Framework for GDPR Fines Published by the Dutch Authorities


The Dutch Data Protection Authority (AP) has announced a new policy for determining the fines to be imposed for violations of the General Data Protection Regulation (GDPR) and its national implementing act.

The AP’s assessment will first take into account the maximum amounts specified by the European Regulation: either 10 million euros or 2% of the annual worldwide turnover, or 20 million euros or 4% of the annual worldwide turnover, depending on the violation incurred. Violations that are subject to fines are divided into three or four categories designed by the data protection authority to take into account the weight of the breached requirements, with each assigned a minimum-maximum fine range.

According to the policy regarding cases of violations subject to a maximum fine of 10 million euros or 2% of the annual worldwide turnover, the failure to appropriately record processing activities in accordance with GDPR’s Article 30 would fall in categories I or II and be subject to fines of € 0 - € 200,000 or € 120,000 - € 500,000 respectively. Failure to cooperate with the Supervisory Authority or to notify it of an incident falls within category III and results in fines of € 300,000 - € 750,000. When violations give rise to the maximum fine of 20 million euros or 4% of the annual turnover, failure to comply with the rights of access, rectification or erasure fall within category III, while non-compliance with an order from the supervisory authority falls within category IV and can result in fines of € 450,000 - € 1,000,000.

Within the ranges, the AP will adjust the level of fines based on many relevant factors, including:
• the nature, seriousness and duration of the infringement;
• the number of affected data subjects and the extent of the damage
• the nature and extent of the data compromised;
• whether the infringement was intentional or the result of negligence;
• the measures taken by the controller or processor to limit the damage suffered by affected individuals;
• the extent to which the controller or processor is responsible in view of the technical and organizational measures that it has implemented;
• previous relevant breaches by the controller or processor;
• the extent to which the offending party has cooperated with the supervisory authority;
• the categories of personal data involved;
• the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the controller or processor has reported the infringement.

The policy reaffirms the importance given by the GDPR to the Principle of Accountability. It states clearly that fines may be reduced if an offender is able to prove that it has taken appropriate steps to comply with the regulation, to limit the damage to Data Subjects, and to cooperate with the Data Protection Authority.

Both the original policy in Dutch and Achieved Compliance’s English translation are available to read here.

READ MORE BLOGS

Before any tool can be useful, GDPR demands a combination of review, risk analysis and thoughtful decision-making on the part of your company. The PRIVACY BLOG by Achieved Compliance can help you stay on top of compliance and regulators’ expectations in the complex world of data compliance.
 
Achieved Compliance brings together experience and innovation, breaking new ground in data privacy compliance. With combined 60 years of experience in data protection in client counseling, government, and Fortune 100 companies, Achieved Compliance provides companies with a software-guided, team-oriented solution that helps them easily and cost-effectively comply with complex privacy requirements around the globe.

+1-571-366-1784
info@achievedcompliance.com
Manage your preferences | Opt out using TrueRemove
Got this as a forward? Sign up to receive our future emails.
View this email online.
1800 Diagonal Road Suite 600
Alexandria, VA | 22314 US
This email was sent to .
To continue receiving our emails, add us to your address book.
Subscribe to our email list.