HomeKnowledge base › GDPR fines in the Netherlands: lessons from the figures
Data breach

GDPR fines in the Netherlands: lessons from the figures

GDPR fines in the Netherlands, the lessons from the Autoriteit Persoonsgegevens figures

Since 2018 the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has published every fine it imposes, with the violation and the amount for each case. That is a wealth of information, because it shows where things go wrong in practice. The newspapers lead with the record fines of tens of millions. Those, however, are rare and almost always concern large, digital data flows. For an ordinary organisation a different pattern is far more instructive. A fixed group of fines is about three obligations that good data hygiene touches directly. This article reads the figures and translates them into what you can do with them yourself.

The record fines make the newspapers, but they are exceptional

Let us start honestly. The largest GDPR fines in the Netherlands are not about a stray paper folder. In 2024 Uber received a fine of 290 million euro for failing to adequately protect data when transferring it to the United States. Clearview received 30.5 million euro for a facial recognition database. The Dutch Tax Administration received a fine of 3.7 million euro in 2022 for unlawful processing in the childcare benefits scandal. These are cases about international data flows, prohibited technology and structurally unlawful policy.

For most organisations those amounts are neither realistic nor instructive. You do not move millions of profiles to another continent. More interesting is the layer beneath. The fines of a few hundred thousand euro, imposed on hospitals, municipalities, a university of applied sciences, a travel company. That is where the pattern that does resemble your situation sits.

The fines that do matter to you

Anyone who reads through the published fines sees three violations recurring again and again. Inadequate security of personal data, a data breach reported late or not at all, and data kept far too long. Below is a selection of fines from those categories, all in a range that a normal organisation can be hit by.

A selection of GDPR fines for avoidable data errors (AP)
Enschede municipality, excessive retention (2021) €600,000
Booking.com, data breach reported late (2021) €475,000
HagaZiekenhuis, inadequate security (2019) €460,000
UWV, data breach reported late (2021) €450,000
Transavia, inadequate security (2021) €400,000
HAN, inadequate security (2021) €175,000

Source. Fining decisions of the Autoriteit Persoonsgegevens, published on autoriteitpersoonsgegevens.nl. A selection of fines for security (Article 32), data breaches reported late (Article 33) and excessive retention (Article 5). Amounts rounded.

What stands out is how often healthcare appears in this list. HagaZiekenhuis and, in other years, the OLVG received a fine because staff could view patient records without any need to. That fits with what we saw earlier. In our analysis per sector, healthcare had already been the leader in data breaches for years. A lot of sensitive data simply means a lot of risk.

Three obligations that data hygiene touches

The fines therefore fall roughly into three categories. It is worth looking, per category, at what you can do about it yourself, and where the limit lies of what tidying up and destruction can solve.

Security of personal data (Article 32)

This is the largest group. Think of access that is too broad, missing logging, weak passwords. Part of that is purely digital and has nothing to do with paper. But part of it does. An archive cabinet left open, boxes of files in a corridor, old paper accessible to anyone who walks past. That is also a shortcoming in security. For the paper part a simple rule applies. What you no longer need no longer has to be guarded. Have it confidentially destroyed and it is no longer a risk.

Data breaches reported late or not at all (Article 33)

Several fines were not about the breach itself, but about the handling. Uber, Booking.com and UWV received a fine because a data breach was reported late. The rule is clear. You report a data breach to the Autoriteit Persoonsgegevens within 72 hours. Make sure you know how to do that before things go wrong. The full process is set out in the step-by-step plan to report a data breach within 72 hours.

Excessive retention of data (Article 5)

The GDPR asks for data minimisation. You do not keep personal data longer than necessary. Enschede municipality and Voorschoten municipality received a fine connected to this obligation. This is the category where destruction helps most directly. Once a retention period has passed, keeping data is no longer diligence but a risk. Knowing which period applies where is the first step. For that there is the cheatsheet of GDPR retention periods.

What makes a fine expensive or cheap

The size of a fine is not fixed. The Autoriteit Persoonsgegevens looks at the nature, the seriousness and the duration of the violation, at the number of people affected and at the harm they suffered. It also counts how an organisation responds. In the case of the HAN university of applied sciences, which received a fine for inadequate security after a data breach, the fine was reduced partly because of the remedial measures taken, from the base fine to 175,000 euro.

