December 30, 2025 | GDPR

Understanding the Dutch Approach to GDPR Fines: Why Canadian Companies Need to Pay Attention

⚠️ IMPORTANT UPDATE 

This article accurately describes the Dutch AP’s pioneering 2019 fining structure, which was the first of its kind in the EU. However, Canadian businesses should note that as of June 2023, the Dutch AP now applies the EDPB’s harmonized Fining Guidelines for calculating fines for undertakings (businesses). The four-category system described below now applies only to government organizations and individuals not acting as businesses.

For the current methodology applicable to Canadian businesses operating in the Netherlands, see the EDPB Guidelines on the Calculation of Administrative Fines. The Dutch historical approach described below remains valuable for understanding how EU enforcement evolved and what principles still apply today.


The Problem with “Up to €20 Million”

When the GDPR came into force in 2018, everyone focused on the headline-grabbing maximum fines: up to €20 million or 4% of global annual turnover. But here’s the thing: those are ceilings, not starting points. Most European data protection authorities kept their actual calculation methods opaque, leaving companies guessing about real exposure and making business risk difficult to quantify.

The Dutch took a different approach. In March 2019, the Autoriteit Persoonsgegevens (AP) published something rare: actual numbers. They created a four-tier structure that told you upfront where the penalty conversation started.

This approach mattered for Canadian companies doing business in Europe, particularly those shipping to the Netherlands or serving Dutch customers. While the specific four-category system has since been replaced by EU-wide harmonized guidelines, understanding this pioneering Dutch model helps explain how structured GDPR enforcement works today.

The Four-Category System: From Minor to Major (Historical 2019 Framework)

The Dutch AP divided GDPR violations into four categories based on severity:

Category I: Administrative oversights

  • Missing documentation for processor agreements
  • Incomplete contact details for your Data Protection Officer
  • Base fine: €85,000 (Range: €50,000 – €120,000)

Category II: Process failures

  • No written data processing agreements with vendors
  • Failing to conduct required Data Protection Impact Assessments
  • Base fine: €225,000 (Range: €150,000 – €300,000)

Category III: Core principle violations

  • Breaking transparency promises
  • Violating fairness principles
  • Incomplete breach notifications
  • Base fine: €525,000 (Range: €350,000 – €700,000)

Category IV: The most serious violations

  • Unlawful processing (no legal basis at all)
  • Mishandling special categories of data (health, biometric, religious information)
  • Unauthorized automated decision-making
  • Base fine: €725,000 (Range: €450,000 – €1,000,000)


What “Base Fine Before Consideration” Actually Means

Here’s where the Dutch approach got interesting, and expensive.

When the AP investigated a Category IV violation, they started their calculator at €725,000. This happened before they looked at:

  • Your company’s global revenue
  • How many people were affected
  • The actual harm caused
  • Whether you cooperated with investigators
  • Your previous compliance record

Think of it like this: You’re not arguing about whether you’ll get fined. You’re arguing about how much the €725,000 baseline moves up or down.

The AP then applied what lawyers call “aggravating and mitigating factors” from Article 83(2) of the GDPR:

Factors that push the fine higher:

  • Intentional violations (versus negligent ones)
  • Large numbers of affected individuals
  • Sensitive data categories involved
  • Previous violations
  • Refusing to cooperate with regulators
  • Financial gain from the violation

Factors that might lower the fine:

  • Quick remediation efforts
  • Strong existing security measures
  • Voluntary disclosure
  • First-time violation
  • Good-faith misunderstanding of requirements


Real-World Example: The Dutch Tennis Association

In 2020, the AP fined the Royal Netherlands Lawn Tennis Association (KNLTB) €525,000 for selling member data to sponsors without consent.

KNLTB sold approximately 350,000 member records – names, addresses, contact information, birthdates – to generate revenue. They argued members hadn’t objected and it benefited the sport, attempting to rely on legitimate interest as their legal basis.

The AP started at the Category III base fine of €525,000 because this violated purpose limitation principles (data collected for membership administration, used for marketing sales). Despite the large number of people affected, the AP didn’t increase the base fine because:

  • No special categories of data were involved
  • No children’s data was included
  • KNLTB had taken some measures to limit impact

The message was clear: violate core principles, pay the base fine at minimum.

Update (October 2025): The fine was subsequently reduced to €250,000 through a settlement agreement that includes a joint privacy awareness campaign. The campaign’s costs may further reduce the fine, with a final decision expected in June 2026.


The Article 84 Connection

Article 84 GDPR is brief – just two paragraphs telling EU member states to create penalty systems for violations not subject to administrative fines under Article 83.

But the Dutch used this as their framework for building structured certainty into all GDPR enforcement. While Article 83 sets the maximums, Article 84 gave member states permission to design their implementation approach.

Most countries kept it vague. The Dutch built a calculator.


Why Canadian Companies Should Care

  1. Cross-Border Data Flows

If you’re shipping products to Dutch customers, you’re processing their personal data. Under GDPR, that puts you in scope. Quebec’s Law 25 has similar extraterritorial reach – if you’re handling Quebec resident data, you’re in scope there too.

