EU DATA PROTECTION AUTHORITIES — LANDSCAPE¶
OWNER: julian
UPDATED: 2026-03-24
SCOPE: EU DPA landscape, Dutch AP as GE's primary authority, enforcement trends, complaint handling
SERVES: julian (compliance officer), amber (auditor)
ALSO_USED_BY: aimee (client scoping — jurisdiction awareness), margot (client communication)
GE'S_PRIMARY_DPA¶
AUTORITEIT_PERSOONSGEGEVENS (AP)¶
FULL_NAME: Autoriteit Persoonsgegevens
ENGLISH: Dutch Data Protection Authority
WEBSITE: autoriteitpersoonsgegevens.nl
HEADQUARTERS: The Hague, Netherlands
JURISDICTION_OVER_GE: GE is established in the Netherlands → AP is lead supervisory authority
RULE: even if GE processes data of individuals in other EU member states, AP is the LEAD authority under the one-stop-shop mechanism (Art. 56 GDPR)
CONTACT:
- General: via website contact form
- Breach notification: https://datalekken.autoriteitpersoonsgegevens.nl
- Complaints: https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/gebruik-uw-privacyrechten/klacht-melden-bij-de-ap
- DPO registration: https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-europese-privacywetgeving/functionaris-voor-de-gegevensbescherming-fg
AP_ENFORCEMENT_POWERS¶
INVESTIGATIVE_POWERS (Art. 58(1)):
- Order controller/processor to provide any information required
- Carry out investigations (data protection audits)
- Obtain access to premises
- Obtain access to any personal data and information
CORRECTIVE_POWERS (Art. 58(2)):
- Issue warnings
- Issue reprimands
- Order compliance (fulfill data subject requests, bring processing into compliance)
- Impose temporary or permanent processing ban
- Order rectification, restriction, or erasure of data
- Impose administrative fines (Art. 83)
FINE_RANGES:
- Category 1 (Art. 83(4)): up to EUR 10M or 2% of global annual turnover, whichever is higher — for controller/processor obligations
- Category 2 (Art. 83(5)): up to EUR 20M or 4% of global annual turnover, whichever is higher — for basic principles, data subject rights, transfers
- Category 3 (Art. 83(6)): up to EUR 20M or 4% of global annual turnover, whichever is higher — for failure to comply with an AP order
AP_ENFORCEMENT_TRENDS_AND_PRIORITIES¶
CURRENT_FOCUS_AREAS (2025-2026)¶
BASED ON: AP annual plan, enforcement decisions, public statements
ONLINE_TRACKING:
- Cookie enforcement remains priority
- Focus on dark patterns in consent banners
- Cross-border enforcement via EDPB task force
- TREND: increasing fines for non-compliant cookie walls
GE_RELEVANCE: every client website project must have compliant cookie consent
DATA_TRADING:
- Focus on data brokers and advertising technology
- Transparency about data sharing with third parties
GE_RELEVANCE: low direct relevance, but client projects must not facilitate non-compliant data trading
CHILDREN'S_DATA:
- Heightened protection for minors' data online
- Age verification requirements
GE_RELEVANCE: if client product targets or may be used by children, enhanced privacy measures required
AI_AND_AUTOMATED_DECISION-MAKING:
- AP increasingly scrutinizing algorithmic systems
- Focus on automated decision-making transparency (Art. 22)
- Coordination with AI Act enforcement (AP designated as AI Act supervisory authority for non-high-risk)
GE_RELEVANCE: HIGH — GE is AI-native, must demonstrate Art. 22 compliance and AI transparency
GOVERNMENT_SECTOR:
- AP actively investigating government data processing (SyRI case legacy)
- Discriminatory profiling a priority topic
GE_RELEVANCE: if building for government clients, heightened scrutiny expected
RECENT_NOTABLE_FINES (Netherlands)¶
UBER_2024: EUR 290M
- Transferring EU driver data to US without adequate safeguards
- Relied on SCCs without sufficient supplementary measures
GE_LESSON: never transfer personal data to US without verified DPF certification or robust SCCs + TIA
CLEARVIEW_AI_2024: EUR 30.5M
- Illegal facial recognition database from scraped photos
- Processing without lawful basis, no transparency
GE_LESSON: web scraping of personal data is extremely high-risk
TAXATION_AUTHORITY (BELASTINGDIENST): multiple investigations
- Discriminatory profiling in fraud detection (toeslagenaffaire)
GE_LESSON: automated decision-making systems must be fair, transparent, and contestable
ENFORCEMENT_TREND_ANALYSIS¶
TRAJECTORY: fines increasing in size and frequency across EU
