Rb. Den Haag - SGR 23/8425: Difference between revisions

Rb. Den Haag - SGR 23/8425
Court:	Rb. Den Haag (Netherlands)
Jurisdiction:	Netherlands
Relevant Law:	Article 4 of the Dutch Police Data Act
Decided:	08.10.2024
Published:	22.10.2024
Parties:	de korpschef van politie, de politie de Autoriteit Persoonsgegevens, de AP
National Case Number/Name:	SGR 23/8425
European Case Law Identifier:	ECLI:NL:RBDHA:2024:16324
Appeal from:	AP (The Netherlands) mobiele camera-auto's Rotterdam - besluit tot boeteoplegging
Appeal to:	Unknown
Original Language(s):	Dutch
Original Source:	RECHTBANK DEN HAAG (in Dutch)
Initial Contributor:	CBMPN

The Court diminished the fine imposed by the Dutch DPA against the Dutch police were from €50,000 to €30,000 for failing to conduct a DPIA before deploying mobile camera cars to monitor public spaces during the COVID-19 pandemic.

English Summary

Facts

The Dutch police deployed Mobile Camera Cars (MCAs) in Rotterdam during the COVID-19 pandemic to enforce public health measures, such as social distancing and ban on gatherings. The MCAs captured 360-degree video footage of public spaces, including streets, parks, and residential areas, where individuals (including children) were identifiable. The footage was transmitted to a central monitoring room and could be forwarded to other police units. The police failed to conduct a Data Protection Impact Assessment (DPIA) before deploying the MCAs, despite the high-risk nature of the data processing. A DPIA was only conducted after the processing had already begun. The Dutch DPA imposed a fine of €50,000 on the police for violating Article 4c(1) of the Dutch Police Data Act, which requires a DPIA for high-risk processing activities. The police then apealled the decision.

Holding

The District Court of The Hague ruled that the police violated Article 4c(1) of the Dutch Police Data Act by failing to conduct a DPIA before processing personal data. However, the court found that the violation was limited to one day (May 20, 2020), as the DPIA was completed before further processing occurred. The court also considered the exceptional circumstances of the COVID-19 pandemic and reduced the fine from €50,000 to €30,000, deeming the original fine disproportionate given the limited duration of the violation and the low likelihood of recurrence. The use of the MCAs has been discontinued.

The Court found that an image of a person captured by a camera falls under the concept of personal data, as the person concerned can be identified through it. The fact that the people were not actually identified by the police does not alter this. The personal data were collected and forwarded to the control room in the performance of police duties, so that this constitutes processing of police data. The film images are stored chronologically and therefore have a structure in time. It is not necessary that images are searchable for characteristics of the filmed persons.

The Court clarified that processing based on the Dutch Police Data Act does not automatically pose a high risk. However, in this case the processing of the camera images using the MCAs probably resulted in a high risk to the rights and freedoms of individuals. Although 360-degree camera images are not new in itself, the use of such cameras on (fast) moving cars is. Unlike the use of 360-degree cameras in fixed camera surveillance or on a mobile mast, the use of such cameras on a moving car makes it possible, for example, to follow people and make camera images of them. Moreover, personal data is collected in publicly accessible spaces from both adults and children, while they may not know that data is being collected or how it is being used. Furthermore, it may be impossible for people to prevent themselves from being subjected to such processing. The police had to take into account the possibility that camera images would also be made of large groups of people and that this could go beyond the nature of incidental monitoring. Furthermore, the purpose for which the camera images were made contributed to an increased risk to the rights and freedoms of individuals. The aim was to identify people and a violation of the emergency ordinance could lead to the imposition of a fine. In addition to being viewed live, the images could also be forwarded and saved.

The Court found that there was no force majeure situation that justified the police not drawing up a DPIA before processing personal data. The police had sufficient time to carry out a DPIA.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Direct to content
The Judiciary - go to the homepage
Home
Subjects
Judgments and news
Registers
the Judiciary
Professionals
Contact
Forms and login
Home>
Judgments and news
Judgments
A portion of all judicial decisions are published on rechtspraak.nl. This is done pseudonymously.

