Tag Archive: fine

The Netherlands: new chairman DPA announces fines

By Richard van Schaik and Róbin de Wit

Last week, the chairman of the Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens, “AP”), Aleid Wolfsen, announced that several investigations around data breaches are pending and that the first serious fine is just a matter of time.

Mr. Wolfsen is optimistic about the impact of the upcoming General Data Protection Regulation (“GDPR”), effective from May 25, 2018. Data subjects’ rights are boosted up and the responsibilities for companies significantly increased, Wolfsen says. Furthermore, the possibilities for the AP to step up the level of enforcement and to impose “draconian fines” will further expand. Under the GDPR, fines of up to EUR 20 million or 4% of the worldwide annual turnover may be imposed, whilst the maximum amount is substantially lower under current Dutch data privacy laws.

Although the AP has not imposed any fines in 2016, changes are imminent. Mr. Wolfsen indicated that almost 4,000 cases of data breaches have been notified to the AP and that several investigations are still pending. Investigations relate to cases where the protection of personal data is “drastically insufficient”. It is therefore to be expected that the first fines will follow in due course.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-new-chairman-dpa-announces-fines/

GERMANY: Bavarian Data Protection Authority issues guidance on GDPR Sanctions

By: Dr. Thomas Jansen and Mari Martin

On September 1, 2016, the Bavarian Data Protection Authority (BayLDA) issued a brief paper outlining the basic principles of the future sanction regime under the European General Data Protection Regulation (GDPR). The document is available at the following link: https://www.lda.bayern.de/media/baylda_ds-gvo_7_sanctions.pdf (German-language only).


The GDPR will become effective on May 25, 2018, after a transition period of two years. European supervisory authorities are currently working to achieve a more uniform view of the new basis and requirements for data protection at the European level. In the meantime, the BayLDA plans to periodically publish papers such as this one on selected topics. The BayLDA explicitly notes that is not a binding interpretation of the regulation.

Amount and Scope of Administrative Violations and Fines Increased

According to the GDPR, administrative fines shall be effective, proportionate and dissuasive. Some infringements are subject to administrative fines of up to 20 million EUR or 4% of the organization’s total annual global turnover.

Further, as explained with reference to the “economic enterprise concept” in the explanatory memorandum of the Treaty on the Functioning of the European Union (recital 150), if the sanctioned entity is part of an “undertaking,” the total annual turnover of the entire undertaking is the relevant amount from which the 4% fine will be deducted, not just the annual turnover of the specific sanctioned entity (i.e. the individual controller or processor). Please see our post of July 26, 2016 titled “EU: GDPR – Group revenues at risk of fines” for more information on the meaning of an “undertaking.”

The GDPR provides for a significantly wider range of offences than does the current German Federal Data Protection Law (BDSG). Under the GDPR, violation of the vast majority of provisions regulating data controllers and processors is subject to a fine. The GDPR provisions regarding administrative fines demonstrate the European Commission’s (EC’s) intention to provide for financial sanctions for data protection infringements and to enable severe sanctions if necessary. Exceptions should exist only for minor infringements and when a fine would be disproportionately burdensome.

The GDPR imposes fines on both controllers and processors. In addition, accredited certification bodies under Article 43 of the GDPR, which are responsible for properly assessing and certifying compliance by data controllers and processors with data protection regulation and organizational codes of conduct, may be subject to administrative fines due to breach of their obligations.

According to the BayLDA, it can be assumed that organizations may be held responsible for violations committed by their employees. However, the GDPR does not regulate the extent to which fines may be imposed on employees themselves. This issue remains unclear.

Fines Imposed for Violations of Technical and Organizational Measures

In an important change from the BDSG, the GDPR provides that violations of the duty to take appropriate and adequate technical and organizational measures to protect personal data are an administrative offense subject to fines. Also significant is the fact that the GDPR sets out fines for violations of the obligation to ensure implementation of the principles of privacy by design and privacy by default. These changes underscore the great value the EC places on the importance of technical and organizational measures and the principles of privacy by design and privacy by default for effective data protection.

