Wednesday, March 11, 2026

GDPR Fine Slashed: Dutch Court Demands Better Reasoning from Data Watchdog

The Bottom Line

  • Regulator fines can be successfully challenged. This ruling shows that courts will scrutinize the proportionality and reasoning behind a penalty, not just the existence of a violation.
  • Legacy systems are a major compliance risk. The “state-of-the-art” security standard is a moving target, requiring continuous review and investment, not a one-off assessment at implementation.
  • A strong legal strategy must target the regulator’s process. Exposing flaws in how a fine was calculated can be as effective as arguing against the underlying violation itself.

The Details

This case involved a significant administrative fine levied by the Dutch Data Protection Authority (DPA) against a tech company for allegedly insufficient data security measures under the GDPR. The company had suffered a data breach, which the DPA attributed to outdated encryption protocols on one of its legacy platforms. The DPA argued this was a clear violation of the GDPR’s requirement to implement “state-of-the-art” technical and organisational measures, and imposed a substantial penalty.

The company challenged the fine, arguing on two main fronts. First, they contended that the security measures were indeed “state-of-the-art” at the time the system was originally developed. Second, and more critically, they argued that the DPA’s fine was disproportionate and that the regulator had failed to adequately consider the company’s mitigating factors, including their cooperative stance post-breach and the significant cost of overhauling the legacy system.

The District Court delivered a nuanced judgment that serves as a crucial check on regulatory power. While the court agreed with the DPA on the substantive issue—that “state-of-the-art” is a dynamic standard that requires ongoing updates—it sided with the company regarding the penalty. The court found that the DPA had not provided a sufficiently transparent or compelling justification for the specific amount of the fine. It ruled that a regulator cannot simply point to a violation and a maximum penalty range; it must clearly articulate how it weighed all relevant circumstances. The fine was therefore significantly reduced, sending a clear message that the regulator’s decision-making process is just as important as the violation it seeks to punish.

Source

Rechtbank Zeeland-West-Brabant

Frankie
Frankie is the co-founder and "Chief Thinker" behind this newsletter. Where others might get lost in the noise of the digital world, Frankie finds clarity in the analog. He believes the best ideas don't come from a screen, but from quiet contemplation, deep reading, and the space to think without distraction.