This decision has been pseudonymized in accordance with the pseudonymization guideline
ECLI:NL:RBDHA:2024:16324
Share decision
Instance
The Hague District Court
Date of decision
08-10-2024
Date of publication
22-10-2024
Case number
23_8425
Areas of law
Administrative law
Special characteristics
First instance - multiple
Content indication
Fine. Police Data Act. Use of Mobile Camera Cars (MCAs) in Rotterdam at the start of the COVID-19 outbreak. The Dutch Data Protection Authority has imposed a fine on the police because a data protection impact assessment (DPIA) had not been carried out prior to the processing of personal data. Processing only occurs when the camera is turned on by the special investigating officer who manages the MCA. An infringement was only established for one day. The chance of a recurrence of the infringement is also very small. The court finds the fine of €50,000 disproportionate.

Sources
Rechtspraak.nl
JBP 2024/125
Enriched judgment
Judgment
THE HAGUE DISTRICT COURT

Administrative law

case number: SGR 23/8425

judgment of the multi-member chamber of 8 October 2024 in the case between

the police chief, the police
(authorized representatives: Mr. E.P.M. Thole and Mr. Ӧ. Zivali),

and

the Dutch Data Protection Authority, the AP
(authorized representatives: Mr. W. van Steenbergen and Mr. A. Karimi).

Introduction
1. In this judgment, the court assesses the police's appeal against a fine under the Police Data Act (Wpg).

1.1.
With the decision of 17 November 2022, the AP imposed a fine of €50,000. With the contested decision of 6 November 2023, the AP declared the police's objection unfounded.

1.2.
The AP responded to the appeal with a statement of defence.

1.3.
The court heard the appeal at a hearing on 27 August 2024. The following participated: [name 1] and [name 2] of the Rotterdam police, the police representatives, Mr. Ӧ. Zivali and Mr. N.A. Frans, and the AP's representatives.

Assessment by the court
What is this case about?

2. The municipality of Rotterdam has rented Mobile Camera Cars (MCAs). These MCAs were deployed by the municipality at the start of the COVID-19 outbreak, from 10 April 2020, in connection with the enforcement of, among other things, the ban on gatherings and the obligation to maintain a distance of 1.5 metres. The use of the MCAs led to questions from the Rotterdam city council and the AP. The use was therefore temporarily stopped by the police on 17 April 2020. The use of the instrument was re-examined and the police and the municipality of Rotterdam established a deployment framework. On 26 April 2020, the MCAs started driving again. The AP imposed a fine on the police because a data protection impact assessment (DPIA) had not been carried out prior to the processing of personal data. This is a violation of the Wpg. The basic fine for this violation is €56,500, but the AP saw reason to set the fine at €50,000. In doing so, it took into account, among other things, that the use of the MCAs took place at the beginning of the COVID-19 outbreak. The police believe that the AP should not have imposed a fine or should have imposed a lower fine. According to the police, the AP should have taken more account of the exceptional circumstances of the COVID-19 crisis.

What are the rules?

3. The relevant rules are in the appendix. The appendix is part of the ruling.

What is the court's judgment?

4. The court assesses the legality and proportionality of the fine imposed on the police. It does so on the basis of the police's grounds for appeal.

What was the reason for the investigation and was the investigation careful in view of that?

5. The police state that the legality of the temporary deployment of the MCAs is not in dispute. It suspects that the AP primarily initiated the investigation and enforcement procedure with a view to establishing the legality of the deployment of the MCAs in general. The investigation into compliance with a possible GEB obligation in this specific case appears to have been merely incidental. Due to the AP's focus on the legality aspects, the investigation into the possible GEB obligation may have been careless.

