Dutch DPA: data breach approach

Introduction

Data breach notification obligations have existed in the Netherlands since January 2016. With the entry into force of the GDPR in 2018, data security and data breach (notification) obligations were unified across the EU. However, despite the GDPR’s intention to provide a level playing field across the EU, the interpretation and enforcement of security and data breach notification obligations may still vary between EU countries.

In this blog post, we discuss the approach of the Dutch DPA (Autoriteit Persoonsgegevens, the AP) towards – and enforcement of – data breaches, including the AP’s GDPR fining policy.

AP’s approach towards data breaches

Stringent approach

Since 2016, the AP has taken a relatively stringent approach towards data breach notifications. As a result, organisations are more inclined to notify a security incident to the AP as a data breach, and the Netherlands is consequently among the EU countries with the highest number of data breach notifications to the supervisory authority (in 2019 the AP received almost 27,000 notifications). The majority of these notifications relate to minor incidents, such as personal data sent to the wrong recipient.

Enforcement by the AP

Under the GDPR, supervisory authorities have various enforcement powers at their disposal. These include reprimands, suspensions of processing activities and the possibility to impose fines of up to EUR 10 million or 2% of global annual turnover for failure to implement appropriate technical and organisational measures and/or for failure to notify a data breach to the supervisory authority (in time).

Fines by the AP

The AP has used several of its enforcement powers to ensure compliance with the data security and data breach notification obligations. On several occasions the AP issued an order for incremental penalty payments (last onder dwangsom), ordering organisations to improve their security, with a specified amount becoming payable if the order is not complied with within the specified term.

The AP furthermore published two fines for failure to comply with the data security and data breach notification obligations under the GDPR:

  • a fine of EUR 600,000 for the failure to notify a data breach to the AP in time (within 72 hours of discovery) (this incident preceded the GDPR); and

  • a fine of EUR 460,000 for inadequate security measures by a hospital regarding the medical records of a Dutch reality star, which were accessed by 85 employees who were neither authorised nor involved in the treatment of the reality star.

In the latter case, the AP focused on the security requirements of article 32 GDPR and stipulated that, given the sensitivity of the data and the potential risks for the data subjects, a high level of security must be observed for the protection of medical data. This includes two-factor authentication and a regular and systematic review of logs of access to medical files.

AP’s fining policy

This case was also the first case in which the AP calculated the fine on the basis of its new (GDPR) fining policy.

This fining policy contains a ‘four category’ structure for the fines the AP will impose, based on the seriousness of the infringement. Each category has a bandwidth with a minimum and maximum amount. Within each bandwidth, the AP has determined a ‘base fine’, which it uses as the starting point for determining the fine in each individual case. The base fine is the minimum of the bandwidth plus half the width of the bandwidth (i.e. the midpoint of the range).

Category I: fine bandwidth between € 0 and € 200.000 (base fine: € 100.000)

Category II: fine bandwidth between € 120.000 and € 500.000 (base fine: € 310.000)

Category III: fine bandwidth between € 300.000 and € 750.000 (base fine: € 525.000)

Category IV: fine bandwidth between € 450.000 and € 1.000.000 (base fine: € 725.000)

This ‘base fine’ may subsequently be increased or decreased by the AP, based on a number of factors, inter alia:

  • the seriousness and the duration of the infringement;

  • the purposes of the processing;

  • the categories of data and the number of affected data subjects;

  • the extent of the damage suffered and the measures taken to limit the damage;

  • the intentional or negligent nature of the infringement;

  • previous relevant infringements;

  • the extent to which there has been cooperation with the supervisory authority in order to remedy the infringement and to limit its possible negative consequences; and

  • any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made or losses avoided, whether directly or indirectly resulting from the infringement.

The four categories as determined by the AP are substantially lower than the maximum fines that may be imposed under the GDPR. However, the AP’s fining policy allows the AP to impose a fine up to the maximum set in the GDPR if it is of the opinion that the maximum amount of the applicable category does not constitute a sufficient fine in the relevant case. In such cases the AP will have to substantiate why it considers the maximum amount of the applicable category insufficient in that individual case.

Failure to comply with (i) the security requirements of article 32 GDPR and (ii) the data breach notification obligations under articles 33 and 34 GDPR falls within category II, with the exception of article 33(3) and article 34(2), which concern the elements that must be included in the notification to the AP and/or the data subjects and fall within category III.

The AP’s GDPR fining policy will be updated if and when the European Data Protection Board (EDPB) publishes its uniform policy on GDPR fines.