The Dutch Data Protection Authority (DDPA) in the Netherlands has released its own General Data Protection Regulation (GDPR) fining policy, according to reports, making the Netherlands the first European Union (EU) country to do so.
The GDPR stipulates that the maximum fine levied against a company can be 4 percent of its global revenue or €20 million, whichever is higher. However, it did not lay out rules for how to determine an exact fine or provide any scale.
The DDPA came up with four categories of fines and gave a few different examples based on the size of the company and the maximum possible fine. If a company’s maximum fine is €10 million, then a category 1 fine would be between €0 and €200,000; category 2 would be €120,000 to €500,000; category 3 would be €300,000 to €750,000; and category 4 would be €450,000 to €1 million. A fine higher than category 4 would only be issued if the category 4 maximum is not appropriate.
The DDPA doesn’t explain, however, how it will classify the violations, but it does have “relevant factors” for how it will determine the severity of a violation. Those factors include the number of people affected, the length of the infringement, how quickly a company reacted to the problem and the type of data involved.
Arnoud Engelfriet, IT lawyer and partner at Dutch firm Legal ICT, said the Netherlands’ policy is a step in the right direction. “The supervisor is free under the GDPR to issue fines and to categorize them as it sees fit, so you can have four, eight, two or no categories if you want. As long as you can justify each fine, you’re okay under the GDPR,” Engelfriet said.
The fines should make it easier for the public and companies to get a sense of how the GDPR is going to be implemented.
Engelfriet said the scheme illustrates how GDPR enforcement is going to become more and more common. “You wouldn’t set such a policy if you did not intend to issue fines,” he noted.