Bend the knee

In the last blog, we discussed that the controller is accountable for all breaches of the GDPR and this is partly true. The controller is always responsible for protecting the personal data of its users, but under the GDPR, the processors are also accountable for breaches with the data they process for the controller. This a big difference with the Dutch WBP law, where the accountability solely lies with the controller.

Picture of the autor Rutger Buijzen

Rutger Buijzen

Chief Technology Officer


What if the ‘Autoriteit Persoonsgegevens’ (AP), charged with upholding the law in the Netherlands, comes knocking at your door? The thing you hear the most is you're going to be fined tens of millions of euros or a percentage of your revenue. While this is actually possible, you probably would have to neglect all warnings to get fined directly. The supervisors also have a lot of other possibilities to make you uphold the law.

Examples of these are:

  • A warning or reprimand
  • An order to comply with a data subjects request for executing its rights under GDPR
  • An order to communicate a data breach to the affected party or to the public
  • Removal of certificates
  • An order to temporarily or permanently suspend data processing
  • An order to suspend data flows outside of the EU

But - there it is again - in comparison with the WBP, the AP doesn't first have to issue a warning or other corrective measures before issuing a fine. If you do some ‘Cambridge Analytica type of work’ they might just go straight ahead with a fine and that can come in two categories.

Two types of fines:

  • A fine of up to € 10 million or 2% of worldwide annual revenue for procedural infringements, like not having a registry, not having a data processing officer when you should have, or not notifying a supervisor in case of a data breach.
  • A fine of up to € 20 million or 4% of worldwide annual revenue for data infringements like processing data without consent, exporting data out of the EU, not complying with requests of data subjects.

The AP recently made a statement that they won't come out blazing with fines after 25th May, but will offer a helping hand to companies to comply with GDPR.

Upcoming topic: your rights as a data subject and how can exercise them!