Factors Influencing the Amount of Fines

According to the EC, a number of factors must be considered when determining the amount of fines. Previous breaches of data protection law should be considered an aggravating factor. The extent to which the controller or processor cooperated with the supervisory data protection authority should be considered. Further, if the controller or processor gives the supervisory authority incomplete or inaccurate information during the course of an investigation, this should be considered an aggravating factor, as recognized by the European Court of Justice in the field of competition law.

As stated by the EC, the GDPR is intended to lead to a uniform application of sanctions in Europe In the future, the European Data Protection Board may develop relevant guidelines.


All organizations operating as either a data controller or processor in any EU member state should be aware of the significant increase in both the amount and scope of potential fines under the GDPR. In particular, administrative fines under the GDPR may be up to 4% of the total worldwide annual turnover of the preceding financial year in the case of an “undertaking.” Such enhanced financial penalties for data protection violations are intended to prevent organizations from incurring any profit in the event of a data protection breach.

In addition, organizations should carefully note the imposition of fines due to violations regarding technical and organizational measures and the principles of privacy by design and privacy by default. Organizations should ensure that that appropriate technical and organizational measures are in place and that they have appropriately implemented the principles of privacy by design and privacy by default before the GDPR becomes effective in 2018.

If you would like to discuss how we can help your organisation, please get in touch with your usual DLA Piper contact or email us at dataprivacy@dlapiper.com.

For further information on the GDPR please visit our dedicated GDPR microsite.


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-bavarian-data-protection-authority-issues-guidance-on-gdpr-sanctions/

FRANCE: The CNIL Fines Google €100,000 Over Right To Be Forgotten

The French data protection authority (the “CNIL”) will not settle for a compromise, or so says its recent decision to fine Google Inc. €100,000 for failing to properly implement the so-called “right to be forgotten”.

By Carol Umhoefer (Carol.Umhoefer@dlapiper.com) and Caroline Chancé (Caroline.Chance@dlapiper.com).

Earlier this month, Google announced it was adapting its approach to the right to be forgotten following discussions between the Mountain View, California firm and EU data protection authorities, in particular the CNIL, which in May 2015 issued a cease and desist order against Google Inc. (see previous post here) and rejected its appeal in September 2015 (see previous post here).

Despite reports that some EU data protection authorities saw this as a potentially acceptable solution, on March 10, 2016, the French regulator ordered Google Inc. to pay a €100,000 fine for violation of individuals’ right to object to the processing of their personal data and the right to delete their personal data, in light of the landmark decision of the Court of Justice of the European Union (“ECJ”) in Costeja v. Google[1].

For the CNIL, in order to be compliant with French law, Google Inc. must delist links from all Google Search extensions globally, and unconditionally. Google Inc. argued that this extraterritorial reach of the right to be forgotten is likely to raise conflict of laws issues and impair other States’ sovereignty (see previous post here). In particular, Google expressed concerns that a global delisting would disproportionately undermine the freedom of expression and information. But the CNIL countered that the purpose of its decision is to ensure “effective and complete protection of data subjects“, as required by the ECJ.

A Google spokesman has already confirmed they will appeal the CNIL’s decision[2].

If the CNIL’s decision becomes definitive, Google will have to further adapt its approach to the right to be forgotten or face up to € 300,000 in additional administrative fines.

For further information, please contact Carol.Umhoefer@dlapiper.com or Caroline.Chance@dlapiper.com.

[1] Case C-131/12, Google Spain and Google Inc. v. Agencia Espanola de Protección de Datos (AEPD) and Mario Costeja Gonzalez, May 13, 2014

[2]France fines Google over ‘right to be forgotten’“, Julia Fioretti, Reuters, March 24, 2016 (http://www.reuters.com/article/us-google-france-privacy-idUSKCN0WQ1WX)

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-the-cnil-fines-google-e100000-over-right-to-be-forgotten/

NETHERLANDS – high fines imposed on both publishing company and its shareholder

By Richard van Schaik and Róbin de Wit

Yesterday, the Authority for Consumers and Markets (“ACM”) reported that it has imposed a € 745,000 fine on a Dutch publishing company for violating rules regarding unfair commercial practices – such as sending unsolicited follow-up shipments -, telemarketing and distance selling. A striking detail is that not only the company was fined, but the ACM also imposed a € 300,000 fine on the ultimate shareholder for exercising de facto leadership with respect to the violations.


