Privacy: Possible fines of up to EUR 100 million or more

Publication date 23 December 2014

The bill for the new European General Data Protection Regulation includes extremely high fines of up to EUR 100 million or 5% of the global annual turnover of a company. When are you likely to incur such a fine?

High fines

In our recent newsletter on privacy, we reported that there will be a new law to provide the same data protection regulations throughout the European Union. One important aspect of these regulations will be the introduction of new penalties including extremely severe sanctions for (repeated) breaches of privacy of EU citizens.

In the Netherlands, fines are imposed by the CBP (College bescherming persoonsgegevens; Data Protection Agency). At the moment, the CBP can impose a maximum fine of EUR 4,500. The latest fines however, could be up to maximum of EUR 100,000,000 or 5% of the global annual turnover of a company, depending on which amount is higher.

Violations

You may be fined for the following violations, for instance:

Processing of personal data without consent or legal basis.
Processing of personal data with regard to:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade union membership,
- genetic information,
- health,
- sex life,
- criminal convictions and related security measures.
Not taking appropriate technical and organizational measures to prevent data leaks, unauthorized access to and elimination of data.
Not reporting data leaks in time, as, for instance loss of a USB device or website hacking.
Non-performance of data protection impact assessment upon processing data that involve special privacy risks, for instance regarding health.

Action

Be sure to organize your data processing (HRM, ICT, online shop, website, software, cameras, GPS, etc.) in conformity with the new General European Data Protection Regulation. This regulation is expected to become effective in the course of 2015/2016. Thus, there is still plenty of time to make necessary adjustments in order to prevent fines.

More information

Russell Advocaten will inform you regularly on the most recent developments regarding this General European Data Protection Regulation and its potential consequences for your business. Would you like to know more about the application of the new General Data Protection Regulation, or do you have any other questions on how to organize your company in the context of the new data protection regulation? Please contact:

Related publications

An inclusive holiday policy

The holiday season is approaching, a time of joy and days off for many. However, not everyone finds these holidays equally meaningful.

4 November 2024: Dutch Labour Law Basics for Diplomats

On Monday 4 November 2024, Russell Advocaten Russell Advocaten will host a seminar on Dutch labour law for diplomats, consular agents, and administrative staff from Embassies and Consulates in collaboration with Diplomat Magazine.

2 October 2024: Labor and Employment Client Seminar by Primerus

On Wednesday 2 October 2024, Jan Dop will be one of the members of the panel that will present timely labor and employment law issues to Primerus clients.

25 September 2024: Cybersecurity and Data Protection in Litigation

Wednesday 25 September 2024, Reinier Russell will discuss cybersecurity and data protection in litigation at the European meeting of the World Litigation Forum in Barcelona.

24 September 2024: Risk management: social media in the company

On Tuesday 24 September 2024, Reinier Russell and Jan Dop will speak at the Technical Meeting of PAiE, the organisation of professional accountants in Europe.

1 January 2025: Dutch Tax Authority will enforce rules on labour relations

From 1 January 2025, the Dutch Tax and Customs Administration is going to enforce the Deregulation of Assessment of Employment Relationships Act (DBA). How will this affect principals and self-employed workers?