On 19 February 2019, the Dutch Data Protection Authority (Dutch DPA) has come up with its own policy for determining the levels of administrative fines

 in IT-recht, Privacy

On the basis of the guidelines of the art. 29 working party of what now is the EDPB (European Data Protection Board) and the stipulations on imposing and setting administrative fines as laid down in the GDPR, the Dutch DPA has now formulated its own policy. This to achieve a consistent approach when administrative fines are imposed. The policy adequately reflects all of the principles listed in the EDPB guidelines, which are intended to come to a common understanding of the assessment criteria laid down in article 83 (2) of the GDPR.

In the context of the GDPR and related Dutch privacy legislation, such as the Telecommunication Act, the Dutch DPA has defined four categories with specific ranges and basic fines for each type of legislation.

In the annex of the policy, the type of GDPR infringement is related to a specific GDPR article and these infringements are divided in categories I, II, III, IV (cat I €0 to €200,000, basic fine 100,000, cat II €120,000-€500,000, basic fine €250,000, cat III €300,000-€750,000, basic fine €525,000, cat IV €450,000-€1,000,000, basic fine €725,000). These are relatively low fines, considering the maximum fines listed in article 83 of the GDPR.

The basic fines can be increased or reduced, depending on the relevant factors in article 7 of this policy. These relevant factors are:

  • The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of persons affected and the extent of the damage suffered by them.
  • The deliberate or careless nature of the infringement.
  • The measures taken by the controller or the processor to limit the damage to the data subjects involved.
  • The extent to which the controller or the processor is responsible, considering the technical and organizational measures that had to be taken under articles 25 and 32 of the GDPR.
  • Previous infringements, where relevant, by the controller or the processor.
  • The level of cooperation with the Dutch DPA to remedy the infringement and reduce the possible, negative consequences of it.
  • The categories of personal data affected by the infringement.
  • The manner in which the Dutch DPA has been notified of the infringement and whether the controller or the processor has reported the infringement.
  • In how far the controller or the processor has complied with any previous measures imposed by the Dutch DPA, as referred to in article 58 (2) of the GDPR.
  • Compliance with approved codes of conduct in accordance with article 40 of the GDPR or with approved certification mechanisms referred to in article 42 of the GDPR.
  • Any other circumstances that may be regarded as aggravating or mitigating factors, such as financial gains realised, or losses avoided, whether or not directly arising from the infringement.

If the specific infringement category in a specific case does not result in what is considered an appropriate fine, the Dutch DPA may either opt for a fine in a specific range or in a higher or lower category or increase the fine by 50%.

In very special circumstances, either the maximum fine of €10 million or € 20 million under article 83 of the GDPR may be imposed or a fine amounting to 2 or 4 per cent of the company’s annual turnover in the relevant financial year. In these situations the Dutch DPA acts outside the limits of the specific ranges referred to in its own policy.

The financial situation of an offender may lead to reduced fines. In case of accumulated infringements, the maximum fine for the most severe infringement will be applicable.
The Dutch DPA is the first DPA who has defined its own policy and perhaps it will inspire the DPAs in other EU countries.

Recente berichten
  • 9 december 2019

    Wet arbeidsmarkt in balans (WAB) en slapende dienstverbanden

    Marion Hagenaars
    Met ingang van 1 januari 2020 treedt de Wet arbeidsmarkt in balans (WAB) in werking. Het doel van deze wet is om de balans tussen vaste en flexibele arbeidsovereenkomsten te verbeteren. Opnieuw wijzigt het arbeidsrecht op belangrijke onderdelen. Verder heeft de Hoge Raad zich recent uitgelaten over de slapende dienstverbanden. In dit bericht wordt achtereenvolgens
    Lees verder
  • 9 december 2019

    Uitnodiging bijeenkomst: Actualiteiten arbeidsrecht voor HR-professionals 14 januari 2020

    Marion Hagenaars
    Nieuwe wet- en regelgeving volgen elkaar in hoog tempo op met grote gevolgen voor de HR-praktijk. Tijdens deze bijeenkomst worden de belangrijkste arbeidsrechtelijke ontwikkelingen van 2019 en het nieuwe recht per 1 januari 2020 besproken. Hierbij worden praktische handvatten voor uw dagelijkse praktijk aangeboden. Wat staat er op het programma: de Wet Arbeidsmarkt in Balans
    Lees verder
  • 31 oktober 2019

    Uw ziekmelding wordt niet geaccepteerd! Of toch wel?

    Marion Hagenaars
    Lastige gesprekken met werknemers. Over functioneren, samenwerkingsproblemen, houding en gedrag. En dan – u had het al voorzien – een ziekmelding. Soms met een enkel WhatsApp bericht. U bent geen arts, maar bij een ziekmelding in dergelijke omstandigheden plaatst u vraagtekens. Er lijkt immers meer sprake te zijn van een “vlucht in ziekte”. U besluit
    Lees verder

Plaats een reactie

Top