In short, the background of the case is as follows.

In the period from 2011 to 2013, the company approached a great number of consumers through telemarketing, its website and by regular mail with the aim to sell a trial package for a low amount. After the sale, consumers received follow-up shipments unsolicitedly, for which they had to pay.

Furthermore, offers were presented to be free of charge – which was not the case -, clear information regarding the company’s offers was withheld and consumers were asked for a direct debit authorization, which is not allowed for this type of telephone sales.

Lastly, the company did not provide mandatory information about the purpose of the call, meaning that consumers did not have sufficient information to decide whether or not they wanted to continue the conversation.

Despite warnings issued by the ACM in response to several complaints the ACM received from consumers, the company did not follow up on its commitment to reorganize its sales operations and to monitor its call centers more strictly. This made the ACM to decide to investigate the matter and subsequently, to impose fines. The ultimate shareholder was fined for the fact that it was aware of the ongoing violations and failed to take actions against it.

The company lodged a notice of objection to the decision of the ACM.

Please click here for the report issued by the ACM.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-high-fines-imposed-on-both-publishing-company-and-its-shareholder/

THE NETHERLANDS: Public service broadcasting modifies its cookie policy after fine threat

By Richard van Schaik and Róbin de Wit


The Dutch telecommunications supervisory authority, the Authority for Consumers & Markets (“ACM”), has established that the Netherlands Public Broadcasting (“NPO”) violated the rules for placing cookies. On various websites managed by the NPO, the NPO places cookies at user’s devices without having obtained their priot informed opt-in consent. By doing so, the NPO violates Dutch cookie law as laid down in the Telecommunications Act (Telecommunicatiewet “Tw”). Under the Tw, it is prohibited to place cookies without having informed users properly and without having obtained their prior opt-in consent.


Background decision ACM

In 2012, the ACM sent letters to a large number of Dutch government websites or websites linked to the government on the compliance with Dutch cookie law. The ACM holds the opinion that now that the government is (indirectly) involved, it is of importance that these websites set a good example in this respect. Therefore, the ACM currently takes enforcement action where government websites are concerned.

The websites managed by the NPO fall within the scope of government websites. According to the ACM, it had confronted the NPO with its violating behavior several times. Since the NPO failed to come up with a satisfactory response and in order to force the NPO to adjust its current policy, the ACM imposed an order subject to a penalty for noncompliance amounting to EUR 25,000 per week with a maximum of EUR 125,000.


Background Dutch cookie law

Under Dutch cookie law, website operations need to consider the application of article 11.7a of the Tw for the use of cookies. Cookies that are placed on, or read from, a user’s computer require informed prior opt-in consent before being placed. The principle of informed prior consent does not apply where functional cookies are concerned, i.e. cookies that are strictly necessary for the provision of an information society service requested by the user. For example, tracking cookies do not fall under this “strictly necessary”. On the contrary: tracking cookies or similar data files placed or accessed, are considered to be personal data, unless the party placing such cookies or information can prove otherwise. If the placement of cookies – like tracking cookies – also involves the processing of personal data, the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens “Wbp”) also applies. Under the Wbp, a legal basis for the processing of personal data is required, which can often be found in the unambiguous consent of the user. Currently, the Dutch cookie legislation is being reviewed and it is very likely that after the summer holidays, new legislation comes into force.

In reply to ACM’s decision, NPO confirmed it will change its policies.

For further information, please contact Richard van Schaik (richard.vanschaik@dlapiper.com) or Róbin de Wit (robin.dewit@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-public-service-broadcasting-modifies-its-cookie-policy-after-fine-threat/

The Netherlands: Dutch energy company is fined for violating the Dutch telemarketing rules

Last week, the Dutch Authority for Consumers and Markets (“ACM”) imposed a fine on energy company Essent for violating the Dutch telemarketing rules. In short, Essent had called several consumers with respect to a commercial offer, albeit that a large number of the consumers approached was registered with the Do Not Call Me Register (“Register”). This means that Essent was not allowed to approach these consumers unsolicited by telephone, unless it concerned a former customer of Essent. Clearly, Essent had failed to remove addresses from such registered consumers (not being former customers) from its call files and approached them unsolicited by telephone in violation of article 11.7 of the Dutch Telecommunications Act (Telecommunicatiewet).