6. The court considers that there is no reason to assume that the investigation into the GEB obligation was incidental and that the investigation was therefore not carried out carefully by the AP. The request for information of 17 December 2020 already states that the AP's investigation also relates to the question of whether the police acted in violation of the obligation to carry out a GEB as referred to in the Wpg.

Is there any processing of police data?

7. The police argue that the Wpg has not been violated, because there was no processing of police data within the meaning of the Wpg. The AP requested camera images from 19 May 2020 to 31 May 2020. Camera images were only made on 20, 29 and 31 May 2020. Only 29 May 2020 is relevant. For the other two days, there are no screenshots and/or no mention of “recognizable” persons who would have been captured. Insofar as moving camera images were made, it cannot be assumed that persons were identified and identifiable. The MCAs did not have a facial recognition function. The images were only retained for the AP investigation, because the retention period had already been reduced to zero days. Furthermore, there is no processing in a file. The content of a file must be structured to enable easy access to personal data. The camera images were stored unstructured as consecutive, chronological film images and were not searchable or selectable on the basis of person-related criteria.

8. The court notes that the Report of Official Proceedings of 18 March 2021 shows that camera images are only available from 20, 29 and 31 May 2020. On the other days, a grey screen is displayed with the text "no signal". For those days, it cannot be determined that the cameras were on and that people were recognizably captured on camera. The report also does not show that people were recognizably captured on camera on 31 May 2020. The report does show that people were recognizably captured on camera on 20 and 29 May 2020. The police's claim that no screenshots from 20 May 2020 are available does not alter this.

9. The court is of the opinion that on 20 and 29 May 2020, police data were processed within the meaning of the Wpg. An image of a person captured by a camera falls under the concept of personal data, as the person concerned can be identified through it.1 The fact that the people were not actually identified by the police does not alter this. The personal data were collected and forwarded to the control room in the performance of police duties, so that this constitutes processing of police data. The fact that the images were only retained for the AP's investigation does not change this. Because this concerns automated processing, the Wpg already applies and it is not required that there is processing in a file. The AP rightly states that this follows from Article 2 of Directive (EU) 2016/680.2 To the extent that this directive has been incorrectly or incompletely implemented in the Wpg on this point, the Wpg must be interpreted in accordance with the directive. The AP has also sufficiently substantiated that there is processing in a file. The film images are stored chronologically and therefore have a structure in time. The images do not also have to be searchable for characteristics of the filmed persons.

Is a DPIA necessary?

10. The police argue that there is no violation, because the DPIA was not necessary. The processing does not pose a high risk to the rights and freedoms of individuals. Whether there is a likely high risk depends on the nature, scope, context and purposes of the processing. According to the police, the AP applied this standard incorrectly by not taking into account the special aspects of the Wpg compared to the GDPR. The special investigation framework of the Wpg differs fundamentally from the very general nature of the GDPR. If the AP's reasoning were to be followed, a GEB would have to be carried out for almost every processing under the Wpg. The AP also wrongly emphasises new technology, while this was not the case. MCAs had been offered for years and were probably also used. The intention was not to follow large groups of people on the move using camera images. The cameras were only allowed to be switched on under strict conditions in the event of incidents at pre-designated locations and the cameras had to be switched off when moving to another location. Partly because of this context, there is no question of the use of new technology. Moreover, it is not decisive whether there is new technology. The police referred to a ruling by the Gelderland District Court.3

