On 14 March 2019, the Dutch data protection authority (Autoriteit Persoonsgegevens, DPA) announced (in Dutch) its fining structure for violations of the European General Data Protection Regulation (GDPR) and the Dutch law implementing the GDPR (Implementation Act).
The GDPR sets two tiers of administrative fines, and which tier applies depends on which GDPR provisions have been infringed: up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for the lower tier, and up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the upper tier. In both tiers these amounts are maximums; the GDPR leaves it to the member state supervisory authorities to determine what fine is appropriate in an individual case.
The Dutch DPA has introduced the four categories set out in the table below. While the Dutch DPA has set a default fine for violations in each category, it has also set a range for each category within which the fine can be adjusted to the specifics of a violation.
The first category is reserved for simple violations, such as failing to keep adequate records of the responsibilities of processors or joint controllers, and failing to publish the contact details of the Data Protection Officer (DPO).
The second category is reserved for failures to meet certain requirements for processing, such as not concluding data processing agreements with processors, not securing personal data adequately, not conducting data protection impact assessments, or not guaranteeing the DPO's independence.
Examples of the third category include violations of the transparency requirements, failure to notify data breaches, and failure to cooperate with the Dutch DPA.
The fourth category is reserved for the unlawful processing of special categories of data (including the national identification number), unlawful profiling, and non-compliance with specific orders from the Dutch DPA.
Interestingly, the four Dutch categories do not map onto the two GDPR fine tiers: categories I and II are not limited to violations subject to the lower GDPR maximum of €10 million, nor are categories III and IV limited to violations subject to the higher GDPR maximum of €20 million.
The Dutch DPA will diverge from the default amount if there are mitigating or aggravating circumstances, taking into account factors such as the nature, severity and duration of the violation, the number of affected individuals and the extent of the damage. Most importantly, if even the adjusted amount is deemed not to be fitting, the Dutch DPA can still impose a fine up to the GDPR maximum of €20 million or 4% of worldwide annual turnover, whichever is higher.
Hogan Lovells partners Winston Maxwell and Christine Gateau have previously proposed an alternative GDPR fining approach based on a scoring system.