Article 35c (powers Autoriteit persoonsgegevens)

• 1

  The Autoriteit persoonsgegevens has jurisdiction:

  • a.

    warning the controller or processor that the proposed processing operations are likely to violate the provisions of or under this Act;

  • b.

    impose an administrative enforcement order to enforce the provisions of or under this Act;

  • c.

    impose an administrative fine if the controller acts in violation of the provisions of or pursuant to:

    • -

      Articles 4a, 4b, 4c, 6c, 31d, 32, 33a, 33b and 36 of up to the amount of the fine of the fifth category of Article 23, fourth paragraph, of the Penal Code;

    • -

      Articles 5, 7a, 24a, 24b, 25 and 28 of up to the amount of the fine of the sixth category of Article 23, fourth paragraph, of the Penal Code;

  • d.

    provide an opinion to the controller following a prior consultation referred to in Article 33b, paragraph 1;

  • e.

    require the controller to notify a personal data breach to the data subject.

• 2

  In deciding on the imposition of an administrative fine referred to in paragraph 4 and the amount thereof, due consideration shall be given to each specific case:

  • a)

    the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects affected and the extent of the harm suffered by them;

  • b)

    the intentional or negligent nature of the infringement;

  • c)

    the measures taken by the controller or processor to mitigate the harm suffered by data subjects;

  • d)

    The extent to which the controller or processor is responsible given the technical and organizational measures it has implemented in accordance with Articles 4a and 4b;

  • e)

    previous relevant breaches by the controller or processor;

  • f)

    The extent of cooperation with the Autoriteit persoonsgegevens Authority to remedy the breach and mitigate its potential negative consequences;

  • g)

    The categories of personal data affected by the breach;

  • h)

    the manner in which the Autoriteit persoonsgegevens Authority became aware of the breach, in particular whether, and if so to what extent, the controller or processor notified the breach;

  • i.

    compliance with the measures referred to in the first paragraph, to the extent that they were previously taken with respect to the controller or processor in question with respect to the same matter.

• 3

  The effect of the decision to impose the administrative fine referred to in subsection 1(c) shall be suspended until the period for objection or appeal has expired or, if an objection or appeal has been filed, the objection or appeal has been decided.

• 4

  The powers referred to in subsection (1)(d) and (e) count as a decision within the meaning of the General Administrative Law Act.