CROSS_BORDER: one-stop-shop mechanism means AP may enforce on behalf of other DPAs (and vice versa)
COOPERATION: AP participates in EDPB enforcement task forces
BINDING_DECISIONS: EDPB binding decisions resolve disagreements between DPAs
COMPLAINT-DRIVEN: many investigations triggered by NOYB and similar advocacy organizations
PROACTIVE: AP also initiates own investigations based on sector-wide assessments
CROSS-BORDER_COOPERATION_MECHANISM (Art. 56-76)¶
ONE-STOP-SHOP (Art. 56)¶
HOW_IT_WORKS:
1. GE established in Netherlands → AP is lead supervisory authority
2. IF GE processes data of individuals in other member states THEN AP coordinates with concerned DPAs
3. Lead DPA (AP) makes draft decision → shares with concerned DPAs → 4-week objection period
4. IF no objections → decision adopted
5. IF objections → attempt to reach consensus → if no consensus → EDPB binding decision (Art. 65)
GE_BENEFIT: single point of contact for cross-border processing
GE_RISK: concerned DPAs can trigger stricter enforcement via EDPB
CONCERNED_DPAs¶
IF GE builds product for German client with German end-users:
- AP remains lead authority (GE establishment)
- BfDI or state DPA (Germany) is concerned DPA
- Both coordinate under one-stop-shop
IF GE builds product for French client:
- AP leads, CNIL is concerned
- French data subjects can also complain to CNIL
RULE: GE should always identify which DPAs may be concerned per client project
RULE: julian maintains register of projects with cross-border processing
KEY_EU_DATA_PROTECTION_AUTHORITIES¶
TIER_1 — MOST_ACTIVE_ENFORCERS¶
CNIL (France):
- Commission Nationale de l'Informatique et des Libertés
- Very active, large fines (Google EUR 150M, Amazon EUR 746M)
- Strong on cookie enforcement and privacy-by-design
- Published practical GDPR guidance widely referenced across EU
IRISH_DPC (Ireland):
- Data Protection Commission
- Lead DPA for many tech giants (Meta, Google, Apple, Microsoft — HQ in Ireland)
- Criticized for slow enforcement, improved under EDPB pressure
- Large fines: Meta EUR 1.2B (international transfers)
GE_RELEVANCE: if client uses Irish-headquartered tech services, DPC decisions relevant
BFDI (Germany):
- Bundesbeauftragter für den Datenschutz (federal level)
- Plus 16 state DPAs (Landesdatenschutzbeauftragte)
- Very strict on employee data processing
- Strong technical guidance
GE_RELEVANCE: German clients may have heightened data protection expectations
AEPD (Spain):
- Agencia Española de Protección de Datos
- High volume of enforcement decisions
- Strong on cookie compliance and video surveillance
GARANTE (Italy):
- Garante per la protezione dei dati personali
- First to ban ChatGPT (temporarily, 2023)
- Active on AI and automated processing
GE_RELEVANCE: Italian approach to AI regulation may preview broader EU trends
TIER_2 — NOTABLE_AUTHORITIES¶
ICO (UK):
- Information Commissioner's Office
- Post-Brexit, UK GDPR separate but similar
- Strong guidance resources widely used globally
- UK AI regulation diverging from EU (principles-based approach)
NOTE: UK not EU but UK GDPR still relevant for UK-targeting clients
EDPB (European level):
- European Data Protection Board
- NOT a DPA — coordination body of all EU DPAs
- Issues guidelines, recommendations, binding decisions
- CRITICAL: EDPB guidelines are de facto law (DPAs follow them)
- Key guidelines: consent, legitimate interest, DPO, international transfers, DPIA
GE_RELEVANCE: EDPB guidelines should be treated as binding requirements
COMPLAINT_HANDLING_PROCEDURES¶
DATA_SUBJECT_COMPLAINT_TO_AP¶
IF data subject complains to AP about GE's processing:
STEP_1: AP receives complaint, assesses admissibility
STEP_2: AP may contact GE for information (Art. 58(1)(a))
STEP_3: GE must respond within AP's specified timeframe (typically 4-6 weeks)
STEP_4: AP assesses compliance, may investigate further
STEP_5: AP decides — dismiss complaint, issue warning, order compliance, impose fine
GE_RESPONSE_PROCEDURE:
1. Julian receives AP inquiry
2. Julian assesses and gathers evidence
3. Response drafted by julian, reviewed by dirk-jan
4. Response submitted within deadline
5. Document everything in complaint register
6. IF deficiency found → immediate corrective action
RULE: NEVER ignore or delay response to AP inquiry
RULE: be cooperative and transparent — obstruction is a separate violation
DIRECT_COMPLAINT_TO_GE¶
IF data subject contacts GE directly:
1. Acknowledge receipt within 48 hours
2. Classify: is this a DSR (data subject rights request) or a complaint?
3. IF DSR → handle per data subject rights procedure (gdpr-implementation.md)
4. IF complaint → investigate, respond within 1 month
5. IF cannot resolve → inform data subject of right to complain to AP
6. Log in complaint register regardless of outcome
ENFORCEMENT_DEFENSE_STRATEGIES¶
WHAT_REDUCES_FINES (Art. 83(2) factors)¶
MITIGATING_FACTORS:
- Nature, gravity, and duration of infringement (contained quickly = better)
- Intentional or negligent (negligent = lower fines than intentional)
- Actions taken to mitigate damage to data subjects
- Degree of responsibility (technical and organizational measures in place)
- Previous infringements (clean record = better)
- Cooperation with DPA (full and immediate cooperation)
- Categories of personal data affected (non-sensitive = lower risk)
- Manner in which infringement became known (self-reported = better)
- Adherence to approved codes of conduct or certification (ISO 27001 helps)
GE_ADVANTAGES:
- ISO 27001 certification demonstrates organizational measures
- SOC 2 Type II demonstrates operational effectiveness
- Automated evidence collection demonstrates proactive compliance
- Constitution and agent controls demonstrate privacy by design
- Self-reporting capability via breach notification procedure
WHAT_INCREASES_FINES¶
AGGRAVATING_FACTORS:
- Intentional violation
- Previous warnings/reprimands ignored
- Failure to cooperate with AP
- Financial benefit gained from violation
- Large number of data subjects affected
- Cross-border processing without proper safeguards
- Special category data involved
GE_RISKS:
- AI-driven processing may be seen as inherently higher risk
- Multi-model architecture = complex supply chain (sub-processor management critical)
- High change velocity = higher risk of configuration errors
AP_REPORTING_OBLIGATIONS¶
BREACH_NOTIFICATION (Art. 33)¶
WHERE: AP online breach notification portal
WHEN: within 72 hours of becoming aware
SEE_ALSO: gdpr-implementation.md BREACH_NOTIFICATION section
DPO_REGISTRATION (Art. 37(7))¶
IF GE appoints a DPO THEN register with AP
CURRENTLY: GE has julian as compliance officer (not formally DPO)
RULE: DPO mandatory IF core activities consist of regular and systematic monitoring of data subjects on a large scale, OR core activities consist of large-scale processing of special categories
GE_ASSESSMENT: GE's core activity is software development, not data processing → DPO not mandatory but recommended as scale grows
DPIA_PRIOR_CONSULTATION (Art. 36)¶
IF DPIA shows high residual risk that cannot be mitigated THEN consult AP before processing
TIMELINE: AP has 8 weeks to respond (extendable by 6 weeks)
SUBMIT: via AP consultation request procedure
ROPA_AVAILABILITY (Art. 30(4))¶
REQUIREMENT: make ROPA available to AP on request
FORMAT: structured, searchable, current
GE_IMPLEMENTATION: ROPA exportable from PostgreSQL in machine-readable format
CROSS_FRAMEWORK_DPA_ROLES¶
AP_AND_AI_ACT¶
AP designated as market surveillance authority for AI Act (non-high-risk AI systems) in Netherlands
IMPLICATION: AP will enforce BOTH GDPR AND AI Act for AI systems that process personal data
GE_RELEVANCE: single authority for both GDPR and AI Act compliance
AP_AND_NIS2¶
Dutch implementation (Cyberbeveiligingswet) will designate sector-specific authorities
AP role in NIS2: limited, but data protection aspects of incidents may involve AP
IMPLICATION: a single incident could trigger reporting to BOTH NIS2 authority AND AP
EDPS (European Data Protection Supervisor)¶
SCOPE: supervises EU institutions (not private companies)
RELEVANCE: issues guidance that influences DPA interpretation
ROLE_IN_AI_ACT: advisory role on AI systems used by EU institutions
DPA_MONITORING_CHECKLIST_FOR_JULIAN¶
WEEKLY¶
- Check AP news and enforcement decisions (autoriteitpersoonsgegevens.nl/nl/actueel)
- Check EDPB news and adopted guidelines (edpb.europa.eu)
- Monitor NOYB complaints (noyb.eu) for industry-relevant cases
MONTHLY¶
- Review AP enforcement trends for relevance to GE
- Update DPA contact register if personnel changes
- Review any pending AP consultations or inquiries
QUARTERLY¶
- Review EDPB guidelines adopted in quarter for impact on GE
- Update compliance posture based on enforcement trends
- Brief dirk-jan on regulatory developments at management review
ANNUALLY¶
- Review all DPA decisions from major authorities for pattern changes
- Update regulatory register with new precedents
- Review and update cross-border processing register
- Verify AP breach notification portal access and procedure
SEE_ALSO: gdpr-implementation.md, eu-ai-act.md, iso27001-overview.md, compliance-automation.md
READ_ALSO: domains/eu-regulation/index.md, domains/privacy/index.md