DPA Gets Power to Fine Controllers and Processors
On Monday, 24 November, a bill was sent to Parliament giving the Dutch Data Protection Authority (CBP) the power to fine controllers and processors for violations of the Dutch Personal Data Protection Act and of any other laws containing data protection rules.
Interestingly, the bill also allows the CBP to fine individual employees for failure to meet their confidentiality obligations (Art. 12 PDPA). This may be the case where employees intentionally disclose personal data to unauthorized persons, an act also punishable under criminal law, but also where employees have been grossly negligent, causing a data breach. Last but not least, the Dutch CBP (College Bescherming Persoonsgegevens) will change its name to the Personal Data Authority (Autoriteit Persoonsgegevens).