On 19 February 2019, the Dutch Data Protection Authority (Dutch DPA) has come up with its own policy for determining the levels of administrative fines
On the basis of the guidelines of the art. 29 working party of what now is the EDPB (European Data Protection Board) and the stipulations on imposing and setting administrative fines as laid down in the GDPR, the Dutch DPA has now formulated its own policy. This to achieve a consistent approach when administrative fines are imposed. The policy adequately reflects all of the principles listed in the EDPB guidelines, which are intended to come to a common understanding of the assessment criteria laid down in article 83 (2) of the GDPR.
In the context of the GDPR and related Dutch privacy legislation, such as the Telecommunication Act, the Dutch DPA has defined four categories with specific ranges and basic fines for each type of legislation.
In the annex of the policy, the type of GDPR infringement is related to a specific GDPR article and these infringements are divided in categories I, II, III, IV (cat I €0 to €200,000, basic fine 100,000, cat II €120,000-€500,000, basic fine €250,000, cat III €300,000-€750,000, basic fine €525,000, cat IV €450,000-€1,000,000, basic fine €725,000). These are relatively low fines, considering the maximum fines listed in article 83 of the GDPR.
The basic fines can be increased or reduced, depending on the relevant factors in article 7 of this policy. These relevant factors are:
- The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of persons affected and the extent of the damage suffered by them.
- The deliberate or careless nature of the infringement.
- The measures taken by the controller or the processor to limit the damage to the data subjects involved.
- The extent to which the controller or the processor is responsible, considering the technical and organizational measures that had to be taken under articles 25 and 32 of the GDPR.
- Previous infringements, where relevant, by the controller or the processor.
- The level of cooperation with the Dutch DPA to remedy the infringement and reduce the possible, negative consequences of it.
- The categories of personal data affected by the infringement.
- The manner in which the Dutch DPA has been notified of the infringement and whether the controller or the processor has reported the infringement.
- In how far the controller or the processor has complied with any previous measures imposed by the Dutch DPA, as referred to in article 58 (2) of the GDPR.
- Compliance with approved codes of conduct in accordance with article 40 of the GDPR or with approved certification mechanisms referred to in article 42 of the GDPR.
- Any other circumstances that may be regarded as aggravating or mitigating factors, such as financial gains realised, or losses avoided, whether or not directly arising from the infringement.
If the specific infringement category in a specific case does not result in what is considered an appropriate fine, the Dutch DPA may either opt for a fine in a specific range or in a higher or lower category or increase the fine by 50%.
In very special circumstances, either the maximum fine of €10 million or € 20 million under article 83 of the GDPR may be imposed or a fine amounting to 2 or 4 per cent of the company’s annual turnover in the relevant financial year. In these situations the Dutch DPA acts outside the limits of the specific ranges referred to in its own policy.
The financial situation of an offender may lead to reduced fines. In case of accumulated infringements, the maximum fine for the most severe infringement will be applicable.
The Dutch DPA is the first DPA who has defined its own policy and perhaps it will inspire the DPAs in other EU countries.