GDPR fining policy issued by the Dutch Data Protection Authority

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) was the first data protection authority in the EU to publish a fining policy setting out the principles it applies when determining administrative fines in individual cases.

The impact of the Dutch fining policy may reach well beyond the Netherlands, because the GDPR, in line with WP29's earlier guidelines on administrative fines (more about this can be read here and here), aims at a more uniform application of data protection rules across the EU, which should also mean an approximation of the amounts of fines imposed by the different supervisory authorities. ("The practice of applying administrative fines consistently across the European Union is an evolving art. Actions should be taken by supervisory authorities working together to improve consistency on an ongoing basis. This can be achieved through regular exchanges through case-handling workshops or other events which allow the comparison of cases from the sub-national, national and cross-border levels. The creation of a permanent sub-group attached to a relevant part of the EDPB is recommended to support this ongoing activity." See page 17 of the Guidelines.)

What does the Dutch Data Protection Authority's fining policy include?

The authority defines four fine categories, each with a bandwidth (minimum and maximum) and a basic fine amount, and assigns each type of infringement to one of them. The four categories are:

Category 1: bandwidth EUR 0 to EUR 200,000; basic fine amount EUR 100,000
Category 2: bandwidth EUR 120,000 to EUR 500,000; basic fine amount EUR 310,000
Category 3: bandwidth EUR 300,000 to EUR 750,000; basic fine amount EUR 525,000
Category 4: bandwidth EUR 450,000 to EUR 1,000,000; basic fine amount EUR 725,000


Infringements for which the GDPR allows administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, are as a rule assigned to categories 1, 2 and 3. Infringements for which the GDPR allows fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, are assigned to categories 1, 2, 3 and 4.

The classification of infringements is set out in Annexes 1 and 2 of the fining policy, broken down by GDPR Articles.

(The authority defines similar categories for fines it imposes under other legislation, for example the Dutch Telecommunications Act or the eIDAS Regulation.)

How will the authority impose a fine?

The authority starts from the basic fine amount of the relevant category and adjusts it upwards or downwards within that category's bandwidth, taking into account aggravating and mitigating factors.

In determining the amount of the fine, the factors listed in Article 83(2) of the GDPR (such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, and any previous infringements) are taken into account. (See WP29's guidelines for more information on these factors.)

If, in the light of the infringement committed in a given case, the bandwidth of the assigned category would not produce an appropriate fine, the authority may set the fine within the bandwidth of the next higher category or, respectively, the next lower category.

If, considering all the circumstances of the case, even the maximum fine under the fining policy would be inappropriate, the fine may be set at up to the statutory maximum under the GDPR (i.e. EUR 10 or 20 million or, for an undertaking, 2% or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher).

What other circumstances are taken into account by the Authority?

The authority may also take into account the financial capacity of the party concerned and, where justified, reduce the fine further.

In the case of multiple infringements in a single case, the maximum fine that can be imposed is determined by the maximum applicable to the most serious infringement, as Article 83(3) of the GDPR requires.