The lesson from that is sober. Acting demonstrably with care pays off, even when something does go wrong. Being able to show that you secure data properly, tidy it up on time and handle a breach correctly makes the difference between a low and a high fine. That is precisely why proof matters so much. A certificate of destruction shows that paper was destroyed at the right level and at the right moment.

What you can do in concrete terms

The fines translate into a short checklist. No expensive technology, but order.

  • Clear out what is past its period. Keeping data after the retention period is not diligence, but risk.
  • Secure the paper too. An archive cabinet and a box in the corridor fall under Article 32 just as much as a server.
  • Record retention periods. Knowing what may go when prevents both premature and late destruction.
  • Arrange your data breach process. Make sure you can file a report within 72 hours.
  • Keep proof. Certificates and a record of processing demonstrate that you act with care.

If you first want to know where the weak spots in your archive are, run through 6 signs your archive is a GDPR risk. And because most data breaches do not arise from hackers but from everyday mistakes with paper, it is worth knowing that paper is the biggest cause of data breaches.

What it costs to clear out that pile

Clearing out paper that is past its retention period is not a big investment. You pay a fixed price per box or roll container, from about 30 euro for the first box, with the certificate included. Within 20 km of Amsterdam we charge no call-out fee. Through pooled routes a fixed price is possible nationwide too. Set against a fine of a few hundred thousand euro, and the reputational damage that comes with it, that is a small price for removing an avoidable risk.

A real-world example

A medium-sized organisation goes through its own archive after reading a fining decision. In a storeroom there turn out to be boxes of personnel and client files whose retention period has long passed. Exactly the kind of data that falls under excessive retention, and that becomes a problem the moment there is an incident. The boxes are collected sealed and destroyed at the right level, with a certificate for each collection. The record of processing now shows when which documents were destroyed. Should the Autoriteit Persoonsgegevens ever come by, it takes a few minutes to demonstrate that the archive was cleared out with care. How you build up that proof is set out in demonstrable destruction for the GDPR.

Remove the avoidable risk from your archive?

Tell us how many boxes or binders are past their retention period and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate as proof for your GDPR file. No call-out fee within 20 km of Amsterdam.

Request a quote

Frequently asked questions

What is the highest GDPR fine in the Netherlands?

The highest fine from the Autoriteit Persoonsgegevens to date is the 290 million euro fine imposed on Uber in 2024, for failing to adequately protect data when transferring it to the United States. Amounts like this are exceptional and concern large, international data flows, not the situation of an average organisation.

Do I automatically get a fine after a data breach?

No. A data breach does not automatically lead to a fine. The Autoriteit Persoonsgegevens looks at whether you had suitable security, whether you reported the breach on time and what measures you took. Fines usually fall in cases of structural negligence, not for a one-off mistake that was handled properly.

Can destroying documents prevent a fine?

Not every fine. Destruction does nothing about a weak password or missing two-factor authentication. It does reduce two categories that recur in the fines. Excessive retention of data and inadequate security of paper containing personal data. What you no longer have cannot leak.

Where can I view all GDPR fines?

On the website of the Autoriteit Persoonsgegevens. The AP publishes there all fines and sanctions imposed and published since 2018, with the violation and the amount for each case.

What makes a fine higher or lower?

The Autoriteit Persoonsgegevens looks at the nature, seriousness and duration of the violation, the number of people affected and the harm suffered. Remedial measures count in your favour. In the HAN case the fine was partly for that reason reduced from the base fine to 175,000 euro.

Conclusion

The GDPR fines from the Autoriteit Persoonsgegevens read like a manual for what you had better not do. The million-euro fines are spectacular, but rare and far from your practice. The real lesson sits in the layer beneath. Again and again it comes down to inadequate security, a data breach reported late and data kept too long. Two of those three categories are entirely in your own hands. Clear out what is past its period, secure your paper too and keep the proof that you did it properly. That does not prevent a weak password, but it does remove an avoidable risk that turns up in the fine figures time and again.

See also: this analysis belongs with two earlier pieces. Paper is the biggest cause of data breaches and data breaches by sector, healthcare is in the lead. Together they show where the risk sits and what it can cost.


Remove an avoidable risk from your archive? Request a quote via desnipperaar.nl or first read how demonstrable destruction for the GDPR forms your proof. We collect the sensitive paper sealed.