Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

On 19 February 2019, the Dutch Data Protection Authority has come up with its own policy for determining the levels of administrative fines


On the basis of the guidelines of the article 29 working party of what now is the EDPB (European Data Protection Board) and the stipulations on imposing and setting administrative fines as laid down in the GDPR, the Dutch DPA has now formulated its own policy. This to achieve a consistent approach when administrative fines are imposed. The policy adequately reflects all of the principles listed in the EDPB guidelines, which are intended to come to a common understanding of the assessment criteria laid down in article 83 (2) of the GDPR.

In the context of the GDPR and related Dutch privacy legislation, such as the Telecommunication Act, the Dutch DPA has defined four categories with specific ranges and basic fines for each type of legislation.

In the annex of the policy, the type of GDPR infringement is related to a specific GDPR article and these infringements are divided in categories I, II, III, IV (cat I €0 to €200,000, basic fine 100,000, cat II €120,000-€500,000, basic fine €250,000, cat III €300,000-€750,000, basic fine €525,000, cat IV €450,000-€1,000,000, basic fine €725,000). These are relatively low fines, considering the maximum fines listed in article 83 of the GDPR.

The basic fines can be increased or reduced, depending on the relevant factors in article 7 of this policy. These relevant factors are:

a) The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of persons affected and the extent of the damage suffered by them.

b) The deliberate or careless nature of the infringement.

c) The measures taken by the controller or the processor to limit the damage to the data subjects involved.

d) The extent to which the controller or the processor is responsible, considering the technical and organizational measures that had to be taken under articles 25 and 32 of the GDPR.

e) Previous infringements, where relevant, by the controller or the processor.

f) The level of cooperation with the Dutch DPA to remedy the infringement and reduce the possible, negative consequences of it.

g) The categories of personal data affected by the infringement.

h) The manner in which the Dutch DPA has been notified of the infringement and whether the controller or the processor has reported the infringement.

i) In how far the controller or the processor has complied with any previous measures imposed by the Dutch DPA, as referred to in article 58 (2) of the GDPR.

j) Compliance with approved codes of conduct in accordance with article 40 of the GDPR or with approved certification mechanisms referred to in article 42 of the GDPR.

k) Any other circumstances that may be regarded as aggravating or mitigating factors, such as financial gains realised, or losses avoided, whether or not directly arising from the infringement.

If the specific infringement category in a specific case does not result in what is considered an appropriate fine, the Dutch DPA may either opt for a fine in a specific range or in a higher or lower category or increase the fine by 50%.

In very special circumstances, either the maximum fine of €10 million or € 20 million under article 83 of the GDPR may be imposed or a fine amounting to 2 or 4 per cent of the company’s annual turnover in the relevant financial year. In these situations the Dutch DPA acts outside the limits of the specific ranges referred to in its own policy.

The financial situation of an offender may lead to reduced fines. In case of accumulated infringements, the maximum fine for the most severe infringement will be applicable.

The Dutch DPA is the first DPA who has defined its own policy and perhaps it will inspire the DPAs in other EU countries.


Article provided by: Bob Cordemeyer (Cordemeyer & Slager / Advocaten, The Netherlands)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.