Dutch Data Protection Authority publishes new fining policy

21.06.2019 NL law

The Dutch Data Protection Authority ("DPA") has published its new Fining policy for Administrative Fines. The new policy was drafted in response to the lack of such guidelines at the European level following the entry into force of the General Data Protection Regulation ("GDPR"). In the policy, the DPA elaborates on how the amount of fines for infringements of the GDPR, the Police Data Act, the Judicial and Criminal Records Act and the Telecommunications Act will be calculated. In this blog post, we will discuss the outline of this new policy.

DPA adapts its fining policy

The Fining policy, published on 14 March 2019, pertains to the fines that can be imposed by the DPA for violation of various provisions under the GDPR, the GDPR Implementation Act, the General Administrative Law Act, the Telecommunications Act, the Police Data Act, the Judicial and Criminal Records Act and the eIDAS Regulation (Regulation EU No. 910/2014). With this new policy, the DPA has amended its old fining policy, which was revoked on 14 March 2019. According to the DPA, this new policy, in so far as it relates to violations of the GDPR and its implementing legislation, is temporary and applies until the European supervisory authority adopts guidelines at the European level which provide clarity on how the amount of the fines should be determined. These guidelines should ensure that the level of fines for non-compliance with privacy legislation is harmonised throughout the European Union.

Determination of the amount of the fine: structure

First, the new policy makes a distinction between the various legal maximum fines that can be imposed under the aforementioned pieces of legislation. The DPA has created a four-tiered structure within these maximums, categorising the different types of violations. Each category sets a basic amount for the fine and the corresponding bandwidths within which this amount can be altered. Clarification of which violation falls under which category can be found in the annex to the fining policy. The graph below exemplifies the policy for violations of the GDPR. This shows that the fines are most severe for violations that fall under the fourth category. The applied fine bandwidth for this category is between EUR 450,000 and EUR 1,000,000, assuming a basic fine of EUR 725,000.

[Table]

The amount of the fine in a specific case is determined on the basis of the basic fine, which may be increased or decreased depending on certain factors (Article 7). Examples of such factors include intent, the nature and severity of the infringement, the degree of cooperation with the supervisory authority, and the measures taken by the infringer to limit the damage to the person concerned. The financial capability of the company can also play a role (Article 9). In principle, an increase of the fine will result in a fine no higher than the maximum of the bandwidth of the corresponding category. For the aforementioned example of a fourth-category violation, this would mean that the DPA would (in principle) impose a maximum fine of EUR 1,000,000 for violating the provisions of the GDPR.

Exceptions: higher fines possible

However, it should be remembered that the system discussed above will not always lead to an appropriate fine. Thus, the DPA has created exceptions in the policy that can lead not only to lower fines, but also to fines which surpass the maximum of the bandwidth. The latter applies first when it concerns a repeat offence, in which case the fine can be increased by 50%. Secondly, if the bandwidth and the corresponding basic fine do not allow for an appropriate penalty for a violation of the GDPR, the DPA can forgo this structure and impose the maximum fines as set in the GDPR (10 or 20 million euros or a percentage of the total worldwide annual turnover depending on the violation). In our view, the DPA seems to be aiming to keep in line with the very high fines that the European legislator has prescribed for privacy violations under the GDPR.

Conclusion

The DPA's new fining policy contains no major surprises. With this policy, the DPA takes a large number of factors into account, such as the severity and duration of the infringement, intent, the measures taken and financial capacity, when determining the amount of the fine. As such, this policy remains in line with the fining policies of other supervisory authorities such as the AFM and the ACM. We have yet to see whether the DPA will use this policy for violations of the GDPR (and its implementing legislation). As soon as guidelines are established at the European level (and it is yet unclear when these will be ready) regarding the determination of the amount of fines for GDPR violations, the new DPA policy will lapse.