11. The court considers that a DPIA is necessary if processing poses a high risk to the rights and freedoms of individuals and it is also likely that this risk will occur.4 In the court's opinion, the AP was right to adhere to the interpretation of the standard that it provided for the identical standard in Article 35, paragraph 4, of the GDPR.5 This interpretation of the standard is based on guidelines from the European Data Protection Board.6 It is obvious that the DPIA obligation under the Wpg should be adhered to as much as possible. As was also considered in the ruling by the Gelderland District Court referred to by the police, processing based on the Wpg does not automatically pose a high risk. However, the AP has sufficiently substantiated that the processing of the camera images using the MCAs probably resulted in a high risk to the rights and freedoms of individuals. The AP explained that, although the technology of making 360-degree camera images is not new in itself, the use of such cameras on (fast) moving cars is. Unlike the use of 360-degree cameras in fixed camera surveillance or on a mobile mast, the use of such cameras on a moving car makes it possible, for example, to follow people and make camera images of them. Personal data is also collected in publicly accessible spaces from both adults and children, while they may not know that data is being collected or how it is being used. Moreover, it may be impossible for people to prevent themselves from being subjected to such processing. The police had to take into account the possibility that camera images would also be made of large groups of people and that this could go beyond the nature of incidental monitoring. Furthermore, the purpose for which the camera images were made contributed to an increased risk to the rights and freedoms of individuals. The aim was to identify people and a violation of the emergency ordinance could lead to the imposition of a fine. In addition to being viewed live, the images could also be forwarded and saved.

Did the police comply with the GEB obligation in a timely manner?

12. The police argue that the AP is wrong to state that the DPIA was mandatory from 26 April 2020, the moment the MCAs started driving again. After all, personal data were not processed for the first time until 29 May 2020. At that time, the GEB had already been completed.

13. The court considers that it follows from Article 4c, first paragraph, of the Wpg that a DPIA must have been carried out prior to actual processing. Processing only occurs when the camera is turned on by the special investigating officer who controls the MCA. Only at that moment can there be a violation. The court therefore does not follow the AP's position that a DPIA must have been carried out prior to a proposed processing activity, even if it subsequently turns out that the actual processing only takes place at a later date.

14. In view of what it has considered above under 8 and 9, the court finds that police data were processed on 20 May 2020, while the DPIA had not yet been implemented at that time. The police therefore violated the DPIA obligation on 20 May 2020. After 26 May 2020, the DPIA was completed, so that the processing of police data on 29 May 2020 does not lead to a violation.

Did the police materially comply with the DPIA obligation?

15. The police believe that they have materially complied with the DPIA obligation. The deployment framework, whether or not in combination with the pre-DPIA, contains a DPIA assessment. The GEBDPIArequirements have also been materially complied with.

16. The court finds that the AP has sufficiently substantiated that the deployment framework lacks various essential legally prescribed elements, such as an assessment of the risks to the rights and freedoms of the data subjects and the intended measures to limit the risks to the data subjects. The AP rightly states that although measures have been formulated in the deployment framework, it is unclear which risks are seen and, as a result, whether the intended measures to limit these risks are adequate.

Is there a ground for justification?

17. The police argue that there is a ground for justification.7 They rely on force majeure in the sense of a state of emergency. Rotterdam was confronted with a serious COVID-19 outbreak and an overloaded healthcare system. The situation was untenable. It had to comply with the DPIA obligation, but also had the social responsibility to protect public health. Under these circumstances, it chose to establish the deployment framework. By making efficient use of the MCAs, it has attempted to contain the untenable situation of the corona pandemic. By strategically deploying the MCAs at locations where there was no other camera surveillance, and only activating the cameras at pre-agreed locations, it has guaranteed proportionality and subsidiarity.

18. The court finds that there was no force majeure situation that justified the police not drawing up a DPIA before processing personal data. The police had sufficient time to carry out a DPIA. In this regard, the court takes into account that the police were able to draw up the deployment framework and had also carried out a pre-DPIA on 10 May 2020.

Can the police be blamed for the violation?

19. The police argue that there is no blame and that therefore no fine can be imposed.8 Article 4c, paragraph 1, of the Wpg contains a very open standard and the AP failed to issue guidelines or otherwise provide information on when a DPIA should be carried out. In addition, there was an unprecedented crisis situation and it is not blameworthy that a formal requirement would not have been complied with in a timely manner. Furthermore, it points out that the deployment of the MCAs took place at the initiative of the municipality of Rotterdam. First without formal involvement of the police and then largely still by (enforcement officers of) the municipality of Rotterdam. It is also relevant that the police are subordinate to or under the authority of the mayor with regard to the maintenance of public order.

