GDPR Enforcement in the Netherlands

Deep dive into relevant data protection enforcement cases and insights from the Netherlands

21 May 2026 North Macedonia 10 min read

Main takeaways

Fines can be imposed on authorities and public entities, and relevant enforcement activity is directed against authorities.
Depending on the relevance for the public interest, and at the sole discretion of the DPA, certain fines are published on the DPA website.
Fines > Damages: So far, fines are more important than damages, possibly due to limited damage amounts awarded. Depending on the outcome of the first lawsuits related to high damage claims in civil class actions, the relevance of damages may increase.

Fining practice

Trend: Have the national data protection authorities in the Netherlands focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?

Pursuant to the 2025 annual report (Dutch only), the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “DPA”) has organised its supervisory activities around five overarching focus areas: (1) Algorithms and AI; (2) Freedom and Security; (3) Big Tech; (4) Data Trading; and (5) Digital Government. Within these focus areas, the DPA has particularly concentrated on large-scale systems and systems with significant societal impact, whether operated by private or public organisations. This problem-driven approach means that issues without broader, serious consequences may not always receive priority treatment.

As regards specific industries and sectors, the DPA has demonstrated particular attention to government and public-sector organisations. The DPA has started random inspections of municipalities to assess their handling of personal data, focusing on processing registers, data protection impact assessments (DPIAs) and the independence of data protection officers. The healthcare sector has also attracted considerable attention, particularly following the major data breach at Clinical Diagnostics laboratory in August 2025, which affected over 941,000 participants in the national health screening programme. The DPA received approximately 600 complaints, tips and calls regarding this breach and initiated an intensive supervisory process. Additionally, the youth care sector (jeugdzorg) has been subject to specific investigation regarding the handling and notification of data breaches.

In the financial services and data-trading sector, the DPA imposed a EUR 2.7 million fine on Experian Nederland B.V. for GDPR violations relating to credit-scoring practices. The DPA has also continued its cookie enforcement campaign, warning over 200 websites about misleading cookie banners, with approximately three quarters subsequently adjusting their practices.

Regarding Big Tech, the DPA has actively collaborated with European counterparts on cross-border enforcement. Notable actions include intensive cooperation with the Irish Data Protection Commission on the EUR 530-million fine against TikTok for inadequate protection of European user data transferred to China and investigations into AI training practices by Meta and LinkedIn using public user data. The DPA has also issued warnings regarding the use of AI chatbots, including concerns about DeepSeek and the risks of AI chatbot applications focused on friendship and mental health.

Looking ahead, the DPA’s Strategic Focus 2026–2028 identifies three enforcement themes: mass surveillance, artificial intelligence and digital resilience, indicating continued prioritisation of these areas. In 2026, the DPA will take concrete action within each of these themes alongside its regular tasks. Within these priorities, the DPA will specifically concentrate on large-scale systems and systems with significant societal impact, whether operated by private or public organisations.

The DPA has been the national coordinating authority for risk signalling, advice and collaboration in the supervision of AI and algorithms since 2023. Building on this role, the DPA will further expand its focus in 2026. It will publish its vision on generative AI and the GDPR requirements applicable to the training of AI models, with the aim of clarifying the regulatory framework for organisations developing or deploying such systems. In addition, the DPA will issue further guidance on the right to explanation, providing organisations with practical tools to comply with this legal obligation when using or preparing to use automated decision-making. The DPA also publishes an AI & Algorithmic Risks Report twice a year. This report gives periodic insight into the risks and effects of the use of algorithms in the Netherlands.

Overall, what was the most significant fine in the Netherlands to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

The most significant fine in the Netherlands to date was imposed on Uber Technologies Inc. and Uber B.V. (“Uber”) on 22 July 2024 for EUR 290 million. The fine was imposed because Uber transferred personal data of European taxi drivers to the United States (US) and failed to appropriately safeguard the data with regard to these transfers.

Uber collected sensitive information of drivers from Europe and retained it on servers in the US. This included taxi licences, location data, photos, payment details, identity documents and criminal and medical data of drivers. Uber did this for a period of over two years, transferring those data to Uber's headquarters in the US without using transfer tools. Because of this, the protection of personal data was not sufficient and in violation of Articles 44 and 46 GDPR.

The Court of Justice of the EU invalidated the Privacy Shield in 2020. According to the Court, standard contractual clauses could still provide a valid basis for transferring data to countries outside the EU, but only if an equivalent level of protection can be guaranteed. Because Uber no longer used standard contractual clauses, the data of drivers from the EU were insufficiently protected.

The DPA started an investigation after more than 170 French drivers complained to the French human-rights interest group the Ligue des droits de l'Homme (LDH). The LDH forwarded the complaints to the DPA, as Uber’s European headquarters is located in the Netherlands.

