3 years of GDPR: an overview of the fines imposed by the Authority for the Protection of Personal Data to date

3 years of the GDPR: an overview of the fines imposed by the Dutch Data Protection Authority to date Including relevant case law on the commercial interest and processing of personal data outside the EEA

Three years after the GDPR entered into force (as of 28-05-2018), we thought it would be nice to look back. The Dutch Data Protection Authority ("Autoriteit Persoonsgegevens ("AP")") has been on a roll imposing fines for breaches of the GDPR. Recently, various parties, such as the OLVG, Booking.com, the municipality of Enschede, PVV Overijssel, LocateFamily.com and CP&A have been fined and the fines are rising. In addition, we are seeing more and more legal proceedings regarding the GDPR.

The fines have been imposed for various reasons. Therefore we felt it was time for an overview. And more important, an overview of the preliminary conclusions that we can draw from the fines to date. In addition to providing an overview of the fines imposed to date, we will also focus on two recent developments in the field of marketing and privacy and the processing of personal data by entities outside the EU (or more precisely: the EEA).

Overview of fines to date

2018

• In 2016, a data breach took place at the Uber group. This allowed unauthorised persons to access personal data of customers and drivers. A fine of € 600,000 was imposed because Uber failed to report the data breach within 72 hours (AP imposes fine on Uber for late reporting of data breach | Authority for the Protection of Personal Data).

2019

• An investigation by the AP revealed that 85 employees of the Haga Ziekenhuis (a hospital) had seen the medical data of a Dutch celebrity without there being a care or treatment relationship. The security was deemed inadequate and a fine of 460,000 euros and an order under penalty was imposed to ensure that the Haga Ziekenhuis would soon improve the security. Two-factor authentication and checking of log files (inspection) were considered necessary (Haga fined for insufficient internal security of patient records | Netherlands Authority for the Protection of Personal Data).

• Note: The District Court of The Hague recently reduced the fine imposed by the AP from 460,000 to 350,000 euros. In short, it was considered important that the Haga Hospital had taken the necessary measures for improvement (http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBDHA:2021:3090).

2020

• Tennis association KNLTB was fined for selling personal data of members to two sponsors, without permission from the data subjects, and the AP found that there was no legitimate interest for the processing by the association. Therefore, there was no legal basis for the processing and the processing was deemed unlawful. The fine amounted to 525,000 euros (Penalty for tennis association for selling personal data | Authority for Personal Data).
• The AP imposed a fine of 725,000 euros on a company for processing its employees' fingerprints for attendance and time registration purposes. The company could not invoke an exception for the processing of this type of biometric data (Fine for company for processing employee fingerprints | Netherlands Authority for the Protection of Personal Data).
• A fine was imposed on the Bureau Krediet Registratie (BKR) Foundation for creating too high thresholds for the exercise of the right of access to personal data by data subjects. The BKR charged a fee for retrieving personal data and offered the possibility of doing so no more than once a year. The fine for this amounted to 830,000 euros (Fine for BKR because of costs for inspection of personal data | Netherlands Authority for the Internal Market).

