The Dutch Data Protection Authority (AP) has announced a new policy for determining the fines to be imposed for violations of the General Data Protection Regulation (GDPR) and its national implementing act.

The AP’s assessment will first take into account the maximum amounts specified by the European Regulation: either 10 million euros or 2% of the annual worldwide turnover, or 20 million euros or 4% of the annual worldwide turnover, depending on the violation incurred. Violations that are subject to fines are divided into three or four categories designed by the data protection authority to take into account the weight of the breached requirements, with each assigned a minimum-maximum fine range.

According to the policy regarding cases of violations subject to a maximum fine of 10 million euros or 2% of the annual worldwide turnover, the failure to appropriately record processing activities in accordance with GDPR’s Article 30 would fall in categories I or II and be subject to fines of € 0 – € 200,000 or € 120,000 – € 500,000 respectively. Failure to cooperate with the Supervisory Authority or to notify it of an incident falls within category III and results in fines of € 300,000 – € 750,000. When violations give rise to the maximum fine of 20 million euros or 4% of the annual turnover, failure to comply with the rights of access, rectification or erasure fall within category III, while non-compliance with an order from the supervisory authority falls within category IV and can result in fines of € 450,000 – € 1,000,000.

Within the ranges, the AP will adjust the level of fines based on many relevant factors, including:

  • the nature, seriousness and duration of the infringement;
  • the number of affected data subjects and the extent of the damage
  • the nature and extent of the data compromised;
  • whether the infringement was intentional or the result of negligence;
  • the measures taken by the controller or processor to limit the damage suffered by affected individuals;
  • the extent to which the controller or processor is responsible in view of the technical and organizational measures that it has implemented;
  • previous relevant breaches by the controller or processor;
  • the extent to which the offending party has cooperated with the supervisory authority;
  • the categories of personal data involved;
  • the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the controller or processor has reported the infringement.

The policy reaffirms the importance given by the GDPR to the Principle of Accountability. It states clearly that fines may be reduced if an offender is able to prove that it has taken appropriate steps to comply with the regulation, to limit the damage to Data Subjects, and to cooperate with the Data Protection Authority.

Both the original policy in Dutch and Achieved Compliance’s English translation are available to read here.


Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information as to how we can help your organization be GDPR compliant please contact