From an investigation carried by the ACM in response to several complaints from consumers, it turned out that Essent made use of phone numbers of consumers who had left their contact details through surveys on Essents website for which a prize could be won. ​​Under Dutch law, Essent may only use such contact details for telemarketing purposes if the consumer (not being a former customer) has expressly and unambiguously consented thereto. This was not always the case. Therefore, Essent was obliged to compare the phone numbers obtained through its website with the phone numbers included in the Register prior to using them. Essent had failed to do so and called the consumers anyway, as a result of which the purpose of the Register was being undermined. This caused the ACM to impose a fine amounting to € 47,500.

For further information, please contact Richard van Schaik (richard.vanschaik@dlapiper.com) or Róbin de Wit (robin.dewit@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-dutch-energy-company-is-fined-for-violating-the-dutch-telemarketing-rules/

Belgium: Beware of the barking Privacy Watchdog, she’s biting.


By Patrick Van Eecke and Julie De Bruyn (DLA Piper – Brussels)

The quietness in the privacy landscape in Belgium is about to drastically change.  Reason for the change of pace are the recent major data breaches that were published by the media. The Privacy Commission announced it will establish a dedicated task force to carry out proactive audits focusing on different sectors, such as financial and insurance institutions, hospitals and other health providers, and telecom operators.

Draft Belgian legislation will grant the Privacy Commission the power to independently impose monetary fines and other sanctions, such as the blocking of access to certain databases by non-compliant companies, or the withdrawal of the permits to make use of such (public) databases. The expansion of powers would transform the Privacy Commission from passive bystander to an actual ‘Privacy Police’.

Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/belgium-beware-of-the-barking-privacy-watchdog-she-starts-biting/

SPAIN: Spanish Data Protection Commissioner (AEPD) Imposes First Financial Sanctions on Cookies

By Elisa Lorenzo and Diego Ramos

The AEDP has fined two website operators €3,000 and €500, respectively, finding that the websites did not offer complete and clear information on the use and purpose of their cookies, and therefore did not obtain proper consent.

In April 2013, the AEPD published Guidance Notes for the use of cookies, in order to provide Internet services providers guidelines on the correct interpretation of their legal obligations. According to the Guidance Notes, user consent must be (i) express or (ii) clearly inferred from user actions, in both cases after having obtained proper information about the use of cookies at the relevant website. The Guidance Notes also define the main criteria to evaluate whether information provided to users regarding cookies is clear and correct.

In its Resolution No. R/02990/2013 pronouncing the fines, the AEPD considers that the layered notice system used by the websites is not entirely adapted to the criteria defined by the AEPD’s Guidance Notes. According to the AEPD, the first level should contain “essential” information (as defined by the Guidance Notes), which AEDP considered was not the case for the websites at issue. The sites also failed to supply in the second layer complete information adapted to the cookies actually set on the sites. More generally, the notices did not define the cookies used on the websites or give any details about the type of cookies set. Furthermore, the notices did not properly identify which cookies belong to and are controlled by the website operator, and which are controlled by third parties. Moreover, the notices in question referred only generically to some of the purposes for which the cookies were used, without informing users about the mechanisms to deactivate the cookies or to revoke the consent provided.

The Resolution notes that the fines were reduced taking into account the good faith and lack of economic benefit for both entities, and also the fact that there were no material precedents for cookies violations.

It is important to highlight that the criteria adopted by the AEPD are the same as in the April 2013 Guidance Notes, which at the time were formally presented as a tool providing online market players with criteria on how to fulfill their legal obligations but are now being used as if they are part of the legal provisions, leading to enforcement and financial sanctions.

As of this date, it is still unknown whether the decision will be appealed to the courts.

Please contact elisa.lorenzo@dlapiper.com or diego.ramos@dlapiper.com if you would like further information.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/spain-spanish-data-protection-commissioner-aepd-imposes-first-financial-sanctions-on-cookies/