Since January, substantial penalties can, under certain conditions, be imposed for breaching the Personal Data Protection Act [Wet bescherming persoonsgegevens (Wbp)]. The duty to report data breaches has also been in force since that time. This means that existing processor’s agreements had to be, or still must be, amended. Some people, however, are now under the impression that there is a penalty for not having a processor’s agreement. This impression is reinforced by the marketing material of some (legal) consultancy firms. It is not correct, however.
The obligation to enter into a processor’s agreement is set out in section 14 Wbp. Or, expressed more precisely: the obligation to record certain elements of the agreement with a processor in writing is set out in section 14 Wbp. I have set out which elements these are in a different post.
Power to impose a penalty
The power of the Dutch Data Protection Authority to impose a penalty is set out in section 66 Wbp. The penalty attracting the most attention is the penalty of a maximum of 820,000 euro per breach, set out in paragraph 2 of this section. This subsection reads as follows:
The Dutch Data Protection Authority may impose a penalty of at most the amount of the fine of the sixth category of section 23(4) of the Dutch Criminal Code in respect of the breach of the provisions of or pursuant to sections 6 up to and including 8, 9(1) and (4), 10(1), 11 up to and including 13, 16, 24, 33, 34(1), (2) and (3), 34a, 35(1) – second sentence, (2), (3) and (4), 36(2), (3) and (4), 38 up to and including 40(2) and (3), 41(2) and (3), 42(1) and (4), 76, 77 or 78(3) and (4), as well as section 5:20 General Administrative Law Act. Section 23(7) of the Dutch Criminal Code applies equally.
No reference to processor’s agreement in the penalty section
As you can see, section 66 does not refer to section 14 Wbp. There is therefore no administrative penalty for not entering into a processor’s agreement.
It is possible to impose an order subject to a periodic penalty payment
The above does not alter the fact that the Dutch Data Protection Authority can impose an order subject to a periodic penalty payment. In that case you are given a certain period of time in which you can still enter into a processor’s agreement. During this first period, you do not yet pay any fine (section 5:32a Awb). If, after this first period, you still have not entered into a processor’s agreement, you pay a specific amount for each period in which the order is not complied with (the amount and the period are set out in the order). This penalty can really mount up (but within the limits of reasonableness, see section 5:32b Awb). Of course, legal remedies can be pursued against any order subject to a periodic penalty payment that has been imposed.
Other limits on the power to impose a penalty
As you can see, there is a penalty for the breach of many (but not all) other sections of the Wbp. This does not mean that there are no limits on the power to impose a penalty. I addressed this previously on this weblog and it was further expanded upon in an article in P&I. Some nuance is therefore called for in respect of much of the information on the power to impose penalties that can be read elsewhere.
If you have questions about the processor’s agreement or the Dutch Data Protection Authority’s power to impose penalties, please do not hesitate to contact us.
By Mark Jansen