Uber has indicated its intent to contest the fine. There is no publicly available information on the current status of this case.

Organisation of authorities and course of fine proceedings in the Netherlands

How is the data protection authority organised in the Netherlands? Budget, staff, assignment to a ministry?

The DPA is the supervisory authority for the GDPR and the Dutch GDPR Implementing Act (“Uitvoeringswet Algemene verordening gegevensbescherming”). The DPA is an autonomous administrative body with its own legal personality. The chairman, the other members and the extraordinary members of the DPA are appointed by the central government further to a recommendation from the Minister of Justice and Security.

The annual budget of the DPA increased further in 2026 to approximately EUR 53,500,000. In 2025, the staffing level grew to 349 FTE.

How does a fine procedure work in the Netherlands? Can the authority impose fines itself? Procedural steps? Legal remedies?

Fines can be imposed by the DPA itself.

DPA proceedings usually start with an investigation involving the gathering of information, including from the company in question. Sometimes the start of an investigation is published on the website of the DPA.

Following the investigation phase, the DPA sends a draft report to the company concerned. The company is able to provide its views on the factual and legal aspects of the case before the authority issues a notification on the penalty.

Lastly, the DPA shares the final report with the company, including a response to the company's views. The final report is also published on the DPA website. However, companies may take legal action to prevent publication of the report.

Companies may appeal against penalty notifications with the competent administrative court.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

Fines are transferred to the state treasury.

Is there an official calculation methodology for fines in the Netherlands?

The DPA in the Netherlands has adopted official guidelines on fining (Dutch only); these contain a calculation methodology for fines in the Netherlands for breaches of the GDPR by government organisations and natural persons not acting on behalf of a company: Boetebeleidsregels Autoriteit Persoonsgegevens 2023.

The Dutch guidelines on fining do not apply to companies. The fines for companies are calculated in accordance with the EDPB Guidelines on the calculation of administrative fines under the GDPR.

Can public authorities be fined in the Netherlands? If yes: Where does this money go?

Public authorities can be fined. The DPA fining guidelines apply, classifying the fines in different categories and ranges. These fines are transferred to the state treasury.

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

The DPA maintains a website on which individual fines and sanctions are published which the DPA considers of public interest: Boetes en andere sancties | Autoriteit Persoonsgegevens. Fines are not published in all cases, as companies may take legal action to prevent publication.

Furthermore, in some cases investigations and fines are also mentioned in its annual report.

There are two cases to date where the name of the fined organisation was anonymised.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

Not applicable

Other legal consequences of non-compliance in the Netherlands

Does the Netherlands have model declaratory proceedings/class actions in data protection law?

The Dutch legal system has two different collective redress mechanisms:

  • representative collective actions (Dutch Class Action Mass Claims Settlement Act (In Dutch: Wet afwikkeling massaschade in collectieve actie "Wamca")); and
  • a collective settlement mechanism based on an opt-out system.

Under the Wamca, representative collective actions allow a representative entity (a foundation or an association with full legal capacity) to initiate proceedings to protect similar interests held by a group of people. A representative entity is able to submit a claim for a declaratory judgment, injunctive relief or specific performance or to claim monetary damages. Representative collective actions are governed by Articles 3:305a to 3:305d Dutch Civil Code.

Class settlement proceedings allow the parties to a collective settlement agreement to jointly petition the Amsterdam Court of Appeal to declare the settlement to be binding on all class members. Class members may opt out. The rules on class settlement proceedings are implemented in Articles 7:907 to 7:910 Dutch Civil Code and Articles 1013 to 1018a Dutch Code of Civil Procedure.

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

To date, fines from the DPA are more relevant than private litigation regarding data protection infringements.

The number of GDPR-based civil claims lodged by individuals has so far been limited and has mainly resulted in a handful of claims being awarded in the range of EUR 250–500, with one outlier of EUR 2,500 being awarded.

At the moment, the first multi-billion GDPR-based proceedings have been initiated.

An example of a civil class action is the collective action brought by three claims organisations against TikTok on behalf of Dutch users, including minors, seeking billions of euros in damages for the unlawful collection and use of their personal data. The court has ruled that class actions can only be successfully brought if the violation of the GDPR leads to material damage or if the non-material damage can be bundled.

In an interim judgment of 7 October 2025, the Amsterdam Court of Appeal ruled, among other things, that claims for non-material damage may be bundled in a collective action, as they arise from the same underlying conduct and legal framework, even if the extent of the impact differs among individual users. The Court of Appeal further held that it would await answers to preliminary questions referred to the CJEU by the Rotterdam District Court in a similar collective action against Amazon, concerning whether the Dutch courts have jurisdiction to hear the claims based on the GDPR. The assessment of the non-GDPR-based claims may, however, proceed.
