On March 14, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, DPA) published on Netherlands Official Gazette its own General Data Protection Regulation (GDPR) fining policy.
It is the first European Union (EU) country to do so.
Article 83, GDPR, provides that DPAs can issue to controllers and processors “effective, proportionate and dissuasive” administrative fines for infringements of the Regulation. For some violations, the fines will be “up to 10,000,000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher” while for other violations “up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher”. GDPR Article 83(4), (5) and (6) provide a list of those violations.
The new Dutch GDPR fining policy divides the GDPR violations in five categories based on their maximum fines:
- Annex 1 lists violations with a legal maximum fine of € 10,000,000 or, for a company, up to 2% of the total worldwide annual turnover
- Annex 2 lists violations with a legal maximum fine of € 20,000,000 or, for a company, up to 4% of the total worldwide annual turnover
- Annex 3 lists violations with a legal maximum fine of € 900,000
- Annex 4 lists violations with a legal maximum fine of € 830,000
- Annex 5 lists violations with a legal maximum fine of € 83,000
Then for each category the DPA sets forth up to four sub-categories based on company’s size, minimum and maximum fine. For each sub-category it declares a “basic fine”. For example, if a company’s maximum fine is €10 million, it might face the following fines for less severe violations:
- Category I: fine from €0 to €200,000; basic fine is €100,000;
- Category II: fine from €120,000 to €500,000; basic fine is €310,000;
- Category III: fine from €300,000 to €750,000; basic fine is €525,000;
- Category IV: fine from €450,000 to €1 million; basic fine is €725,000.
Article 7 takes into account the following factors, which reflect the assessment criteria pointed out by WP29, see here:
- the nature, gravity and duration of the infringement;
- the intentional or negligent nature of the infringement;
- the measures taken by the controller or processor to limit the damages;
- the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them;
- previous relevant violations by the controller or processor;
- the degree of cooperation with the supervisory authority to remedy the infringement and to limit its possible negative effects;
- the categories of personal data breached;
- the manner in which the supervisory authority has become aware of the infringement;
- compliance with the measures referred to in Article 58.2, GDPR;
- alignment with approved codes of conduct; and
- any other aggravating or mitigating factor applicable to the circumstances, such as financial gains made or losses avoided.
The DPPA policy dated February 19, 2019 with regard to determining the level of administrative fines (Beleidsregels van de Autoriteit Persoonsgegevens van 19 februari 2019 met betrekking tot het bepalen van de hoogte van bestuurlijke boetes (Boetebeleidsregels Autoriteit Persoonsgegevens 2019), Government Gazette 2019, 14586, is available at https://zoek.officielebekendmakingen.nl…
WP29 published criteria for appropriate administrative fines in GDPR’s breach WP29 published criteria for appropriate administrative fines in GDPR’s breach