The Dutch market is substantial: 17.5 million people with high internet penetration and significant e-commerce activity. You can’t simply ignore it.

  2. The “Lead Authority” Problem

Under GDPR’s one-stop-shop mechanism, if you have your European establishment in the Netherlands, the Dutch AP becomes your lead supervisory authority. This means their fining methodology applies to you for cross-border processing issues.

Many companies chose the Netherlands for their European headquarters because of favorable tax and business structures. They inherited the Dutch AP’s approach to enforcement – now the harmonized EDPB guidelines.

  3. Understanding the Evolution to Harmonized Enforcement

The Dutch structured approach was pioneering but created inconsistencies across Europe. In June 2023, the European Data Protection Board adopted final harmonized Fining Guidelines that all EU data protection authorities now use when calculating fines for businesses.

The EDPB guidelines incorporate the structured approach pioneered by the Dutch but apply it consistently across all 27 EU member states. The key principles remain:

  • Predetermined starting points based on violation severity
  • Company turnover as a factor (now weighted earlier in the process)
  • Aggravating and mitigating circumstances
  • Three severity levels: low, medium, and high

The Dutch AP now uses these EDPB guidelines for all businesses, while maintaining their 2019 four-category system only for government organizations and individuals not acting as businesses.

  4. The Compliance Culture Message

Whether using the 2019 Dutch system or the current EDPB guidelines, the message is the same: “We take core principles seriously, and we’ve already done the math.”

When regulators say transparency, lawfulness, and fairness are non-negotiable, they back it up with predetermined penalty ranges. This isn’t negotiation – it’s structured enforcement.


How the Math Actually Works (Historical Dutch Example)

Let’s walk through a hypothetical using the 2019 Dutch framework to understand the principle:

Scenario: A Canadian company ships products to Dutch customers. They collect email addresses for order fulfillment but then add customers to their marketing list without consent. Under CASL in Canada, this would be legal and considered Implied Consent – Business Relationship, valid for 2 years from the date of last purchase.

The Dutch GDPR Analysis:

  1. Category Determination: This is unlawful processing (no legal basis for marketing use) = Category IV
  2. Base Fine: €725,000
  3. Aggravating Factors:
    • 50,000 customers affected (+)
    • No prior violations (neutral)
    • Company has 100 employees, not a large enterprise (-)
  4. Mitigating Factors:
    • Company cooperated fully when discovered (-)
    • Immediately stopped the practice (-)
    • Implemented proper consent mechanisms (-)
    • First-time violation (-)
  5. Potential Outcome: Fine reduced from €725,000 toward the bottom of the bandwidth (€450,000), with a final amount possibly in the €500,000–€600,000 range

Even with strong mitigation, you’re looking at half a million euros.

Note: Under the current EDPB guidelines, the calculation process is similar but incorporates company turnover earlier in the analysis. The principle remains: serious violations start with substantial baseline amounts that are then adjusted based on specific circumstances.


The Repeat Offender Multiplier

Here’s where it gets worse: the Dutch automatically increase fines by 50% for repeat violations within five years.

That €600,000 fine? Next time it’s €900,000, and now you’re pushing against that €1 million bandwidth ceiling. This means the regulator will likely invoke the GDPR’s statutory maximum (€20 million or 4% of turnover) rather than stay within their standard structure.

This 50% repeat offender increase applies under both the historical Dutch framework and the current EDPB guidelines, emphasizing that compliance isn’t optional for companies planning long-term market presence.


What About Smaller Companies?

Both the Dutch historical approach and current EDPB guidelines consider financial circumstances. The principle is that fines should be proportionate enough not to immediately bankrupt you, while still being painful enough to deter future violations and send a market signal.

For a small Canadian e-commerce company with €2 million in annual revenue, even a reduced Category IV fine of €300,000 could be existential. Regulators know this. That’s partly the point – don’t commit serious violations.


Practical Implications for Canadian Businesses

Before You Enter the Dutch Market:

Map your data flows clearly. Know exactly:

  • What personal data you’re collecting
  • Your legal basis for each processing activity
  • Where data is stored and who has access
  • How long you’re keeping it
  • What you’re using it for

If you can’t articulate this clearly, you’re not ready for European markets.

Build for Transparency:

The Dutch AP (and all EU regulators under EDPB guidelines) hammer transparency violations hard. This means:

  • Privacy notices that clearly explain what you’re doing and why
  • Clear opt-in mechanisms for marketing
  • Documented consent records
  • Easy-to-find privacy policies

“We buried it in the Terms of Service or Privacy Notice” won’t cut it. GDPR takes the position: “If a person does not know they signed up for something, they did not.”

Get Your Legal Bases Right:

Serious violations happen when you have no legal basis at all. The GDPR gives you six options:

  • Consent
  • Contract necessity
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

Pick one. Document why it applies. Don’t just assume “legitimate interests” covers everything. Both the Dutch AP and other EU regulators take a strict view on this basis. Most organizations misuse this basis and find regulators will not accept it as lawful grounds for processing.

Special Categories = Special Attention:

If you’re processing health data, biometric data, religious information, or other special categories, you’re automatically in high-severity territory if something goes wrong.

