Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Autoriteit Persoonsgegevens (32 items)
Experian Nederland B.V.: Insufficient legal basis for data processing

€2,700,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 2,700,000 on Experian Nederland B.V. The controller, a company that determines individuals' creditworthiness and sells this information, processed personal data without a sufficient legal basis. The controller also failed to inform data subjects about the processing of their data. Following the decision, the company decided to stop its activities in the Netherlands and will delete its database by the end of the year.

Coolblue B.V: Insufficient legal basis for data processing

€40,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of €40,000 on Coolblue. The company collected personal data via cookies without users' explicit consent, relying on pre-ticked consent boxes.

Netflix International B.V.: Insufficient fulfilment of information obligations

€4,750,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 4.75 million on Netflix. This fine is based on a complaint filed by the Austrian organization 'noyb'. During its investigation, the DPA found that between 2018 and 2020, Netflix did not sufficiently inform customers about the processing of their personal data. The privacy policy was partly unclear and did not provide sufficient information on, for example, the purpose and legal basis of the data collection and use. In addition, requests from data subjects

Uber Technologies Inc., Uber B.V.: Non-compliance with general data processing principles

€290,000,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 290 million on Uber for transferring personal data of European drivers to the USA without sufficient privacy safeguards. The DPA launched an investigation after 170 French drivers filed complaints with the 'Ligue des droits de l'Homme'. The DPA's investigation revealed that Uber had stored sensitive personal data—such as location information, payment details, identity documents, and health data—on US servers without adequate safeguards for over two years.

Ambitious People Group B.V.: Insufficient fulfilment of data subjects rights

€6,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 6,000 on the recruitment company Ambitious People Group B.V. The controller had not deleted the data of data subjects after they had requested it.

Clearview AI Inc.: Non-compliance with general data processing principles

€30,500,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined Clearview AI Inc. EUR 30,500,000. Clearview, a company offering facial recognition services, holds a database of over 30 billion images, including those of Dutch citizens. These images are scraped from publicly available online platforms, such as social media. Clearview uses these images to create biometric profiles, allowing individuals to be identified. During its investigation the DPA found that the personal data contained in the company's database had been processed u

A.S. Watson Health & Beauty Continental Europe B.V.: Insufficient legal basis for data processing

€50,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 600,000 on A.S. Watson Health & Beauty Continental Europe B.V. The controller had tracked visitors to its drugstore website “Kruidvat.nl” with tracking cookies without their consent. The cookie banner on the website had the boxes for consenting to the placement of tracking software pre-ticked by default. Visitors who nevertheless wanted to reject the cookies could only do so with greater difficulty. This allowed the controller to collect sensitive perso

International Card Services B.V.: Insufficient technical and organisational measures to ensure information security

€150,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 150,000 on International Card Services B.V. (ICS). ICS failed to carry out a data protection impact assessment before starting the digital identification of customers in the Netherlands in 2019. The identity check covered around 1.5 million people and involved sensitive personal data such as pictures of the data subjects.

Uber Technologies Inc., Uber B.V.: Insufficient fulfilment of information obligations

€10,000,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined Uber Technologies Inc. and Uber B.V. EUR 10 million for failing to provide sufficient information about the storage period of European drivers' data and the countries outside of the EU to which the data was transferred. The DPA also found that Uber made it unnecessarily difficult for drivers to request access to their data. Although there was a digital form in the app that drivers could use to request access, it was not placed in an easily accessible position. In addition

Voorschoten municipality: Non-compliance with general data processing principles

€30,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 30,000 on Voorschoten municipality. The municipality had kept information about household waste for longer than necessary and had not sufficiently informed residents. In 2018 and 2019, the municipality of Voorschoten had replaced the garbage cans for houses and the underground containers for apartments. These bins were fitted with chips with numbers that were linked to a house address. The aim was to increase the collection of separate waste by limit

Dutch Social Insurance Institution (SVB): Insufficient technical and organisational measures to ensure information security

€150,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 150,000 on the Dutch Social Insurance Institution (SVB). The controller had suffered a data breach in which a client's data had been leaked to unauthorized third parties. An unknown third party had succeeded in requesting benefit information via the controller's telephone helpdesk. In the course of its investigation, the DPA found that the controller had failed to implement sufficient technical and organizational measures to protect personal data. For exam