2021

• The OLVG hospital was also fined for the lack of adequate security measures for patient data. A fine of 440,000 euros was imposed (also in this case) due to the lack of two-factor authentication and proper logging with actual verification (OLVG Hospital fined for inadequate security of medical records | Netherlands Authority for the Protection of Personal Data).
• Booking.com was fined for failing to report a data breach on time. The fine imposed amounted to 475,000 euros. The fact that criminals had gained access to customer data was only reported to the AP 22 days after the 72-hour deadline had expired (Booking.com fine for late reporting of data breach | Netherlands Authority for the Protection of Personal Data)
• The AP imposed a fine of €600,000 on the municipality of Enschede for counting shoppers via WiFi tracking in the centre of Enschede. By doing so, the municipality intended to monitor how busy it was in the city centre, but it could also actually follow people. This was not necessary for the regulation of the crowds in the city. The use of WiFi tracking that makes this possible was already deemed unlawful by the AP, without regard to the necessity. The use of WiFi tracking is subject to strict requirements (Penalty Enschede Municipality for WiFi Tracking | Dutch Data Protection Authority). Please check our earlier blog on this subject: Authority for Personal Data: following people with WiFi tracking is almost never allowed | Ploum Rotterdam Law Firm.
• The AP imposed a fine of 7,500 euros on the PVV Overijssel because the PVV Overijssel sent an e-mail in which the e-mail addresses of all addressees were visible. This incident was subsequently not reported to the AP, for which a fine was imposed. Because of the financial capacity of PVV Overijssel, the fine was lowered (Fine PVV Overijssel for not reporting a data leak | Authority Personal Data).
• Locatefamily.com was fined € 525,000 with an order under penalty, because it processed personal data of subjects within the EEA but has no office or representative within the EEA. Data subjects therefore have no point of contact within the EEA, which is required under the GDPR for data controllers established outside the EU (Fine of 525,000 Euros for Locatefamily.com | Authority for Personal Data).
• Recently, the AP imposed a fine of 15,000 euros on the maintenance company CP&A for keeping track of the reasons for the sickness absence of its employees. CP&A thereby processed more personal data than necessary ("nice-to-haves") and permitted (health data are special personal data within the meaning of the GDPR, which employers are not allowed to process). Moreover, access to these data was insufficiently secured (Penalty for CP&A for privacy breach of sick employees | Netherlands Authority for the Protection of Personal Data). Please also check: Measuring the temperature of visitors and employees: is that allowed? |Ploum Rotterdam Law Firm

Two relevant developments in case law

• In addition to the published fines, we would like to mention two more recent developments that are highly relevant to practice. Firstly, the case of VoetbalTV, about a video platform with 520,000 users. According to the AP, this platform processed personal data without a legitimate basis and for this reason a fine of €575,000 was imposed. However, the court ruled in 2020 that the AP applied the GDPR too strict and wiped the fine off the table entirely. The AP judged that a commercial interest could not be a 'legitimate interest' within the meaning of the GDPR, but the court disagreed. The AP should therefore have tested further whether the processing was lawful (http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBMNE:2020:5111). Please also check our earlier blog on this topic, written before the judgment of the Court: Personal Data Authority (too?) strict about justified interest and marketing? | Ploum Rotterdam Law Firm.
• In addition, the Schrems II judgment has shown at the European level that great care is required when transferring data to third countries. In this judgment, the Court of Justice declared the Privacy Shield, on the basis of which personal data could be transferred from the EU to the US, invalid. The European Standard Contractual Clauses (SCCs) for the exchange of personal data with third countries can offer an adequate safeguard, according to the ECJ. However, when using these, it should be checked to what extent these agreements can be complied with and additional measures may be required (ECLI:EU:C:2020:559; The Court declares Decision 2016/1250 on the adequacy of the protection offered by the EU-US Privacy Shield invalid (europa.eu)). A new version of the SCCs is being worked on in the meantime and is expected in the near future. For frequently asked questions on this subject, see: edpb_faqs_schrems_ii_202007_adopted_en.pdf (europa.eu) or e-mail privacy@ploum.nl for more information. 

Lessons learned

Despite its early days, the GDPR has given us much food for thought over the past three years. The AP will probably make itself heard more often and we now also know that it can be worthwhile to act against a fine imposed. So far, it can be concluded that much importance is attached to taking appropriate security measures, such as two-factor authentication, logging and checking these, but also, for example, to appropriate agreements in (employment) contracts. Moreover, data subjects must be able to exercise their rights under the GDPR without raising barriers and data breaches must be reported in a timely manner.

Be careful when processing special personal data (e.g., of employees), do not process more personal data than necessary and act regarding data processing outside the EU (EEA). The transfer of personal data to third countries will (continue to) require the necessary attention in the coming period. More generally, we expect that the function of the GDPR - and thereby the enforcement of the AP and interpretation of certain standards by the courts - will only become more decisive in the coming years. Therefore, three years down the line, take a fresh look at your processing register, privacy policies, security measures (including their enforcement) and your agreements regarding the processing of personal data.

Need help?

Do you need help reviewing your policy documents or have other questions about the processing of personal data? Please contact Nina Witt (n.witt@ploum.nl) or email privacy@ploum.nl and we will get back to you as soon as possible.