Contributed By Vondst Advocaten N V
The national data supervisory authority is the AP. The AP is charged with the supervision of the processing of personal data in accordance with the GDPR and the Implementation Act. The AP is competent to perform the tasks and exercise the powers set forth in Articles 57 and 58 of the GDPR. In addition, the Implementation Act allows the AP to impose an administrative enforcement order to enforce obligations laid down by the Implementation Act.
In general, the AP focuses on material personal data breaches. Priority is given to violations that have a major impact on privacy or to minor violations affecting many data subjects. If the AP finds minor violations, it will often first give a warning, provided the violator can demonstrate good faith and is prepared to improve (for example, by implementing new privacy procedures). In 2018, however, the AP imposed a penalty of EUR600,000 on Uber for violating the Dutch Data Breach Regulation (based on the former Dutch Data Protection Act). The AP has performed various targeted enforcement actions since the GDPR came into force.
From time to time, the AP announces specific areas of focus. Recent focus has been on the security of personal data, Big Data and profiling, medical data, personal data with the (digital) government and personal data in labour relationships. The AP has announced that personal data breaches that are not notified in accordance with the GDPR are a focus point for 2019.
The Dutch Authority for Consumers and Markets (‘Autoriteit Consument & Markt’) (ACM) is charged with the supervision of the Telecommunications Act (direct marketing and cookies). For violations of the Telecommunications Act, the ACM may impose an administrative penalty of up to EUR900,000 per breach or 10% of the annual turnover of the company in breach (whichever is higher).