, which was revoked on 14 March 2019. According to the DPA, this new policy, in so far as it relates to violations of the GDPR and its implementing legislation, is temporary and applies until the European supervisory authority adopts guidelines at the European level which provide clarity on how the amount of the fines should be determined. These guidelines should ensure that the level of fines for non-compliance with privacy legislation is harmonised throughout the European Union.

Determination of the amount of the fine: structure

First, the new policy makes a distinction between the various legal maximum fines that can be imposed under the aforementioned pieces of legislation. The DPA has created a four-tiered structure within these maximums, categorising the different types of violations. Each category sets a basic amount for the fine and the corresponding bandwidths within which this amount can be altered. Clarification of which violation falls under which category can be found in the annex to the fining policy. The graph below exemplifies the policy for violations of the GDPR. This shows that the fines are most severe for violations that fall under the fourth category. The applied fine bandwidth for this category is between EUR 450,000 and EUR 1,000,000, assuming a basic fine of EUR 725,000.

tabel

The amount of the fine in a specific case is determined on the basis of the basic fine, which may be increased or decreased depending on certain factors (Article 7). Examples of such factors include intent, the nature and severity of the infringement, the degree of cooperation with the supervisory authority, and the measures taken by the infringer to limit the damage to the person concerned. The financial capability of the company can also play a role (Article 9). In principle, an increase of the fine will result in a fine no higher than the maximum of the bandwidth of the corresponding category. For the aforementioned example of a fourth-category violation, this would mean that the DPA would (in principle) impose a maximum fine of EUR 1,000,000 for violating the provisions of the GDPR.

Exceptions: higher fines possible

However, it should be remembered that the system discussed above will not always lead to an appropriate fine. Thus, the DPA has created exceptions in the policy that can lead not only to lower fines, but also to fines which surpass the maximum of the bandwidth. The latter applies first when it concerns a repeat offence, in which case the fine can be increased by 50%. Secondly, if the bandwidth and the corresponding basic fine do not allow for an appropriate penalty for a violation of the GDPR, the DPA can forego this structure and impose the maximum fines as set in the GDPR (10 or 20 million euros or a percentage of the total worldwide annual turnover depending on the violation). In our view, the DPA seems to be aiming to keep in line with the very high fines that the European legislator has prescribed for privacy violations under the GDPR.

Conclusion

The DPA's new fining policy contains no major surprises. With this policy, the DPA takes a large number of factors into account, such as the severity and duration of the infringement, intent, the measures taken and financial capacity, when determining the amount of the fine,. As such, this policy remains in line with the fining policies of other supervisory authorities such as the AFM and the ACM. We have yet to see whether the DPA will use this policy for violations of the GDPR (and its implementing legislation). As soon as guidelines are established at the European level (and it is yet unclear when these will be ready) regarding the determination of the amount of fines for GDPR violations, the new DPA policy will lapse.

Team

Related news

21.02.2020 NL law
Podcast: Data en financiële instellingen

Short Reads - In deze podcast praten Roderik Vrolijk en Frederiek Fernhout van Stibbe in Amsterdam en Joran Iedema van Stibbe StartsUP-deelnemer Dyme over Fintech, PSD2 en het gebruik van data door financiële instellingen. Aan de ene kant biedt nieuwe regelgeving zoals PSD2 nieuwe mogelijkheden, aan de andere kant neemt de regeldruk en het toezicht op bescherming van persoonsgegevens toe.

Read more

24.01.2020 NL law
Can the government refrain from imposing enforcement measures if it is not within the offender’s power to comply with a standard?

Short Reads - What should be done if a stakeholder makes a request to the government for enforcement to rectify violations in a scenario where the offender does not have full power to comply because of a reliance on third parties? The Administrative Division of the Dutch Council of State ruled on 23 January 2019 that an administrative body cannot simply reject an enforcement request in such a situation, but must consider whether, for example, the imposition of an order subject to a penalty payment may provide an incentive for the actual termination of the violation.

Read more

15.01.2020 NL law
Consultatiereactie 'Wet plan van aanpak witwassen'

Short Reads - Soeradj Ramsanjhal, Karlijn van den Heuvel, Djoe Kuils, Rogier Raas, Judica Krikke en Muriël Rosing hebben een reactie ingediend op het concept wetsvoorstel ‘Wet plan van aanpak witwassen’. Dit wetsvoorstel is 2 december 2019 in consultatie gegaan en bevat verschillende voorgestelde wijzigingen van de Wet ter voorkoming van witwassen en financieren van terrorisme en de Wet op de economische delicten. 

Read more

06.02.2020 NL law
Wet zorgplicht kinderarbeid gepubliceerd in het Staatsblad

Short Reads - Op 13 november 2019 is de Wet zorgplicht kinderarbeid in het Staatsblad gepubliceerd. Op grond van deze wet geldt voor elke onderneming die aan Nederlandse eindgebruikers goederen verkoopt of diensten levert dat gepaste zorgvuldigheid moet worden betracht om te voorkomen dat die goederen en/of diensten met behulp van kinderarbeid tot stand zijn gekomen. Het is nog niet bekend wanneer de wet in werking zal treden.

Read more

This website uses cookies. Some of these cookies are essential for the technical functioning of our website and you cannot disable these cookies if you want to read our website. We also use functional cookies to ensure the website functions properly and analytical cookies to personalise content and to analyse our traffic. You can either accept or refuse these functional and analytical cookies.

Privacy – en cookieverklaring