Netherlands

Main takeaways


  • Fines can be imposed on authorities and public entities, and relevant enforcement activity (including the highest fine so far) is directed against authorities.
  • Maximum transparency – all fines are published on the DPA website (anonymisation in two cases).
  • Fines > Damages: So far, fines are more important than damages, possibly due to limited damage amounts awarded. Depending on the outcome of the first lawsuits related to high damage claims in civil class actions, the relevance of damages may increase.

Fining practice

Trend: to date, have the national data protection authorities in the Netherlands focused on certain types of non-compliance with data protection law, or have the authorities stated that they will investigate certain types of non-compliance more closely in future? Do you see a focus on certain industries/sectors? If so, which ones?

The Dutch Data Protection Authority ("Autoriteit Persoonsgegevens", "DPA") has identified three key enforcement areas for 2020-2023: data trading, digital government and artificial intelligence / algorithms. The disclosed fines from 2022 show that the DPA does pay extra attention to government institutions, as three of the four disclosed fines were imposed on such institutions. To date, however, the majority of investigations and fines do not seem to have been closely related to digital government or the other two key areas.

The majority of investigations and fines from the data protection authority in the Netherlands relate to deficiencies in information security (Art. 32 GDPR) and non-compliance with GDPR main principles (Art. 5 GDPR).

However, more focus on algorithms is likely in the future, as a new algorithm regulator was introduced in the Netherlands in January 2023. It is housed within the DPA but has its own tasks and responsibilities and focuses mainly on the use of algorithms in governments.

Overall, what was the most significant fine in the Netherlands to date (please specify the recipient, the amount, the type of violation, the sector, and provide a brief summary)? Has the fine been challenged in court? If it has: was this successful, or what is the status of the proceedings?

The most significant fine in the Netherlands to date was imposed on the Dutch Tax Administration ("Belastingdienst") on 12 April 2022 in the amount of EUR 3.7 million. This is the highest fine imposed by the DPA to date. The fine was imposed because the Tax Administration illegally processed personal data over a period of many years in its ‘fraud identification facility’ ("Fraude Signalering Voorziening", "FSV"). The FSV was a blacklist which the Tax Administration used to register indications of fraud, often with major repercussions for people who had been wrongly included on the list. The EUR 3.7 million fine comprises multiple fines for six violations in total:

  • The Tax Administration had no statutory basis for processing personal data in the FSV: EUR 1 million.
  • The purpose of the FSV was not specifically described in advance: EUR 750,000.
  • The FSV contained incorrect and obsolete information: EUR 750,000.
  • The respective data was retained for far too long: EUR 250,000.
  • The FSV was not adequately protected: EUR 500,000.
  • The Tax Administration waited for more than a year to ask its internal privacy supervisor for advice on assessing the risks of using the FSV: EUR 450,000.

In February 2020, the Tax Administration closed the FSV. The penalty was imposed on the Minister of Finance because he is responsible for the Tax Administration’s processing of personal data. The Minister of Finance did not lodge an objection to the fine imposed by the DPA.

Another notable case concerns the fine against VoetbalTV. A EUR 575,000 fine had been imposed against VoetbalTV in 2020 for recording and distributing video footage of amateur football matches via app and analysis tools. According to the DPA, there was no 'legitimate interest' underlying the processing of personal data. The DPA held that VoetbalTV had only a purely commercial interest and that this could not be a legitimate interest. However, the Court dismissed the administrative fine because the DPA had failed to assess whether it was necessary to process personal data for those purposes based on the purposes set by VoetbalTV. On appeal, the Council of State ruled that the Court had rightly annulled the fine. If the DPA had considered all the interests put forward by VoetbalTV in assessing a legitimate interest, the DPA should have concluded that VoetbalTV did not have an exclusively commercial interest in making footage of football matches. This is the first case in which a fine imposed by the DPA has been challenged and overturned by the Court.

