Out-Law News

Dutch data protection fine on card services firm shows minimal impact of EU-wide guidance

A Dutch Data Protection Authority (Dutch DPA) decision suggests that it took little account of recent guidance from the European Data Protection Board (EDPB) when calculating fines, an expert has said.

The Dutch DPA recently fined International Card Services B.V. (ICS) €150,000 for breaching the General Data Protection Regulation (GDPR) by failing to perform a required data protection impact assessment (DPIA). This is the first published fine imposed by the Dutch DPA since the EDPB guidelines on GDPR fine calculation came into application.

The fine amount is based on the Dutch DPA’s national guidelines on fine calculation, as well as EDPB guidelines on calculation. However, given the amount and structure of the fine, the “impact of the new EU fining guidelines seems very minimal”, said Nienke Kingma of Pinsent Masons.

Commenting on the decision, Wouter Seinen, data law expert at Pinsent Masons, said it “demonstrates that the Dutch Data Protection Authority is not changing its approach to the calculation of fines since the EDPB guidelines were published and found a way to impose a fine which is a thousand times lower than the maximum for this type of breach, fining 0.0019% where the maximum was 2%”.

The DPA holds the view that its 2019 methodology for determining fines is not affected by the EDPB guidelines, as the two are already aligned. Seinen added: “This may be a relief for the controller in question and is good news for businesses in general as it gives a clear handle on how the Dutch DPA goes about calculation of fines”.

The decision also highlights the importance of having a good DPIA process in place, including the involvement of the data protection officer, if appointed, Seinen said.

Under Article 35 of the GDPR, organisations are required to perform a data protection impact assessment when processing is likely to result in a high risk to people’s rights and freedoms. For example, a DPIA is required in cases of large-scale processing of sensitive data. In 2019, ICS started online re-identification of its customers without performing the legally required DPIA. Customers were required to upload a photo and a copy of their government-issued ID. ICS was under the impression that a DPIA was not required because it had used the risk analysis system of its parent company, Dutch banking group ABN AMRO. However, the Dutch DPA found that the process used did not meet the GDPR requirements because, amongst various other reasons, the data protection officer was not able to give advice on carrying out a DPIA.

Kingma said: “This case emphasises that involving the DPO in cases of high-risk processing activities is not only recommended but is in fact required by the GDPR”. The processing involved 1.5 million people and concerned highly confidential data, including national security numbers.
