Fines and other sanctions from the AP

The Autoriteit Persoonsgegevens (AP) (Dutch Data Protection Authority) has the power to impose sanctions if an organisation infringes the data protection laws. The most important sanctions are the fine, the periodic penalty payment, the processing ban, the reprimand and the warning. On this page, you can read more about the fines and other sanctions that the Dutch DPA can impose.

Fine

The Dutch DPA can impose an administrative fine on organisations that violate the GDPR. The Dutch DPA has had the power to impose fines since 25 May 2018, the date on which the GDPR entered into force.

A decision to fine an organisation may consist of multiple fines for different (partial) violations. Some of the fines imposed by the Dutch DPA have not yet been made public. Only when a fine has been made public can the Dutch DPA publish the fine on this website.

Amount of the fines

A fine amounts to a maximum of 20 million euros or 4% of the global annual turnover.

• Fines for companies: how the Dutch DPA determines the amount of fines for companies is laid down in the EDPB's Fining guidelines.
• Fines for the government: fines for government organisations and natural persons when they do not act as undertakings are determined by the Dutch DPA based on the Fining policy rules of the Dutch Data Protection Authority 2023 (in Dutch).

Hospitals and private schools are not regarded as governmental organisations. The fining guidelines therefore apply to them.

Collecting fines

The Central Judicial Collection Agency (CJIB) collects fines for the Dutch DPA. The Dutch DPA does not keep the money from the fines itself, but ensures that it ends up in the treasury. The money therefore goes to the general resources of the government.

International fines

For the fines imposed by the other data protection authorities in the European Union, see National news on the EDPB website.

Periodic penalty payment

The Dutch DPA may impose a periodic penalty payment on organisations that violate the GDPR. The organisation must pay the penalty if the violation has not stopped after a certain period. The periodic penalty payment also existed before the GDPR, under the Personal Data Protection Act.

Processing ban

The Dutch DPA may impose a processing ban. The Dutch DPA determines that an organisation may not process certain (categories of) personal data.

Reprimand

The Dutch DPA may issue a reprimand to an organisation if that organisation violates the GDPR. With the reprimand, the Dutch DPA establishes the violation and indicates that it disapproves of it.

The Dutch DPA will impose a reprimand if this is more appropriate than an administrative fine. For example, in the case of a minor violation. The Dutch DPA assesses whether this is the case by looking at relevant circumstances, such as the nature, gravity and duration of the violation, whether the violation was incidental, whether the rights of the persons involved could still be guaranteed and whether there was intent.

In the event of a more serious violation, the Dutch DPA will opt for a more appropriate measure, such as an administrative fine. Recital 148 of the GDPR provides insight into the factors that play a role in the choice of a reprimand.

Register of reprimands

The register of reprimands (in Dutch) contains the reprimands that the Dutch DPA has imposed to date. The Dutch DPA does not make reprimands public. That is why the names of the organisations involved are not included.

Warning

The Dutch DPA may issue a formal warning about a proposed processing. This is a processing that an organisation plans to do.

Published fines and sanctions

Most of the fines and sanctions imposed and published are listed in this overview (in Dutch) and in the register of reprimands (in Dutch).

Some fines and penalties are published in a different way. These are:

• Fine for VoetbalTV for recording and distributing video footage of amateur football matches via app and analysis tools, 575,000 euros (16 July 2020). This fine was annulled by the Central Netherlands Court (ECLI:NL:RBMNE:2020:5111) and that ruling was confirmed on appeal by the Council of State (ECLI:NL:RVS:2022:2173).
• International fines. For the fines imposed by the other data protection authorities in the European Union, see National news on the website of the European Data Protection Board (EDPB).
• Periodic penalty payment for health insurer CZ due to the processing of more medical data than necessary for the assessment of authorisation applications. Amount not disclosed - violation stopped in time (14 February 2020).
• Formal warning to supermarket about facial recognition (15 December 2020).