Tag: Autoriteit Persoonsgegevens

Dutch data protection authority imposes fine of €525,000

10. June 2021

Company fails to appoint an EU representative. Dutch data protection authority imposes fine of €525,000.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a fine of €525,000 on Locatefamily.com on May 12, 2021. The company failed to comply with its obligation under Article 27 of the EU General Data Protection Regulation, which required the company to appoint a representative in the EU.

The online platform caught the attention of the authorities because it published the contact details (including telephone numbers and addresses) of individuals. In this regard, the Dutch data protection authority stated that data subjects had often not registered for the online platform. In particular, the data subjects did not know how the company had obtained their data.

After numerous complaints from individuals, the data protection authority determined that the online platform had not complied with requests to delete data. It further came to light that the company had no branches in the EU and had not appointed a representative accordingly. This made it almost impossible for data subjects to assert their rights against the company.

Article 27(2)(a) of the GDPR provides that companies not established in the EU that offer goods or services to persons in the EU or monitor the conduct of persons in the EU must designate a representative in the EU. Although exceptions to this are possible, they are narrowly defined.

An exemption may be considered if the processing of personal data is occasional and does not involve the extensive processing of sensitive personal data or the processing of personal data in connection with criminal convictions and offenses. The processing must also not, taking into account the nature, context, scope and purposes of the processing, result in a risk to the rights and freedoms of natural persons.

As no exceptional case existed in the assessment of the Dutch data protection authority, the company imposed a fine in the amount of €525,000 on Locatefamily.com. To avoid further penalties, the company was to appoint an EU representative by a certain deadline.

Dutch DPA published update on policy on administrative fines

9. April 2019

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), announced an update on its policy regarding administrative fines.

In addition to the Dutch GDPR implementation law the published policy provides insides on how the Dutch DPA will use its fining powers. According to the policy the DPA differentiats three or four categories of infringements. Each infringement is fined with a basic fine and a specific penalty bandwidth.

The DPA calculates the fine in two steps. First the basic fine is applied, second the basic fine is increased or decreased according to the classification to the different categories. Various aspects are included in the calculation of the fine, such as:

  • the nature, the seriousness and duration of the violation,
  • the number of data subjects affected,
  • the extent of the damage and of the data compromised,
  • the intentional or negligent nature of the violation,
  • the measures adopted to mitigate the damages,
  • the measures that were implemented to ensure compliance with the GDPR, including information security measures,
  • prior violations,
  • the level of cooperation with the DPA,
  • the types of data involved,
  • how the DPA became aware of the violation, including whether (and if so, to what extent) the data controller or processor reported the violation,
  • adherence to approved codes of conduct an certification mechanisms,
  • any other applicable aggravating or mitigating factors.

The maximum amount in general is €1.000.000,00, but the fine can be higher in case the Dutch DPA decides that the calculated maximum amount is inappropriate in the particular case.