Dutch DPA Issues Policy on GDPR Fines
The Dutch Data Protection Agency (Autoriteit Persoonsgegevens) issued a policy on GDPR fines last week to bring additional clarity, guidance and standards to its decisions to levy fines under the European Union General Data Protection Regulation (GDPR). GDPR permits Data Protection Authorities to issue penalties of up to 4% of an organization’s global annual revenue (or up to 20 million euros, whichever is higher) for certain violations. However, according to the ranges provided, standard fines will fall well short of that maximum.
The Dutch DPA has allocated to each violation a range of possible fines between 0 and 1 million euros, and has also set forth a list of relevant factors that it will take into account, as applicable. The factors include:
– The nature, seriousness and duration of the infringement taking into account the nature of the processing, the number of affected data subjects, and the size of the damage suffered;
– Whether it was intentional or negligent;
– The measures taken to limit the damage suffered;
– Responsibility in light of its implementation of Articles 25 and 32;
– Any previous relevant breaches;
– Any cooperation to prevent the infringement and mitigate negative consequences;
– The categories of personal data involved;
– If the controller / processor reported the violation;
– Alignment with Article 40 codes of conduct and Article 42 approved certification mechanisms;
– Any other aggravating or mitigating factor, such as financial gains made or losses avoided.
The Dutch DPA also provided lists of the articles (sometimes split by paragraph) to indicate the category into which each falls. Here is how a few of the GDPR articles were placed in the fine categories (these are only representative examples – there are more listed in the document):
Category I (0 – 200,000 Euros):
Article 26 (Joint controllers)
Article 11 (Processing which does not require identification)
Category II (120,000 – 500,000 Euros):
Article 25 (Data protection by design and by default)
Article 32 (Security of Processing)
Article 36 (Prior consultation)
Category III (300,000 – 750,000 Euros):
Article 6 (Lawfulness of processing)
Article 7 (Conditions for permission)
Article 13 & 14 (Information to be provided …)
Article 15 (Right of access)
Article 17 (Right to erasure)
Article 20 (Right to data portability)
Article 31 (Cooperation with the Supervisory Authority)
Category IV (450,000 – 1,000,000 Euros):
Article 9 (Processing of special data)
Article 22 (Automated individual decision making, including profiling)
The document also provides other guidance on how fines will be set:
The ranges will only be applied to violations of the GDPR occurring on or after May 25, 2018. If the allocated range of fines is not appropriate to the specific case, the Dutch DPA can use a higher or lower one. In the event that there are multiple violations arising from the same or related processing activities, the total fine does not exceed the statutory maximum fine for the most serious violation. The Dutch DPA can also take into account the financial circumstances of the organization.
The document is in Dutch and no official translation was provided. Google Translate was used to produce an unofficial translation, so all references should be verified. There has been no indication whether other Data Protection Authorities will produce similar lists.
The PDF of the released document can be found by clicking here. The Dutch DPA has been relatively active recently; not long ago it also stated that cookie walls were not permitted because consent obtained through them is not freely given under GDPR.