Dutch Data Protection Authority: Randomly selected companies will be subject to GDPR-compliance investigations

This month, the Data Protection Authority (DPA) of the Netherlands has launched an investigation according to Art. 57 (1) a GDPR which obliges the supervisory authorities to “monitor and enforce compliance” with the EU General Data Protection Regulation (GDPR). The Dutch DPA thereby verifies compliance with Art. 30 GDPR (records of processing activities) in 30 randomly selected large companies of the private sector (i.e. which have more than 250 employees) rooted in 10 different branches: industry, water supply, construction, retail, hospitality, travel, communications, finance, business services, and health care across the Netherlands. Its investigative powers in terms of this investigation derive from Art. 58 (1) a GDPR which enables the DPAs “to order the controller and the processor, and, where applicable the controller’s or the processor’s representative, to provide any information the supervisory authority requires for the performance of its tasks”.

For those investigations it is not necessary that a complaint has been lodged or any other indication of non-compliance occurs. In particular, the Dutch DPA regularly carries out such “ex officio” investigations focusing on certain enforcement priorities depending on the sector or the topic. With their investigation strategy they aim to focus on the compliance with certain requirements of the GDPR that may typically create adequate safeguards in organizations to issue and maintain compliance with the general Principles of the GDPR (Art. 5 et seqq GDPR).

Therefore, the authorities decided for the private sector that the records of processing activities (Art. 30 GDPR) are the key drivers for GDPR compliance, since these records eventually enable an organization knowing about what personal data they process and for which purposes. Since the results of the investigation will most probably be published anonymously (e.g. numbers and other details of the violation in specific sectors), they might hope to create a ripple effect on other organizations of the respective sectors.

A prediction of the crucial penalties that may be the result of this “ex officio” investigations of the Dutch DPA is basically not possible, as the organizations involved and the state of their GDPR compliance are unknown. But it might be interesting that the Dutch DPA is also allowed to issue a so-called “enforcement notice under penalty” according to the Dutch GDPR Execution Act if an organization has been established non-compliant. This enforcement notice can contain an order for the respective organization to comply and demonstrate compliance within a fixed time frame. For each day or week that they fail to comply with such an order, a fixed penalty may apply.

Such an enforcement order may be issued in the event of a violation of Art. 30 GDPR that is not likely to result in a risk for the data subjects. Where the investigation shows that non-compliance may result in a risk for the freedoms and rights of the data subjects or is potentially deemed unfair, the penalty could also result in the maximum category of possible fines.