Joke Bodewits and Benjamino Blok of Hogan Lovells write:
On 14 March 2019, the Dutch data protection authority (Autoriteit Persoonsgegevens, DPA) announced (in Dutch) its fining structure for violations of the European General Data Protection Regulation (GDPR) and the Dutch law implementing the GDPR (Implementation Act).
The GDPR sets two levels of administrative fines that may apply depending on which GDPR provisions have been infringed: the higher of €10 million or 2% of global revenue, and the higher of €20 million or 4% of global revenue. At both levels, the GDPR sets maximums for administrative fines and calls on member state authorities to determine what fine is appropriate in individual cases.
The Dutch DPA has introduced the four categories as set out in the table below.
Read more on Chronicle of Data Protection.