⚠️ IMPORTANT UPDATE

This article accurately describes the Dutch AP’s pioneering 2019 fining structure, which was the first of its kind in the EU. However, Canadian businesses should note that as of June 2023, the Dutch AP now applies the EDPB’s harmonized Fining Guidelines for calculating fines for undertakings (businesses). The four-category system described below now applies only to government organizations and individuals not acting as businesses.

For the current methodology applicable to Canadian businesses operating in the Netherlands, see the EDPB Guidelines on the Calculation of Administrative Fines. The Dutch historical approach described below remains valuable for understanding how EU enforcement evolved and what principles still apply today.


The Problem with “Up to €20 Million”

When the GDPR came into force in 2018, everyone focused on the headline-grabbing maximum fines: up to €20 million or 4% of global annual turnover. But those figures are ceilings, not starting points. Most European data protection authorities kept their actual calculation methods opaque, leaving companies guessing about their real exposure and making business risk difficult to quantify.

The Dutch took a different approach. In March 2019, the Autoriteit Persoonsgegevens (AP) published something rare: actual numbers. They created a four-tier structure that told you upfront where the penalty conversation started.

This approach mattered for Canadian companies doing business in Europe, particularly those shipping to the Netherlands or serving Dutch customers. While the specific four-category system has since been replaced by EU-wide harmonized guidelines, understanding this pioneering Dutch model helps explain how structured GDPR enforcement works today.

The Four-Category System: From Minor to Major (Historical 2019 Framework)

The Dutch AP divided GDPR violations into four categories based on severity:

Category I: Administrative oversights

  • Missing documentation for processor agreements
  • Incomplete contact details for your Data Protection Officer
  • Base fine: €85,000 (Range: €50,000 – €120,000)

Category II
