Guidelines For Fines Under The GDPR

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) published a press release on 14 March 2019, updating its policy on calculating administrative fines. These guidelines are intended for the organisations to become aware of the updated structure of penalties.


The GDPR empowers each member state of the EU to impose administrative fines, the amount of which depends on every single case. Being a member state, The Dutch Data Protection Authority (AP) has the power to issue administrative fines for the violations of GPDR provisions.
Article 83 of the GDPR sets out the details for imposing fines on non-compliant organisations. The maximum limit is 20 million euros or 4% of annual global turnover. This big sum of money can pretty much wipe out the entire profits of a company hence eliminating the chances of regulatory arbitrage.
The Dutch Data Protection Authority (AP), preparing to enforce the new rules, updated its penalties structure and published a press release on 14 March 2019. The newly updated policy provides insights on how the (AP) will use its administrative power.


Although the penalties described in GDPR are two-tiered, the AP divided the infringements into four categories. Each category has an upper and a lower limit, and a basic fine. The basic fine in each category will be 50% of the sum of the upper and lower limit. It is an average of the minimum and maximum fine in that category.

The AP will take into account the following factors while deciding the amount of fine:

  • The nature of the breach, how much risk is likely to be caused by the data breach?
  • How many people are will affect as a result of the personal data breach?
  • The amount of data compromised
  • The types of data involved (e.g., sensitive vs non-sensitive data, children’s data vs adults’ data, or financial or non-financial information)
  • How long has it been the breach? Generally, the more time spent, the more harm is likely to occur
  • Whether it was a result of lack of security, organisational negligence, or a cyber-attack, and whether there is involvement or not.
  • No matter it was a result of negligence or someone deliberately breach into the data records
  • Whether or not the data controller has taken any action to minimise the damage to the victims. If the data controller stays careless despite knowing that a data breach occurred already, they are more likely to penalise.
  • Whether there has been a previous data breach or not. A history of data breaches perks up the ears of regulatory authorities, implying negligence on the part of the data controller or some deliberate action involved, e.g. moral hazard or some mole in the organisation.
  • Whether or not the data controller or processor gained any benefit from the breach
  • Whether the organisation had adhered to any approved code of conduct (Article 40) or certification mechanism (Article 42)

The maximum amount for the most severe violation of the GDPR is €1,000,000. However, this is not the final word. If this maximum amount of fine is inadequate in a particular scenario, the penalties can go even higher. If the infringements are repeating, the policy states that the Dutch DPA will increase the fines by 50%. However, the resulting amount will not exceed the threshold of €20,000,000.