The Dutch Data Protection Authority (DPA) released its GDPR fining policy on 14 March 2019, becoming the first EU Member State supervisory authority to set out a structure for calculating administrative fines for failing to comply with the GDPR.

Four categories of fines plus an aggravating category

The legal maximum monetary fine that can be imposed on a party breaching the GDPR is €20 million or up to 4 per cent of the company’s worldwide annual turnover, whichever amount is higher. In view of this broad (and very high) ceiling, the Dutch DPA has taken a step forward to categorise violations of the GDPR into four tiers of fines. According to their fining policy, the category of fine is determined by the nature, seriousness and duration of the violation, as well as the number of individuals involved in or affected by the breached obligation.

Each of the four penalty categories sets a minimum amount for the fine, which can then be increased or decreased on a case-by-case basis:

  • Category I: between €0 and €200,000
  • Category II: between €120,000 and €500,000
  • Category III: between €300,000 and €725,000
  • Category IV: between €450,000 and €1 million.


Continue Reading Is the Dutch GDPR fining matrix setting the tone for the ICO’s future fining policy?

The Dutch data protection authority, the College Bescherming Persoonsgegevens (CBP), has released a report following a seven-month investigation examining Google’s changes to its privacy policy. CBP’s report condemns Google for violating Dutch data protection law, the Wet bescherming persoonsgegevens (Wbp).

Controversially in March 2012, Google made changes to its privacy policy (GPP2012) to allow the

The Dutch Data Protection Authority (CBP) has published new guidelines on data protection and implementation of data security principles, which replace the previous guidance from 2001. The guidelines seek to provide practical advice on how data controllers and processors can ensure compliance with the Dutch Data Protection Act (Wet bescherming persoonsgegevens).

The new guidelines include