Netherlands

Main takeaways


  • Fines can be imposed on authorities and public entities, and relevant enforcement activity is directed against authorities.
  • Maximum transparency – all fines are published on the DPA website (anonymisation in two cases).
  • Fines > Damages: So far, fines are more important than damages, possibly due to limited damage amounts awarded. Depending on the outcome of the first lawsuits related to high damage claims in civil class actions, the relevance of damages may increase.

Fining practice

Trend: Have the national data protection authorities in the Netherlands focused on certain types of non-compliance with data protection law so far or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

The Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”, “DPA”) has identified four key enforcement areas for 2024: algorithms / artificial intelligence, Big Tech, freedom and security, data trading and digital government.

The DPA is the national coordinating authority for risk signalling, advice, and collaboration in the supervision on AI and algorithms. In this role, the DPA will focus on four areas in 2024: transparent algorithms, auditing, governance and preventing discriminatory algorithms. The DPA publishes an AI & Algorithmic Risks Report twice a year. This report gives periodic insight into the risks and effects of the use of algorithms in the Netherlands.

Furthermore, the DPA announced that it will focus on incorrect use of cookie banners or other tracking software in 2024.

The majority of investigations and fines from the DPA in the Netherlands relate to deficiencies in information security (Art. 32 GDPR) and non-compliance with GDPR main principles (Art. 5 GDPR).

In 2023, four fines were imposed by the DPA.

Overall, what was the most significant fine in the Netherlands to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

The most significant fine in the Netherlands to date was imposed on Uber Technologies Inc. and Uber B.V. (“Uber”) on 11 December 2023 in the amount of EUR 10 million. This is the highest fine imposed by the DPA to date. The fine was imposed because, in the view of the DPA, Uber committed a number of breaches of the GDPR in relation to transparency. The decision describes five violations:

  • The digital form through which a request for access can be made is not easily enough accessible in the Uber driver app (Art. 12(2) GDPR).
  • Uber does not provide a copy of the personal data in an easily accessible form, and the guidance notes to this are not in an understandable language for drivers (Art. 12(1) GDPR).
  • Uber does not provide sufficiently specific information about retention periods in the privacy notice (Art. 13(2)(a) GDPR and Art. 15(1)(a) and (d) GDPR).
  • Uber does not specifically mention in its privacy statement the countries to which data is transferred, nor the specific protection measures (Art. 13(1)(f) GDPR and Art. 15(2) GDPR).
  • Uber does not explicitly mention the right to data portability in its privacy notice (Art. 13(2)(b) GDPR).

The DPA started an investigation after the Commission Nationale de l’Informatique et des Libertés (“CNIL”) received more than 170 complaints from French Uber drivers. The CNIL forwarded the complaints to the DPA, as Uber’s European headquarters is located in the Netherlands.

Uber objected to the decision of the DPA.

Organisation of authorities and course of fine proceedings in the Netherlands

How is the data protection authority organised in the Netherlands? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

The DPA is the supervisory authority for the GDPR and the Dutch GDPR Implementing Act (“Uitvoeringswet Algemene verordening gegevensbescherming”). The DPA is an autonomous administrative body with its own legal personality. The chairman, the other members and the extraordinary members of the DPA are appointed by the central government further to a recommendation from the Minister of Justice and Security.

The annual budget of the DPA in 2024 increased to approximately EUR 40,121,000. The figures relating to the DPA's workforce in 2023 are not yet published.

How does a fine procedure work in the Netherlands? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

Fines can be imposed by the DPA itself.  

DPA proceedings usually start with an investigation involving the gathering of information, including from the company in question. Sometimes the start of an investigation is published on the website of the DPA.  

Following the investigation phase, the DPA sends a draft report to the company concerned. The company is able to provide its views on the factual and legal aspects of the case, before the authority issues a notification on the penalty.

Lastly, the DPA will share the final report with the company, including a response to the company's views. The final report will also be published on the DPA website.

Companies may appeal against penalty notifications with the competent administrative court.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

Fines are transferred to the state treasury.

Is there a common, official calculation methodology for fines in the Netherlands?

The DPA in the Netherlands has adopted official guidelines on fining (Dutch only); these contain a calculation methodology for fines in the Netherlands for breaches of the GDPR by government organisations and individuals not acting on behalf of a company: wetten.nl.

The Dutch guidelines on fining do not apply to companies. The fines for companies are calculated by means of the EDPB Guidelines on the calculation of administrative fines under the GDPR.

Can public authorities be fined in the Netherlands? If they can: Where does this money go?

Public authorities can be fined. The DPA fining guidelines apply. These fines are transferred to the state treasury.  

In the Netherlands, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

To date, the data protection authority in the Netherlands has comprehensively published all fines on its website, including press releases. There are two cases so far in which the name of the fined organisation was anonymised:


  1. On 30 April 2020, a fine was imposed on a company for processing employee fingerprints. The name of the company has been anonymised.
  2. On 10 June 2021, a fine was imposed on an orthodontic practice. The name of this practice has been anonymised.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?

Not applicable 

Other legal consequences of non-compliance in the Netherlands

Does the Netherlands have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

The Dutch legal system has two different collective redress mechanisms:

  • representative collective actions; and
  • a collective settlement mechanism based on an opt-out system.

Representative collective actions allow a representative entity (a foundation or an association with full legal capacity) to initiate proceedings to protect similar interests held by a group of people. A representative entity is able to submit a claim for a declaratory judgment, injunctive relief or specific performance or, in the case of collective actions relating to events which took place on or after 15 November 2016, is also able to claim monetary damages. Representative collective actions are governed by Articles 3:305a to 3:305d of the Dutch Civil Code.

Class settlement proceedings allow the parties to a collective settlement agreement to jointly petition the Amsterdam Court of Appeal to declare the settlement to be binding for all class members. Class members are able to opt out. Class settlement proceedings are governed by the Act on the Collective Settlement of Mass Damage (“Wet Collectieve Afwikkeling Massaschade”) which has been implemented in Articles 7:907 to 7:910 of the Dutch Civil Code and Articles 1013 to 1018a of the Dutch Code of Civil Procedure.

What is more relevant in the Netherlands: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

To date, fines from the DPA are more relevant than private litigation regarding data protection infringements.

The number of GDPR-based civil claims lodged by individuals has so far been limited and has mainly resulted in a handful of claims being awarded in the range of EUR 250-500, with one outlier being awarded EUR 2,500. As of 1 January 2020, however, it has become easier in the Netherlands to claim damages in civil class actions. Based on this legislation, the first multi-billion GDPR-based proceedings have been initiated. Depending on the outcome of the first series of these proceedings, we expect a vast number of new civil class actions to follow in the coming years.

An example of a civil class action that has been started concerns an action against TikTok on behalf of all minor TikTok users in the Netherlands. They demand that TikTok pays damages in the amount of at least EUR 2 billion to these minors for unfairly collecting and trading their data.

To date, the Amsterdam Court has already answered the following questions:

  • Is the Amsterdam Court competent in this case?
  • Are the claim foundations admissible?
  • Which of the three claim foundations may conduct the proceedings against TikTok?

In the next phase of this civil class action, the claim foundations and TikTok will be given the opportunity to negotiate a settlement, the interested parties will have the opportunity to opt in or opt out with regard to the class action, and the claim foundations will have the opportunity to supplement the grounds of the class action.