Dutch Tax and Customs Administration: Non-compliance with general data processing principles

€3,700,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 3.7 million on the Dutch Tax and Customs Administration. This is the highest fine ever imposed by the Dutch DPA. As part of its investigation, the DPA found a number of violations of the GDPR. The Tax and Customs Administration had kept a list for several years on which it recorded indications of fraud. The list contained information on over 270,000 individuals, including minors. The administration had processed personal data such as health, citizenship, an

Dutch Foreign Ministry: Insufficient technical and organisational measures to ensure information security

€565,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 565,000 on the Dutch Foreign Ministry. As part of its investigation, the DPA found that the National Visa Information System (NVIS) suffered from significant security deficiencies. This is particularly serious as the Foreign Ministry has processed an average of 530,000 visa applications per year over the last three years and the personal data processed in the course of the applications was therefore inadequately secured. The data included sensitive informa

DPG Media Magazines B.V.: Insufficient fulfilment of data subjects rights

€525,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 525,000 on DPG Media Magazines B.V. The DPA had received several complaints regarding the way the controller handled requests from customers. Customers who wanted to know what kind of personal data the controller stored, or wanted to have their data deleted, first had to upload or send in proof of identity. The DPA determined that sending in proof of identity would not have been necessary for the purpose of processing the request. In addition, the mailing

Dutch Minister of Finance: Insufficient legal basis for data processing

€2,750,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has fined the Minister of Finance EUR 2.75 million. In the context of childcare benefit applications, tax offices had processed data on the dual nationality of applicants for several years. However, the DPA found that the data on dual nationality of Dutch citizens would not have been necessary when assessing an application for childcare benefits. The said data had also been processed for the purpose of combating organized fraud and for automatic classification in the authority

Transavia: Insufficient technical and organisational measures to ensure information security

€400,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined airline Transavia EUR 400,000. In 2019, the airline suffered a data breach, in which a hacker gained access to Transavia's systems through two accounts held by the company's IT department. This could have potentially allowed the hacker to access data such as names, dates of birth, gender, email addresses, phone numbers, flight information and booking numbers of 25 million passengers. It was found that the hacker actually downloaded the personal data of 83,000 people. In 3

UWV (Dutch employee insurance service provider): Insufficient technical and organisational measures to ensure information security

€450,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has fined UWV (the Dutch employee insurance service provider - 'Uitvoeringsinstituut Werknemersverzekeringen') EUR 450,000. The UWV had not properly secured the sending of group messages via the 'My Workbook' environment. This is a personal environment on the UWV website where job seekers have contact with the UWV. As a result, there were multiple data leaks of personal information, including health information, from a total of more than 15,000 individuals.

TikTok: Insufficient fulfilment of information obligations

€750,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has fined the video portal TikTok EUR 750,000 for violating the privacy of young children. The information that Dutch users - mostly young children - received from TikTok when installing and using the app was in English and therefore not easy to understand. By not providing the privacy policy in Dutch, TikTok did not adequately explain how the app collects, processes, and reuses personal data. The DPA considered this to be a violation of the company's duty to provide informati

Municipality of Enschede: Insufficient legal basis for data processing

€600,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has fined the municipality of Enschede EUR 600,000. In 2017, the municipality decided to install special measurement boxes to measure crowds in the city center of Enschede. Sensors in the measurement boxes detected the wifi signals from the cell phones of passers-by and registered them with a code. Based on the registered codes, it was possible to calculate how busy the city center was. However, this also made it possible to track which measurement box a particular cell phone

OLVG: Insufficient technical and organisational measures to ensure information security

€440,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) imposed a fine of EUR 440,000 on the Amsterdam hospital OLVG. The controller had taken insufficient measures between 2018 and 2020 to prevent access by unauthorized employees to medical records. The controller did not adequately check who had access to which file, nor did the controller ensure that the computer system provided sufficient security. This resulted, among other things, in working students and other employees being able to access patient files without this being necessar

Orthodontic Clinic: Insufficient technical and organisational measures to ensure information security

€12,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has fined an orthodontic clinic EUR 12,000. The web form that new patients used to sign up contained mandatory fields for all sorts of patient personal data. The data that the patients (mostly children) entered into the form was then sent to the orthodontic clinic via an unencrypted - and thus unsecured - connection. This presented the risk of unauthorized third parties accessing the personal data of the data subjects.