20. In the opinion of the court, the violation is blameworthy. There is no question of an unclear standard. As considered above, it was obvious to adhere as much as possible to the interpretation of the standard that the AP has given for article 35, paragraph 4, of the GDPR. In addition, the European Data Protection Board specifically stated with regard to video surveillance that it is reasonable to assume that a DPIA is required for many cases of video surveillance.9The fact that the MCAs were deployed during a crisis situation does not automatically lead to the conclusion that there is no culpability. The fact that the municipality was also involved in the deployment of the MCAs, as stated by the police, does not alter the fact that the police were obliged to carry out a DPIA prior to processing personal data and that they failed to comply with this. The AP rightly states that the police have not made it plausible that this violation could not be attributed to them due to the relationship of authority between the police and the mayor.

Is there a disproportionately high fine?

21. The police believe that the fine is not proportionate given the nature, minor seriousness and short duration of the violation. The AP reduced the fine by only €6,500, because it was recognised that swift action was required due to the corona crisis. The duration of the violation has not been determined and therefore the number of 43 days determined by the AP cannot be included in the seriousness of the violation, apart from the fact that this number also includes the days on which the municipality of Rotterdam had deployed the MCAs without the involvement of the police. In addition, the deployment framework and the pre-DPIA sufficiently take into account the data protection effects. The cameras were only switched on very sporadically and the images did not lead to a fine or disadvantage for the persons involved. The police reasonably did everything possible to keep the consequences as limited as possible. They voluntarily cooperated with the AP and have amply demonstrated that they (want to) materially comply with the applicable requirements and ensure a good data protection framework. There was no question of intent or seriously culpable conduct. Due to the serious negligence in the contested decision and the incorrect basis for the use of supervisory powers by the AP, the fine must be revoked in full. Finally, the AP should have taken the primary decision within 13 weeks after drawing up the investigation report, according to article 5:51, first paragraph, of the General Administrative Law Act, while this took a year. The reasonable period of article 6 of the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) was also exceeded.

22. The court considers that the AP must tailor the amount of the fine to the seriousness of the violation and the extent to which it can be attributed to the offender. In doing so, the administrative body must take into account the circumstances under which the violation was committed. This is regulated in article 5:46, second paragraph, of the General Administrative Law Act.

23. In determining the amount of the fine, the AP based itself on the Fine Policy Rules of the Dutch Data Protection Authority 2019 (the Fine Policy Rules). According to the Fine Policy Rules10, the AP assumes a basic amount of €56,500 for a violation of article 4c of the Wpg. The basic fine can be increased or decreased depending on the extent to which the factors mentioned in article 35c, paragraph 2, of the Wpg and article 7 of the Fine Policy Rules give reason to do so. The court does not find the Fine Policy Rules 2019 unreasonable in general.

24. The court agrees with the AP that there is a serious violation. It is important in this respect that the MCAs were deployed after it had been decided to carry out a DPIA and this had not yet been completed. The fact that the police drew up the deployment framework does not make the violation any less serious. As considered above, the deployment framework did not meet -important- requirements for a DPIA. However, when determining the amount of the fine, the AP wrongly assumed that the MCAs were deployed for 43 days. The court considered above that a violation was only established for one day. The duration of the violation is therefore minor. The chance of a recurrence of the violation is also very small. The use of the MCAs has been discontinued. In view of this, the court does not consider the fine of €50,000 to be proportionate. The court considers a fine of €30,000 to be appropriate and necessary in this case. In doing so, the court took into account that the AP has considered the fact that the MCAs were deployed at the start of the COVID-19 outbreak to be a mitigating circumstance.

