The Dutch Data Protection Authority (DPA) released its GDPR fining policy on 14 March 2019, becoming the first EU Member State supervisory authority to set out a structure for calculating administrative fines for failing to comply with the GDPR.
Four categories of fines plus an aggravating category
The legal maximum monetary fine that can be imposed on a party breaching the GDPR is €20 million or up to 4 per cent of the company’s worldwide annual turnover, whichever amount is higher. Given this broad (and very high) ceiling, the Dutch DPA has taken a step forward by categorising violations of the GDPR into four tiers of fines. According to its fining policy, the category of fine is determined by the nature, seriousness and duration of the violation, as well as the number of individuals involved in or affected by the breached obligation.
Each of the four penalty categories sets a minimum amount for the fine, which can then be increased or decreased on a case-by-case basis:
- Category I: between €0 and €200,000
- Category II: between €120,000 and €500,000
- Category III: between €300,000 and €725,000
- Category IV: between €450,000 and €1 million
According to the DPA’s policy, Category I will include minor breaches, for instance a failure to comply with a person’s right to rectification or erasure, or a failure to agree a written data processing agreement with processors. Categories II and III will, however, cover the majority of possible GDPR breaches, allowing the regulator to retain discretion when deciding how to move the yardstick between the categories. A failure to comply with the principles relating to processing (breach of Article 5), the obligation surrounding the lawfulness of processing (breach of Article 6) or the requirement to ensure proper transparency (breach of Article 12), a failure to comply with certain of the data subjects’ rights, or a breach of the obligations regarding data breach notifications and data transfers, will fall into one of these two middle categories. Naturally, Category IV will lend itself to more serious breaches, such as violations involving the processing of special categories of personal data, automated individual decision-making (profiling) and any unlawful processing of criminal data.
Furthermore, in scenarios where the maximum fine in Category IV is deemed “not appropriate”, the Dutch DPA’s fining policy states that the regulator can fine an amount higher than €1 million and up to the maximum permitted by Article 83 of the GDPR. However, the fining policy does not provide guidance on the types of violations the DPA would consider “not appropriate” for Category IV.
This new fining structure is intended to provide transparency and an understanding of what a monetary fine from the Dutch DPA would entail. However, some practitioners have criticised the new guidelines for being too broad and argued that the policy has not really provided much clarity as to the approach the regulator will take to fining. While the policy has introduced minimum and maximum levels of fines depending on the category of the violation and has classified different GDPR breaches into the four categories, the policy does not provide much detailed guidance, therefore leaving the regulator with a significant level of broad-brush discretion.
Will the UK watchdog follow suit?
Pre-GDPR, the UK Information Commissioner’s Office (ICO) and the Dutch DPA joined forces in the investigation of Uber’s data processing practices during a 2016 data breach. The ICO fined the company £385,000, while the Dutch DPA separately imposed a fine of €600,000. The UK regulator’s lesser amount was based on the five bands established under the Data Protection Act 1998. However, the ICO was instrumental in establishing the general conditions for administrative fines under Article 83 of the GDPR, and with the launch of this first GDPR fining policy in the Netherlands, one can expect other regulators to follow. As we understand, the ICO is indeed reconsidering a new fining matrix, in conjunction with other European supervisory authorities, to calculate monetary penalties under the GDPR administrative fines structure.