Locatefamily.com: Non-compliance with general data processing principles

€525,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has imposed a fine of EUR 525,000 on Locatefamily.com. Locatefamily.com is a platform where people can search for the contact information of family members they have lost contact with or other people they would like to get in touch with. The data subjects complained that their contact information (name, address, phone number) was published on the website without their knowledge. The data subjects were not able to request the deletion of their data published on the site easily,

Booking.com B.V.: Insufficient fulfilment of data breach notification obligations

€475,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (Autoriteit Persoonsgegevens) has fined Booking.com EUR 475,000 for not reporting a data breach to the DPA in a timely manner. In December 2018, criminals gained access to the data of 4,109 people who had booked a hotel room through the booking site. That included their names, addresses and phone numbers, as well as details about their booking. The criminals also accessed the credit card data of 283 people and managed to access the credit card's security code in 97 cases. Furthermo

Bureau Krediet Registration ('BKR'): Insufficient fulfilment of data subjects rights

€830,000 fine - Dutch Supervisory Authority for Data Protection (AP)

BKR had required the payment of a fee when individuals requested access to their personal data and only provided access to their data once a year free of charge by post.

PVV Overijssel: Insufficient fulfilment of data breach notification obligations

€7,500 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) fined the Overijssel local branch of the PVV party EUR 7,500 for failing to notify the AP of a personal data breach, in violation of Art. 33 GDPR. An email regarding the convening of a meeting had been sent via an open distribution list due to a human error. Since the total of 101 recipients were addressed as 'Friends of the PVV' in the email, the political beliefs of the data subjects were thus disclosed to all addressees.

Unknown Organisation: Insufficient legal basis for data processing

€725,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The organisation had required its staff to have their fingerprints scanned to record attendance. However, as the decision of the data protection authority stated, the organisation could not rely on exceptions to the processing of this special category of personal data and the company could also not provide any evidence that the employees had given their consent to this data processing.

CP&A: Insufficient technical and organisational measures to ensure information security

€15,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has imposed a fine of EUR 15,000 on CP&A. The controller had documented both the causes of illness and specific complaints of the data subjects as part of the recording of employee absences due to illness. The DPA found that this was unlawful since health data is granted special protection. Employers are not permitted to record either the reasons or causes of sick leave. Furthermore, the DPA found that the controller had not implemented adequate technical and organizational me

Royal Dutch Tennis Association ('KNLTB'): Insufficient legal basis for data processing

€525,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch Data Protection Authority has fined the Royal Dutch Tennis Association ('KNLTB') EUR 525,000 for selling the personal data of more than 350,000 of its members to sponsors who had contacted some of the members by mail and telephone for direct marketing purposes. It was found that the KNLTB sold personal data such as name, gender and address to third parties without obtaining the consent of the data subjects. The data protection authority also rejected the existence of a legitimate

UWV (Dutch employee insurance service provider): Insufficient technical and organisational measures to ensure information security

€900,000 fine - Dutch Supervisory Authority for Data Protection (AP)

As the UWV (the Dutch employee insurance service provider - 'Uitvoeringsinstituut Werknemersverzekeringen') did not use multi-factor authentication when accessing the online employer portal, security was inadequate. Employers and health and safety services were able to collect and display health data from employees in an absence system.

Menzis (Health Insurance Company): Non-compliance with general data processing principles

€50,000 fine - Dutch Supervisory Authority for Data Protection (AP)

Marketing staff had access to patient data. Among other things, this violated the purpose limitation principle.

Haga Hospital: Insufficient technical and organisational measures to ensure information security

€350,000 fine - Dutch Supervisory Authority for Data Protection (AP)

Original Fine Summary: The Haga Hospital does not have a proper internal security of patient records in place. This is the conclusion of an investigation by the Dutch Data Protection Authority. This investigation followed when it appeared that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person. To force the hospital to improve the security of patient records, the AP simultaneously imposes an order subject to a penalty. If the Haga Hospital has not