25. There is no reason to further reduce the fine due to the police's cooperation in the investigation. As the AP has stated, the use of the MCAs and the processing of personal data were not discontinued due to the investigation. The court also does not consider the fact that the AP initially communicated with the municipality of Rotterdam to be a mitigating circumstance. The AP rightly states that the police have their own responsibility to comply with their legal obligations. The fact that the AP wrongly cited the GDPR as the basis for demanding the camera images does not mean that the fine must be revoked in full or reduced. The AP was authorised to demand the camera images.

26. The exceeding of the term referred to in Article 5:51, first paragraph, of the General Administrative Law Act also does not give rise to a further reduction of the fine. This is a term of order, so that the exceeding of it has no consequences.11 The judge can discount the exceeding of this term in the amount of the fine, but the court sees no reason to do so. In addition, the court takes into account that the AP sent an intention to enforce to the police shortly after drawing up the fine report, so that it quickly became clear that it would impose a fine. Finally, the police cannot rely on the ECHR. The rights included in the ECHR are not intended to protect the government.12

Conclusion and consequences
27. The appeal is well-founded, because the contested decision is in conflict with Article 5:46, second paragraph, of the General Administrative Law Act. The court therefore annuls the contested decision.

28. The court now makes its own decision, applying article 8:72, third paragraph, opening sentence and under b, of the General Administrative Law Act. The court revokes the primary decision insofar as the fine has been set at €50,000. The court determines that the fine will be set at €30,000 and that this ruling replaces the annulled decision.

29. Because the appeal is well-founded, the AP must reimburse the police for the court fee and the police will also receive compensation for their legal costs. The compensation has been calculated as follows, applying the Administrative Law Costs Decree. The police receive a fixed amount per procedural act for legal assistance by an authorised representative. On appeal, each procedural act has a value of €875. An appeal has been filed on behalf of the police and the court hearing has been attended. The compensation then amounts to a total of €1,750. No further costs have been incurred that can be reimbursed.

Decision
The court:

- declares the appeal well-founded;

- annuls the decision of 6 November 2023;

- revokes the decision of 17 November 2022 insofar as the fine was set at

€50,000;

- determines that the fine is set at €30,000 and determines that this ruling replaces the annulled decision;

- determines that the AP must reimburse the police the court fee of €365;

- orders the AP to pay the police legal costs up to an amount of €1,750.

This ruling was made by Mr. D.C. Laagland, chairman, and Mr. M.D. Gunster and

Mr. P.T. Heblij, members, in the presence of Mr. M. de Graaf, clerk. The judgment was pronounced in public on 8 October 2024.

registrar

chair

A copy of this judgment was sent to the parties on:

Information about appeal
A party that disagrees with this judgment may send an appeal to the Administrative Jurisdiction Division of the Council of State explaining why this party disagrees with this judgment. The appeal must be filed within six weeks after the date on which this judgment was sent. If the submitter cannot await the hearing of the appeal because the case is urgent, the submitter may request the provisional relief judge of the Administrative Jurisdiction Division of the Council of State to make an interim provision (a temporary measure).

Appendix
Police Data Act

Article 1. (definitions)

In this Act and the provisions based thereon, the following terms shall have the following meanings:

a. police data: any personal data processed in the context of the performance of the police task referred to in Articles 3 and 4 of the Police Act 2012, with the exception of:

–the performance of statutory regulations other than the Traffic Regulations Administrative Enforcement Act;

–the tasks assigned by or pursuant to the Aliens Act 2000, referred to in Article 1, first paragraph, section i, under 1° and Article 4, first paragraph, section f, of the Police Act 2012;

b. personal data: all information about an identified or identifiable natural person;

c. processing of police data: any operation or set of operations performed on police data or a set of police data, whether or not carried out by automated means, such as collecting, recording, organising, structuring, storing, updating or changing, retrieving, consulting, using, providing by transmission, disseminating or otherwise making available, combining, linking, shielding or destroying police data;

[…]

f. controller: this is in the case of:

1°. the police: the chief of police, as referred to in article 27 of the Police Act 2012;

[…]

o. file: any structured set of police data that is accessible according to certain criteria, regardless of whether this set of data is centralised or decentralised, or distributed in a functionally or geographically determined manner;

[…].

