Dutch Data Protection Authority Sets GDPR Fines Structure
On 14 March 2019, the Dutch data protection authority (Autoriteit Persoonsgegevens, DPA) announced (in Dutch) its fining structure for violations of the European General Data Protection Regulation (GDPR) and the Dutch law implementing the GDPR (Implementation Act).
The GDPR sets two levels of administrative fines that may apply depending on which GDPR provisions have been infringed: the higher of €10 million or 2% of global revenue, and the higher of €20 million or 4% of global revenue. At both levels, the GDPR sets maximums for administrative fines and calls on member state authorities to determine what fine is appropriate in individual cases.
The Dutch DPA has introduced four categories, as set out in the table below. While the Dutch DPA has set a default fine for violations in each category, it has also set a range for each category to be applied depending on the specifics of a violation.
The first category is reserved for simple violations such as not keeping sufficient records of the responsibilities of processors or joint controllers, and not publishing the contact details of the Data Protection Officer (DPO).
The second category is reserved for not fulfilling certain requirements for processing, such as not concluding data processing agreements with processors, not adequately securing personal data, not conducting impact assessments, or not guaranteeing the DPO’s independence.
Examples of the third category include violations of the transparency requirement, failure to notify data breaches, and not cooperating with the Dutch DPA.
The fourth category is reserved for the unlawful processing of special categories of data (including the national identification number), unlawful profiling, and not complying with specific orders from the Dutch DPA.
Interestingly, categories I and II do not correspond to violations that are punishable by the lower GDPR fine of €10 million, nor do categories III and IV solely correspond to violations that are punishable by the GDPR fine of €20 million.
The Dutch DPA will diverge from the default amount listed if there are either mitigating or aggravating circumstances, such as the nature, severity and duration of the violation, the number of affected individuals and the scope of the damages. Most importantly, if the resulting amount is deemed not to be fitting, the Dutch DPA can still impose the maximum fine of €20 million or 4% of global revenue.
Under the GDPR, individuals have:
- The right to access – this means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
- The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent for a company to use their personal data, then they have the right to have their data deleted.
- The right to data portability – individuals have the right to transfer their data from one service provider to another, and this must happen in a commonly used and machine-readable format.
- The right to be informed – this covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
- The right to have information corrected – this ensures that individuals can have their data updated if it is out of date, incomplete or incorrect.
- The right to restrict processing – individuals can request that their data is not used for processing. Their record can remain in place, but it may not be used.
- The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
- The right to be notified – if there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of the company first having become aware of the breach.
The GDPR is the EU’s way of giving individuals, prospects, customers, contractors and employees more power over their data, and of giving less power to the organizations that collect and use such data for monetary gain.
The business implications of GDPR
This new data protection regulation puts the consumer in the driver’s seat, and the task of complying with it falls upon businesses and organizations. Any organization that does not take on that task is failing to comply.