The Dutch Data Protection Authority (DPA) released its GDPR fining policy on 14 March 2019, becoming the first EU Member State supervisory authority to set out a structure for calculating administrative fines for failing to comply with the GDPR.
Four categories of fines plus an aggravating category
The legal maximum monetary fine that can be imposed on a party breaching the GDPR is €20 million or up to 4 per cent of the company’s worldwide annual turnover, whichever amount is higher. In view of this broad (and very high) ceiling, the Dutch DPA has taken a step forward to categorise violations of the GDPR into four tiers of fines. According to its fining policy, the category of fine is determined by the nature, seriousness and duration of the violation, as well as the number of individuals involved in or affected by the breached obligation.
Each of the four penalty categories sets a minimum amount for the fine, which can then be increased or decreased on a case-by-case basis:
- Category I: between €0 and €200,000
- Category II: between €120,000 and €500,000
- Category III: between €300,000 and €725,000
- Category IV: between €450,000 and €1 million