GDPR Enforcement in the Netherlands
Deep dive into relevant data protection enforcement cases and insights from the Netherlands

Fining practice
Trend: Have the national data protection authorities in the Netherlands focused on certain types of non-compliance with data protection law so far or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
The Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”, “DPA”) identified four key enforcement areas for 2024, these being algorithms/artificial intelligence, Big Tech, freedom and security, data trading and digital government. The DPA has indicated that these areas will also provide direction to its supervision in 2025.
The DPA has been the national coordinating authority for risk signalling, advice and collaboration in the supervision of AI and algorithms since 2023. In this role, the DPA focused on four areas in 2024: transparent algorithms, auditing, governance and bias. The DPA publishes an AI & Algorithmic Risks Report twice a year. This report gives periodic insight into the risks and effects of the use of algorithms in the Netherlands.
The majority of investigations and fines from the DPA in the Netherlands relate to deficiencies in information security (Article 32 GDPR) and non-compliance with GDPR main principles (Article 5 GDPR).
Overall, what was the most significant fine in the Netherlands to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
The most significant fine in the Netherlands to date was imposed on Uber Technologies Inc. and Uber B.V. (“Uber”) on 22 July 2024 for EUR 290 million. This is the highest fine imposed by the DPA to date. The fine was imposed because Uber transferred personal data of European taxi drivers to the United States (US) and failed to appropriately safeguard the data with regard to these transfers.
Uber collected sensitive information of drivers from Europe and retained it on servers in the US. This included taxi licences, location data, photos, payment details, identity documents and criminal and medical data of drivers. Uber did this for a period of over two years, transferring those data to Uber's headquarters in the US, without using transfer tools. Because of this, the protection of personal data was not sufficient and in violation of Articles 44 and 46 GDPR.
The Court of Justice of the EU invalidated the Privacy Shield in 2020. According to the Court, standard contractual clauses could still provide a valid basis for transferring data to countries outside the EU, but only if an equivalent level of protection can be guaranteed. Because Uber no longer used standard contractual clauses, the data of drivers from the EU were insufficiently protected.
The DPA started an investigation after more than 170 French drivers complained to the French human rights interest group the Ligue des droits de l'Homme (LDH). The LDH forwarded the complaints to the DPA, as Uber’s European headquarters is located in the Netherlands.
Uber has indicated its intent to object to the fine.
Organisation of authorities and course of fine proceedings in the Netherlands
How is the data protection authority organised in the Netherlands? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
The DPA is the supervisory authority for the GDPR and the Dutch GDPR Implementing Act (“Uitvoeringswet Algemene verordening gegevensbescherming”). The DPA is an autonomous administrative body with its own legal personality. The chairman, the other members and the extraordinary members of the DPA are appointed by the central government based on the recommendation of the Minister of Justice and Security.
The annual budget of the DPA in 2025 increased to approximately EUR 49 million. In 2024 the staffing level grew to 320 FTE.
How does a fine procedure work in the Netherlands? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
- Fines can be imposed by the DPA itself.
- DPA proceedings usually start with an investigation involving the gathering of information, including from the company in question. Sometimes the start of an investigation is published on the website of the DPA.
- Following the investigation phase, the DPA sends a draft report to the company concerned. The company is able to provide its views on the factual and legal aspects of the case, before the authority issues a notification on the penalty.
- Lastly, the DPA will share the final report with the company, including a response to the company's views. The final report will also be published on the DPA website.
- Companies may appeal against penalty notifications with the competent administrative court.
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
Fines are transferred to the state treasury.
Is there a common, official calculation methodology for fines in the Netherlands?
The DPA in the Netherlands has adopted official guidelines on fining (Dutch only); these contain a calculation methodology for fines in the Netherlands for breaches of the GDPR by government organisations and natural persons not acting on behalf of a company: Boetebeleidsregels Autoriteit Persoonsgegevens 2023.
The Dutch guidelines on fining do not apply to companies. The fines for companies are calculated in accordance with the EDPB Guidelines on the calculation of administrative fines under the GDPR.
Can public authorities be fined in the Netherlands? If they can: Where does this money go?
Public authorities can be fined. The DPA fining guidelines apply, classifying the fines into different categories and ranges. These fines are transferred to the state treasury.
In the Netherlands, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
Most of the imposed and published fines and sanctions are listed on the website of the DPA: Boetes en andere sancties | Autoriteit Persoonsgegevens.
Furthermore, investigations and fines are also mentioned in its annual report.
There are two cases to date where the name of the fined organisation was anonymised:
- On 30 April 2020, a fine was imposed on a company for processing employee fingerprints.
- On 10 June 2021, a fine was imposed on an orthodontic practice.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?
Not applicable
Other legal consequences of non-compliance in the Netherlands
Does the Netherlands have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
The Dutch legal system has two different collective redress mechanisms:
- representative collective actions; and
- a collective settlement mechanism based on an opt-out system.
Representative collective actions allow a representative entity (a foundation or an association with full legal capacity) to initiate proceedings to protect similar interests held by a group of people. A representative entity is able to submit a claim for a declaratory judgment, injunctive relief or specific performance or, in the case of collective actions relating to events which took place on or after 15 November 2016, is also able to claim monetary damages. Representative collective actions are governed by Articles 3:305a to 3:305d of the Dutch Civil Code.
Class settlement proceedings allow the parties to a collective settlement agreement to jointly petition the Amsterdam Court of Appeal to declare the settlement to be binding for all class members. Class members are able to opt out. Class settlement proceedings are governed by the Act on the Collective Settlement of Mass Damage (“Wet Collectieve Afwikkeling Massaschade”) which has been implemented in Articles 7:907 to 7:910 of the Dutch Civil Code and Articles 1013 to 1018a of the Dutch Code of Civil Procedure.
What is more relevant in the Netherlands: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
To date, fines from the DPA are more relevant than private litigation regarding data protection infringements.
The number of GDPR-based civil claims lodged by individuals has so far been limited and has mainly resulted in a handful of claims being awarded in the range of EUR 250-500, with one outlier being awarded EUR 2,500. As of 1 January 2020, however, it has become easier in the Netherlands to claim damages in civil class actions. Based on this legislation, the first multi-billion GDPR-based proceedings have been initiated. Depending on the outcome of the first series of these proceedings, we expect a vast number of new civil class actions to follow in the coming years.
An example of a civil class action that has been started concerns an action against TikTok on behalf of all minor TikTok users in the Netherlands. The claimants demand that TikTok pays damages in the amount of at least EUR 2 billion to these minors for unfairly collecting and trading their data. The court has ruled that class actions can only be successfully brought if the violation of the GDPR leads to material damage, or if the immaterial damage can be bundled. This has raised the bar for successfully claiming damages. At the moment, the appeal against this court decision is pending.