Dutch DPA published GDPR-fining structure
Published on 22nd Mar 2019
Under the GDPR, the amount of potential fines are substantially increased (up to maximum EUR 20 million). The Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (AP), has recently published its fining policy (the Policy) under the GDPR.
‘Four-category’ structure
In essence, the AP has created a ‘four category’ structure for the fines it will administer based on the seriousness of the breach. Each category contains a bandwidth with a minimum and maximum amount. Within these bandwidths, the AP determined a 'base fine’ which it uses as the starting point in determining the fine in each individual case. The base fine consists of the minimum of the bandwidth plus half of the bandwidth.
Category I | Fine bandwidth between € 0 and € 200.000 | Base fine: € 100.000 |
Category II | Fine bandwidth between € 120.000 and € 500.000 | Base fine: € 310.000 |
Category III | Fine bandwidth between € 300.000 and € 750.000 | Base fine: € 525.000 |
Category IV | Fine bandwidth between € 450.000 and € 1.000.000 | Base fine: € 725.000 |
This base fine may subsequently be increased or decreased by the AP, based on a number of factors, inter alia:
- the seriousness and the duration of the infringement;
- the purposes of the processing;
- the categories of data and number of affected data subjects;
- the extent of the damage suffered and measures taken to limit the damage;
- the intentional or negligent nature of the infringement;
- previous relevant breaches;
- the extent to which there has been cooperation with the supervisory authority in order to remedy the infringement and to limit its possible negative consequences; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made or losses avoided, whether directly or indirectly resulting from the infringement.
Although the four categories as determined by the AP are substantially lower than the maximum fines that may be imposed under the GDPR, the Policy allows the AP to impose a fine up to the maximum as determined in the GDPR, if it is of the opinion that the maximum amount of the applicable category does not constitute a sufficient fine in a relevant case. However, in such cases the AP will have to substantiate why it is of the opinion that the maximum amount of the applicable category is not a sufficient penalty in an individual case.
GDPR clauses by fine category
The Policy contains various annexes that set out in which category the offence should fall.
Failure to comply with ‘minor’ obligations of the GDPR fall within category 1, such as failure to put a data processing agreement in writing, failure to seek the views of data subjects as part of a DPIA and failure to publish the contact details of the DPO.
Most GDPR breaches fall within category 2 and 3, including principles relating to processing and lawfulness of processing, transparency, data subject rights privacy by design and default, engaging processors, security of processing and data breach notifications.
Unsurprisingly, failure to comply with GDPR clauses on processing of special categories of data, automated decision-making, processing national identification number and unlawful processing of criminal data fall within the highest category (category 4).
The AP notes the Policy will be updated if and when the European Data Protection Board (EDPB) publishes its uniform policy on GDPR fines.
You can find the Dutch version of the Policy here.