Offices – Netherlands
Explore all Offices
Global Reach
Global Reach

Apart from offering expert legal consultancy for local jurisdictions, CMS partners up with you to effectively navigate the complexities of global business and legal environments.

Explore our reach
Insights – Netherlands
Explore all insights
Expertise
Insights
Insights

CMS lawyers can provide future-facing advice for your business across a variety of specialisms and industries, worldwide.

Explore topics
Offices
Global Reach
Global Reach

Apart from offering expert legal consultancy for local jurisdictions, CMS partners up with you to effectively navigate the complexities of global business and legal environments.

Explore our reach
CMS Netherlands
CMS Netherlands Abroad
Insights
Insights by type
About CMS

Select your region

Publication 13 May 2025 · Netherlands

GDPR Enforcement in Individuals & Private Associations

Deep dive into relevant data protection enforcement cases and insights for individuals & private associations

2 min read

On this page

In the individuals and private associations sector, DPAs from 17 different countries have so far imposed 360 fines (+52 compared to the 2024 ETR) on private individuals, individual entrepreneurs, private sport associations and leagues in the total amount of EUR 2,544,656 (+EUR 693,990 compared to the 2024 ETR).

Let's take a closer look

  • The highest fine of EUR 600,000 was issued against the GSM Association by the Spanish DPA (AEPD) for not carrying out a data protection impact assessment regarding its use of an identification system for physical attendees that granted access based on facial recognition and biometric tokens (ETid-2545).
     
  • Fines against private individuals were generally much lower, most often below EUR 2,000.
     
  • The lowest fine of EUR 48 was issued against an Estonian police officer (ETid-384) who accessed personal data in a police database for private research.
     
  • Many cases against individuals and private associations involve video surveillance on private grounds or in traffic. DPAs imposed fines for such violations regularly even on private individuals.
     
Main takeaways
The number of fines and total amount for this sector has grown modestly since the 2024 ETR. Many small fines were imposed against individuals. More than 60% of all fines in this sector were imposed by the Spanish DPA (i.e. 219 of 360 cases). DPAs have tended to treat bigger non-profits (esp. sports associations) just like similarly sized businesses. They imposed fines for various offences ranging from lack of technical and organisational measures to insufficient information provided to data subjects. For individual entrepreneurs and private individuals, the DPAs seem to pay very close attention to the extent to which the violation was foreseeable by the individual and to the motives behind the processing. The number of data subjects and the violator's intention to pursue economic interests through the illegal data processing was particularly important.
Nearly half of all fines in this sector were based on illegal video surveillance. This underscores the general focus of DPAs on video surveillance. They consider video surveillance to be such a risky form of processing that strict requirements must be met even by private individuals.
previous page

7. GDPR Enforcement in Finance, Insurance and Consulting

next page

9. GDPR Enforcement in Industry & Commerce