Organisation of authorities, procedure and publicising of fine proceedings

How is the data protection authority organised in the Netherlands? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

The DPA is the supervisory authority for the GDPR and the Dutch GDPR Implementing Act ("Uitvoeringswet Algemene verordening gegevensbescherming"). The DPA is an autonomous administrative body with its own legal personality. The chairperson, the other members and the extraordinary members of the DPA are appointed by the central government further to a recommendation from the Minister of Justice and Security.

The annual budget of the DPA increased to approximately EUR 29,000,000 in 2022 and to approximately EUR 34,500,000 in 2023. The figures relating to the DPA's workforce in 2022 are not yet published, but this too is likely to have increased compared to the 169.2 FTEs employed in 2021.

How does a fine procedure work in the Netherlands? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

Fines can be imposed by the DPA itself.

DPA proceedings usually start with an investigation involving the gathering of information, including from the company in question. Sometimes the start of an investigation is published on the website of the DPA.

Following the investigation phase, the DPA sends a draft report to the company concerned. The company is able to provide its views on the factual and legal aspects of the case before the authority issues a notification on the penalty.

Lastly, the DPA will share the final report with the company, including a response to the company's views. The final report will also be published on the DPA website.

Companies may appeal against penalty notifications with the competent administrative court.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the State treasury, the authority's budget)?

Fines are transferred to the State treasury.

Is there a common, official calculation methodology of fines in the Netherlands (such as the fining models in the Netherlands or Germany)?

The data protection authority in the Netherlands has adopted official guidelines on fining (Dutch only); these contain a calculation methodology for fines in the Netherlands: https://wetten.overheid.nl/BWBR0041994/2019-03-15

Can public authorities be fined in the Netherlands? If they can: Where does this money go?

Public authorities can be fined. These fines are transferred to the State treasury.

In the Netherlands, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

So far, the data protection authority in the Netherlands has comprehensively published all fines on its website, including press releases. There are two cases to date where the name of the fined organisation was anonymised:

  1. On 30 April 2020, a fine was imposed on a company for processing employee fingerprints. The name of the company has been anonymised.
  2. On 10 June 2021, a fine was imposed on an orthodontic practice. The name of this practice has been anonymised.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?

Not applicable.

Other legal consequences of non-compliance

Does the Netherlands have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

The Dutch legal system has two different collective redress mechanisms:

  • representative collective actions; and
  • a collective settlement mechanism based on an opt-out system.

Representative collective actions allow a representative entity (a foundation or an association with full legal capacity) to initiate proceedings to protect similar interests held by a group of people. A representative entity is able to submit a claim for a declaratory judgment, injunctive relief or specific performance or, in the case of collective actions relating to events which took place on or after 15 November 2016, is also able to claim monetary damages. Representative collective actions are governed by Articles 3:305a to 3:305d of the Dutch Civil Code.

Class settlement proceedings allow the parties to a collective settlement agreement to jointly petition the Amsterdam Court of Appeal to declare the settlement to be binding for all class members. Class members are able to opt out. Class settlement proceedings are governed by the Act on the Collective Settlement of Mass Damage ("Wet Collectieve Afwikkeling Massaschade"), which has been implemented in Articles 7:907 to 7:910 of the Dutch Civil Code and Articles 1013 to 1018a of the Dutch Code of Civil Procedure.

What is more relevant in the Netherlands: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

To date, fines from the data protection authority in the Netherlands are more relevant than private litigation regarding data protection infringements.

The number of GDPR-based civil claims lodged by individuals has so far been limited and has mainly resulted in a handful of claims being awarded in the range of EUR 250-500, with one outlier being awarded EUR 2,500. As of 1 January 2020, however, it has become easier in the Netherlands to claim damages in civil class actions. Based on this legislation, the first multi-billion GDPR-based proceedings have been initiated. Depending on the outcome of the first series of these proceedings, we expect a vast number of new civil class actions to follow in the coming years.

One example of a civil class action that has been started is an action against TikTok on behalf of all minor TikTok users in the Netherlands. The claimants demand that TikTok pay damages in the amount of at least EUR 2 billion to these minors for unfairly collecting and trading their data. The case has yet to be heard by the Court.