Article 4c (data protection impact assessment)

1. Where a type of processing, in particular processing using new technologies, is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context or purposes of the processing, the controller shall carry out an assessment of the impact of the intended processing operations on the protection of personal data prior to the processing.

2. The assessment shall contain at least:

a. a general description of the intended processing;

b. an assessment of the risks to the rights and freedoms of data subjects;

c. the measures envisaged to mitigate the risks;

d. the precautionary and security measures and mechanisms to protect the personal data and to demonstrate compliance with the provisions of or pursuant to this Act, taking into account the rights and legitimate interests of the data subjects and other persons concerned.

[…].

Article 35 (supervision by the Dutch Data Protection Authority)

1. The Dutch Data Protection Authority, referred to in Article 6, paragraph 1, of the General Data Protection Regulation Implementation Act, shall supervise the processing of police data in the European part of the Netherlands in accordance with the provisions of this Act and pursuant to this Act.

[…].

Article 35c (powers of the Dutch Data Protection Authority)

1. The Dutch Data Protection Authority shall be authorised:

a. to warn the controller or processor that the intended processing is likely to infringe the provisions of this Act and pursuant to this Act;

b. to impose an administrative enforcement order to enforce the provisions of this Act and pursuant to this Act;

c. to impose an administrative fine if the controller acts in breach of the provisions of or pursuant to:

–Articles 4a, 4b, 4c, 6c, 31d, 32, 33a, 33b and 36 of at most the amount of the fine of the fifth category of Article 23, paragraph 4, of the Dutch Criminal Code;

[…].

2. When deciding on the imposition of an administrative fine referred to in paragraph 4 and on the amount thereof, due account shall be taken, for each specific case, of:

a. a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects affected and the extent of the damage suffered by them;

b) the intentional or negligent nature of the infringement;

c) the measures taken by the controller or processor to limit the damage suffered by data subjects;

d) the extent to which the controller or processor is responsible in view of the technical and organisational measures implemented in accordance with Articles 4a and 4b;

e) previous relevant breaches by the controller or processor;

f) the extent to which there has been cooperation with the Dutch Data Protection Authority in remedying the breach and limiting its possible adverse effects;

g) the categories of personal data to which the breach relates;

h) the manner in which the Dutch Data Protection Authority became aware of the breach, in particular whether, and if so to what extent, the controller or processor notified the breach;

i. i) compliance with the measures referred to in the first paragraph, insofar as they have been previously taken in relation to the controller or processor in question in relation to the same matter.

[…].

Directive (EU) 2016/680

Article 27 Data protection impact assessment

1. Where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context or purposes of the processing, Member States shall provide that the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

2. The assessment referred to in paragraph 1 shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to mitigate the risks, safeguards, security measures and mechanisms put in place to protect the personal data and to demonstrate compliance with this Directive, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Article 57 Penalties

Member States shall lay down the rules on penalties applicable to infringements of this Directive and shall take all necessary measures to ensure that they are applied. The penalties provided for must be effective, proportionate and dissuasive.

General Administrative Law Act

Article 5:5

The administrative authority shall not impose an administrative penalty if there were grounds for justification for the infringement.

Article 5:41

The administrative authority shall not impose an administrative fine if the infringement cannot be attributed to the offender.

Article 5:46

1. The law shall determine the maximum administrative fine that may be imposed for a specific infringement.

2. Unless the amount of the administrative fine has been established by law, the administrative authority shall tailor the administrative fine to the seriousness of the infringement and the extent to which it can be attributed to the offender. Where necessary, the administrative authority shall take into account the circumstances in which the infringement was committed.

[…].

Article 5:51

1. If a report has been drawn up of the violation, the administrative body shall decide on the imposition of the administrative fine within thirteen weeks after the date of the report.

[…].

