On 16 July 2019, the Dutch Data Protection Authority imposed a fine on a Dutch hospital, the ‘HagaZiekenhuis’, amounting to EUR 460,000. This was the first fine in the Netherlands since the GDPR (AVG) took effect on 25 May 2018. This fine has been mitigated to EUR 350,000 in a court ruling of the District Court of The Hague, published yesterday (15 April 2021).
In the proceedings, the hospital puts forward several reasons for undoing or mitigating the fine. The court agrees with one of the hospital’s arguments: the fine is disproportionate. The court takes the following into consideration:
- For violating article 32 of the GDPR (taking appropriate technical and organizational measures) the Authority uses a standard fine amount of EUR 310,000. The court does not consider this standard fine to be unreasonable.
- The Authority had increased the basic fine for the hospital twice, each time by EUR 75,000, hence by EUR 150,000 altogether. The Authority applied this increase given i) the nature, seriousness and duration of the infringement; and ii) the intentional/negligent nature of the infringement.
- According to the court, both fine-increasing components, ‘nature, seriousness and duration’ and ‘negligence’, are present in this case.
- However, the court finds that two increases of EUR 75,000 each, resulting in a total fine of EUR 460,000, are not proportionate. The court refers to, among others, the measures taken by the hospital, which indicate ‘willingness’ to address the problems and which ‘nuance’ the negligence. The fact that the hospital was legally obliged to take these measures does not detract from this, according to the court.
- The court rules that the Authority has not taken these components into consideration when deciding upon the fine. Therefore, it sees reason to reduce the fine by EUR 110,000, resulting in a remaining fine of EUR 350,000 (EUR 310,000 standard fine apparently increased by an amount of EUR 40,000).
This ruling leaves a great deal to be desired from a mathematical perspective. Although the court rules that an increase of the standard fine is appropriate, it does not provide any clarity on (the calculation of) the increase of EUR 40,000. This is quite disappointing. For instance, it would have been interesting to know whether the court followed the Authority’s approach of adding an amount to the standard fine twice, but used an amount lower than EUR 75,000 for both components, or whether the court applied an entirely different calculation method.
This court ruling might offer perspective for the OLVG hospital, which recently received a fine for a similar violation of the GDPR. Read more about the fine imposed on the OLVG hospital in our news item of 12 February 2021.
The decision of the Authority can be found here and the court ruling here.