The Data Protection Authority has the power to investigate complaints and cases (on its own initiative as well as on the basis of a complaint) and to order the suspension of processing and/or transfers of data, the destruction of data and other similar measures. Such administrative orders may be issued subject to a financial penalty for each day that the controller fails to comply, and they can be appealed to the courts. Failure to notify the Dutch Data Protection Authority of processing on time or correctly can be punished with a fine of up to €4,500.
Individuals can file complaints with the Data Protection Authority and can seek a judicial remedy for violations of the law. The data controller is liable for damages (including non-material damages) incurred by anyone as a result of any violation of the Data Protection Act committed by the controller or by the processor of the data.
Infringement of the notification obligations, or transfers of data to countries for which the Dutch Minister has explicitly determined that transfers are prohibited, can qualify as a criminal offence. The fine may not exceed €8,100 where the violation is committed negligently, and €20,250 or up to six months' imprisonment where the infringement is intentional. Where the data controller is a legal entity, these amounts may be increased to €20,250 and €81,000 respectively.
Under special circumstances, a director of the company may also be held personally liable. There is also the risk of negative publicity for the violator.
Selected Enforcement Actions / General Comment
Pending law reform: An important legislative bill was adopted recently and will enter into force on 1 January 2016. The bill introduces a statutory notification requirement for personal data breaches and expands the power of the Dutch Data Protection Authority (the "Authority") to impose considerably higher penalties. The purpose of the latter amendment is to give the Authority broader jurisdiction and more comprehensive measures to enforce compliance with the Dutch Personal Data Protection Act (the "Act"). The Authority will be allowed to impose penalties for non-compliance with the key legal requirements of the Act, such as the obligation to inform data subjects about the data controller's processing activities. Penalties can run as high as €810,000 or 10 (ten) percent of the company's annual turnover. In the case of a non-intentional violation of the Act, the Authority will be authorized to impose a penalty only after it has issued the data controller a binding instruction and given it the opportunity, within a set time limit, to correct the violation. The instruction requirement will not apply to intentional non-compliance; in that event the Authority can impose a penalty immediately. Some examples of recent enforcement action in the Netherlands include:
- In January 2015, several telecom providers announced that they had implemented new measures following identified violations of the Dutch Data Protection Act (the providers had retained personal data for too long, after the purpose for which it was processed no longer applied). As a result, the Dutch Data Protection Authority decided not to take further enforcement action.
- In December 2014, the Dutch Data Protection Authority announced its intention to review the privacy terms of a social media company.
- In September 2014, the Dutch Data Protection Authority identified a company's violation of the Dutch Data Protection Act in connection with its computer/tablet rental services to elementary schools. The tablets had built-in apps that processed the study results of the schools' students, which the company then used for all kinds of comparison purposes (in violation of the Act). According to the Authority, the company should have provided more and better information to the schools. The company has promised to mend its ways. The Authority will continue to monitor the company's conduct and will take further enforcement action if new violations are identified.
- In July 2014, the Dutch Data Protection Authority and the Authority for Consumers & Markets concluded that the Netherlands Public Broadcasting had violated the Dutch Data Protection Act by placing tracking cookies on the computers of website users without their consent. The Netherlands Public Broadcasting promised to change its cookie policies accordingly, which it did, though only after a considerable delay. The Authority for Consumers & Markets imposed a €25,000 penalty.
- In May 2014, the Dutch Data Protection Authority concluded that a company had violated the Dutch Data Protection Act by placing tracking cookies on the computers of website users without their consent.
- In January 2013, the Dutch Data Protection Authority and the Office of the Privacy Commissioner of Canada (OPC) initiated a collaborative investigation into the processing of personal data by WhatsApp Inc. WhatsApp users cannot use the app without granting it access to their entire address book (which contains the phone numbers of both users and non-users), which is in breach of Dutch and Canadian privacy law. The coordinated investigation was a global first, as two national data protection authorities conducted their work together. In February 2014, the Dutch Data Protection Authority announced that it may impose a remedial order, subject to incremental penalty payments, if WhatsApp does not take remedial action itself. WhatsApp has taken remedial measures, but only partially. The issue has still not been fully resolved.
- In July 2012, it was concluded that a sickness absence management company had processed sensitive personal data (health data) in breach of the principle of proportionality and without a sufficient legal basis. The company was ordered to destroy all the personal data and to inform the data subjects of their legal rights, subject to a penalty.
- GVB, a public transportation company that had stored the travel data of students (on a chip card) for an unreasonably long period, was ordered to implement specific retention periods for the processing of the personal data and to destroy or anonymize the data on the last day of each retention period, subject to an incremental penalty of €5,000 per administrative measure for each week (or part thereof) that it did not fully implement the measures imposed by the Dutch Data Protection Authority, up to a maximum of €250,000 per measure.
- In January 2011, the Dutch Data Protection Authority concluded that the municipality of Charlois had illegitimately processed data on individuals' race for the purpose of maintaining public order. The Authority ordered it to cease processing the racial data within three days and to delete the data from the database within three months, subject to an incremental penalty of €2,000 per measure for each day that the municipality of Charlois did not comply with the order, up to a maximum of €250,000 per measure.
- Transfer of personal data to the US/Australia: the Data Protection Authority held that there was not an adequate level of protection for the transfer of personal data from a blacklist to police authorities in third countries. The transfer was not allowed.
- An internet search engine company was fined €15 million for violating Dutch data protection laws.