Fine policy rules Dutch Data Protection Authority 2019

Article 5. Category classification and fine ranges

5.1
The provisions regarding violations for which the Dutch Data Protection Authority may impose an administrative fine of no more than the amount of the fine of the fifth category of Article 23, paragraph 4, of the Criminal Code (as of 1 January 2018: €83,000) are classified in Annex 5 into category I, category II or category III.

5.2
The Dutch Data Protection Authority determines the basic fine for violations for which a statutory maximum fine of €83,000 applies within the following fine ranges:

Category I Fine range between €0 and €25,000 Basic fine: €12,500

Category II Fine range between €15,000 and €50,000 Basic fine: €32,500

Category III Fine range between €30,000 and €83,000 Basic fine: €56,500

5.3
The amount of the basic fine is set at the minimum of the range plus half of the range of the fine category linked to a violation.

Article 7. Relevant factors

Without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act, the Dutch Data Protection Authority shall take into account the factors referred to under a to k, insofar as applicable in the specific case:

a. a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects affected and the extent of the damage suffered by them;

b) the intentional or negligent nature of the infringement;

c) the measures taken by the controller or processor to limit the damage suffered by data subjects;

d) the extent to which the controller or processor is responsible in view of the technical and organisational measures implemented in accordance with Articles 25 and 32 of the General Data Protection Regulation;

e) previous relevant infringements by the controller or processor;

(f) the extent of cooperation with the supervisory authority in remedying the breach and mitigating its possible adverse effects;

(g) the categories of personal data concerned by the breach;

(h) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller or processor notified the breach;

(i) compliance with the measures referred to in the second paragraph of Article 58 of the General Data Protection Regulation, insofar as they have been taken previously in relation to the controller or processor concerned in respect of the same matter;

(j) adherence to approved codes of conduct pursuant to Article 40 of the General Data Protection Regulation or approved certification mechanisms pursuant to Article 42 of the General Data Protection Regulation; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made or losses avoided, whether directly or indirectly, as a result of the breach.

1Court of Justice of the European Union of 11 December 2014, C-212/13, paragraphs 20-22.

2Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

3Rechtbank Gelderland, 7 December 2023, ECLI:NL:RBGEL:2023:6640.

4Article 1, opening words and under a, of the Wpg.

5Decision on the list of processing operations of personal data for which a data protection impact assessment (DPIA) is mandatory, Stcrt.2019 no. 64418, 27 November 2019.

6Guidelines for data protection impact assessments and determining whether a processing operation is "likely to entail a high risk" within the meaning of Regulation 2016/679 of 4 April 2017 (WP248 rev.01).

7As referred to in Article 5:5 of the General Administrative Law Act (Awb).

8As referred to in Article 5:41 of the Awb.

9Guidelines 3/2019 on the processing of personal data by means of video equipment of 29 January 2020.

10Article 5, paragraph 2, of the Fine Policy Rules.

11Administrative Jurisdiction Division of the Council of State (Division), 25 October 2023, ECLI:NL:RVS:2023:3939.

12Division, 2 May 2012, ECLI:NL:RVS:2012:BW4561.

Search help
A comprehensive manual is available for searching for rulings, including explanations of:

Search by date of ruling/publication
Search by keywords
Search by ECLI or LJN
Search by legal area
Search for locations of rulings
Search for rulings by locations
Selection criteria
The Judiciary, Supreme Court of the Netherlands and Council of State publish rulings based on selection criteria:

Rulings in cases of multiple chambers
Rulings of Supreme Court and appeal courts
Rulings with media attention
Rulings in criminal cases
European law
Indicative rulings
Recusal
Full selection criteria
Weekly overview
Select a week and see which rulings have been added to the register of rulings in that week.

Weekly overview of rulings
EnglishSitemapPrivacyCookiesAccessibilitySpoofingVacanciesArchiveDisclaimer
Follow us
twitter
facebook
facebook
linkedin
youtube
Stay informed
rss
email