3 years of GDPR: an overview of the fines imposed by the Authority for the Protection of Personal Data to date

25 May '21

Author(s): Nina Witt, Lars Boer,

3 years of the GDPR: an overview of the fines imposed by the Dutch Data Protection Authority to date Including relevant case law on the commercial interest and processing of personal data outside the EEA

Three years after the GDPR entered into force (as of 28-05-2018), we thought it would be nice to look back. The Dutch Data Protection Authority ("Autoriteit Persoonsgegevens ("AP")") has been on a roll imposing fines for breaches of the GDPR. Recently, various parties, such as the OLVG, Booking.com, the municipality of Enschede, PVV Overijssel, LocateFamily.com and CP&A have been fined and the fines are rising. In addition, we are seeing more and more legal proceedings regarding the GDPR.

The fines have been imposed for various reasons. Therefore we felt it was time for an overview. And more important, an overview of the preliminary conclusions that we can draw from the fines to date. In addition to providing an overview of the fines imposed to date, we will also focus on two recent developments in the field of marketing and privacy and the processing of personal data by entities outside the EU (or more precisely: the EEA).

Overview of fines to date





Two relevant developments in case law

  • In addition to the published fines, we would like to mention two more recent developments that are highly relevant to practice. Firstly, the case of VoetbalTV, about a video platform with 520,000 users. According to the AP, this platform processed personal data without a legitimate basis and for this reason a fine of €575,000 was imposed. However, the court ruled in 2020 that the AP applied the GDPR too strict and wiped the fine off the table entirely. The AP judged that a commercial interest could not be a 'legitimate interest' within the meaning of the GDPR, but the court disagreed. The AP should therefore have tested further whether the processing was lawful (http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBMNE:2020:5111). Please also check our earlier blog on this topic, written before the judgment of the Court: Personal Data Authority (too?) strict about justified interest and marketing? | Ploum Rotterdam Law Firm.
  • In addition, the Schrems II judgment has shown at the European level that great care is required when transferring data to third countries. In this judgment, the Court of Justice declared the Privacy Shield, on the basis of which personal data could be transferred from the EU to the US, invalid. The European Standard Contractual Clauses (SCCs) for the exchange of personal data with third countries can offer an adequate safeguard, according to the ECJ. However, when using these, it should be checked to what extent these agreements can be complied with and additional measures may be required (ECLI:EU:C:2020:559; The Court declares Decision 2016/1250 on the adequacy of the protection offered by the EU-US Privacy Shield invalid (europa.eu)). A new version of the SCCs is being worked on in the meantime and is expected in the near future. For frequently asked questions on this subject, see: edpb_faqs_schrems_ii_202007_adopted_en.pdf (europa.eu) or e-mail privacy@ploum.nl for more information. 

Lessons learned

Despite its early days, the GDPR has given us much food for thought over the past three years. The AP will probably make itself heard more often and we now also know that it can be worthwhile to act against a fine imposed. So far, it can be concluded that much importance is attached to taking appropriate security measures, such as two-factor authentication, logging and checking these, but also, for example, to appropriate agreements in (employment) contracts. Moreover, data subjects must be able to exercise their rights under the GDPR without raising barriers and data breaches must be reported in a timely manner.

Be careful when processing special personal data (e.g., of employees), do not process more personal data than necessary and act regarding data processing outside the EU (EEA). The transfer of personal data to third countries will (continue to) require the necessary attention in the coming period. More generally, we expect that the function of the GDPR - and thereby the enforcement of the AP and interpretation of certain standards by the courts - will only become more decisive in the coming years. Therefore, three years down the line, take a fresh look at your processing register, privacy policies, security measures (including their enforcement) and your agreements regarding the processing of personal data.

Need help?

Do you need help reviewing your policy documents or have other questions about the processing of personal data? Please contact Nina Witt (n.witt@ploum.nl) or email privacy@ploum.nl and we will get back to you as soon as possible.


Attorney at law

Nina Witt

Expertises:  IT-Law,Privacy law,Intellectual property rights,Cybersecurity , Food,Health Care & Life Sciences, E-health,E-commerce,

Attorney at law

Lars Boer

Expertises:  IT-Law,Privacy law,Procurement law,Cybersecurity , Technology, media and telecom, Commercial contracts,

Share this article

Respond to this article

Would you like to place a comment to this article? Login or create a My Ploum account to post comments

Stay up to date

Add these interests to My Ploum.



Ask a question

Subscribe to our newsletter

Personal data


Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Change your details' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Create account

Get all your tailored information with a My Ploum account. Arranged within a minute.

I already have an account

Benefits of My Ploum

  • Follow what you find interesting
  • Get recommendations based on your interests
  • Subscribe quickly to knowledge events and Ploum Academy
  • Use question and answer options in articles

*This field is required

I already have an account

Benefits of My Ploum

Follow what you find interesting

Receive recommendations based on your interests

Quick registration for knowledge events and Ploum Academy

Post comments on articles

Why do we need your name?

We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.


A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.