Don’t process special categories unless:

  • You absolutely must
  • You have explicit consent or another Article 9(2) exception
  • You’ve documented everything thoroughly

Plan for Breach Response:

You have 72 hours to notify the supervisory authority of a personal data breach (unless it’s unlikely to risk people’s rights). Incomplete breach notifications are treated as serious violations.

Have a breach response plan ready before you need it. Know who’s responsible for what. Have contact information for the Dutch AP saved. Practice at least annually.


The Larger Trend: From Dutch Innovation to EU Harmonization

The Dutch weren’t alone in creating fining structures – Denmark, Latvia, and others published similar frameworks. But the Dutch model was among the most detailed and widely referenced.

As of June 2023, the European Data Protection Board completed the harmonization effort by adopting final guidelines that all EU data protection authorities now follow for calculating fines for businesses. This represents the culmination of efforts that began with pioneering frameworks like the Dutch model.

The EDPB guidelines incorporate lessons learned from national approaches, including the Dutch structured methodology, while creating consistency across all member states.

All DPAs now use the same five-step calculation process:

  1. Identify sanctionable conduct and determine if multiple infringements occurred
  2. Establish a starting point based on violation category, severity, and company turnover
  3. Apply aggravating or mitigating factors
  4. Check against legal maximums (€20 million or 4% turnover)
  5. Verify the final amount is effective, proportionate, and dissuasive

This creates both challenge and opportunity:

Challenge: Structured enforcement with published starting points means you can’t hope for lenience on first violations of core principles across the entire EU.

Opportunity: You can now calculate risk exposure. You can build business cases for compliance investment. You can compare the cost of proper data protection against the mathematical reality of penalties.


The Canadian Connection: Law 25 and Beyond

Quebec’s Law 25 has similar extraterritorial reach and escalating penalties. While the calculation method differs, the principle is the same: regulators are getting more structured and more aggressive about enforcement.

For Canadian companies operating internationally, the question isn’t “Which jurisdiction’s privacy law applies to us?” It’s “How many privacy regimes do we need to comply with simultaneously?”

The evolution from the Dutch model to EU-wide harmonized guidelines offers a preview of where global privacy enforcement is heading: clear categories, published baselines, structured adjustment factors, and substantial penalties for core violations.


Serious Violations Can’t Be Fixed with Better Marketing

Here’s the thing about GDPR compliance: you can’t fix serious violations with better customer service or faster response times. If your fundamental data processing is unlawful – if you’re collecting data without legal basis, processing it for purposes you never disclosed, or mishandling special categories – you’re already in the worst category under any framework.

The time to get this right is before you enter the market, not after regulators come knocking.


Conclusion: Transparency Cuts Both Ways

The Dutch AP’s 2019 four-category system represented something unusual in privacy regulation: genuine transparency about enforcement intentions. They told companies exactly what they considered serious, exactly where penalties started, and exactly what factors they’d consider when adjusting fines.

This transparency pioneered an approach that has now been adopted EU-wide through the EDPB’s harmonized guidelines. The structured methodology applies across all 27 member states, creating unprecedented consistency in how privacy violations are penalized.

This transparency should prompt reciprocal transparency from businesses. If you’re clear about what you’re doing with personal data, document your legal bases properly, and respect core principles like lawfulness and fairness, you stay out of high-severity categories.

If you’re sloppy, secretive, or cavalier about people’s data – if you think “everyone does it this way” – EU regulators have published their response through structured frameworks with substantial baseline fines, adjusted based on circumstances.

That’s not a threat. It’s information. What you do with it determines whether you’re building a sustainable international business or calculating settlement amounts.


Key Takeaways for Canadian Companies

  1. As of June 2023, the Dutch AP uses EDPB harmonized guidelines for businesses, not the 2019 four-category system. Understanding the historical Dutch approach remains valuable for grasping enforcement principles.
  2. Under any framework (historical Dutch or current EDPB), serious violations involve core principles: transparency, lawfulness, fairness, special categories – not administrative paperwork failures.
  3. Know your legal basis for every processing activity before entering European markets. “We need it for business” isn’t one of the six lawful bases.
  4. The structured approach is now EU-wide: all regulators follow harmonized frameworks with clear penalty methodologies rather than purely discretionary systems.
  5. Small companies aren’t exempt: regulators adjust for ability to pay but still impose substantial fines to maintain deterrent effect.
  6. Repeat violations carry automatic 50% increases under both Dutch and EDPB frameworks: compliance isn’t optional if you plan to stay in the market long-term.

About Newport Thomson Privacy Consulting

We help Canadian companies navigate international privacy requirements including GDPR, PIPEDA, and Quebec’s Law 25. Our approach emphasizes practical compliance frameworks that work in real business contexts, because understanding the rules and knowing how to operationalize them matter more than simply memorizing regulations.

We’re happy to discuss your European market entry strategy and how to build privacy compliance into your operations from day one. For most markets, a full, documented Privacy Management Program is the minimum requirement.

Contact: dlackey@newportthomson.com | 416 524 7844
