EU Regulation 2016/679 - Decision Register

SUPERVISORY AUTHORITY PROFILE / DUTCH AP

Dutch Autoriteit Persoonsgegevens (AP) GDPR Fines, Enforcement Record

The Netherlands' supervisory authority distinguishes itself with substantial public-sector enforcement, the Belastingdienst algorithmic-discrimination case, and the 2024 Uber €290M Chapter V fine.

Cumulative fines: ~€500M+
Largest fine: €290M (Uber 2024)
Public-sector cases: 10+ landmark
Belastingdienst fine: €3.7M (2021)
Active since: 1989 (as AP since 2016)

EDUCATIONAL ONLY

This page is a reference summary of a published regulator decision. It is not legal advice. Consult a qualified data protection lawyer for advice on your specific situation. The UK GDPR is a separate regime from the EU GDPR following Brexit. Always read the source decision in full before relying on any figure or quote.

PROFILE

Mandate and constitution

The Autoriteit Persoonsgegevens (AP) is the Dutch supervisory authority for the GDPR, established in its current form by the Uitvoeringswet Algemene Verordening Gegevensbescherming (UAVG) of 2018, the Dutch implementing statute for the GDPR. Its predecessor, the College Bescherming Persoonsgegevens (CBP), was the supervisory authority under the previous Wet Bescherming Persoonsgegevens regime. The AP is headquartered in The Hague.

Governance is by a three-member Board (Chair plus two members), appointed by the Crown on the recommendation of the Minister of Legal Protection. The Board adopts decisions and sanctions. The AP's budget is allocated by the Dutch Parliament; the authority is statutorily independent of the executive branch.

Fining philosophy and public-sector focus

The AP is distinctive among EU DPAs for the proportion of its decisions involving public-sector controllers. The Belastingdienst (Tax Authority) childcare-benefit case, the Politie (Police) facial-recognition decisions, the UWV (Employee Insurance Agency) processing decisions, and various municipal smart-city cases form a substantial part of the AP's enforcement record. The willingness to take regulatory action against fellow Dutch government agencies is a marked feature of the AP's identity.

On private-sector enforcement, the AP's pattern is a smaller number of higher-profile cases rather than the AEPD-style volume model. Fines tend to be well-reasoned and to focus on systemic processing failures (lawful basis, transparency, security architecture) rather than incidental procedural lapses. The Uber €290M fine is the largest single AP sanction and is in the upper tier of EU-wide GDPR enforcement.

The Belastingdienst case in detail

The Dutch Tax Authority case (often referred to as the Toeslagenaffaire, or benefits affair) is one of the most politically significant data-protection enforcement actions in EU history. Between 2013 and 2019, the Belastingdienst operated an algorithmic risk-assessment system in its childcare-benefit fraud detection unit (Toeslagen). The system used various indicators including the claimant's nationality and dual-nationality status to assign a fraud risk score. Claimants with non-Dutch nationality, particularly those of Turkish or Moroccan background, were systematically scored higher and subjected to more intrusive investigation, asset freezes and benefit reclaim demands.

Thousands of families were wrongly accused of fraud, with severe financial and personal consequences including bankruptcy, family separation and lasting mental-health impact. The Dutch government (Rutte III cabinet) resigned in January 2021 in part because of the affair. The Parliamentary inquiry concluded that the unjust treatment was systemic, affecting families across the country for nearly a decade.

The AP's investigation focused on the data-protection-law dimensions. The AP found that processing of nationality data for fraud-risk-scoring was unlawful under Articles 5(1)(a) (lawfulness, fairness), 5(1)(c) (data minimisation), 6 (no valid lawful basis), and 9 (no valid Article 9(2) basis for processing what was effectively special-category data on ethnic origin inferred from nationality). The AP imposed a €3.7 million fine on the Belastingdienst in December 2021. The fine is symbolic relative to the harm caused, but the AP's formal finding has become the doctrinal anchor for subsequent algorithmic-discrimination jurisprudence across the EU.

The Uber €290M decision

In August 2024, the AP imposed a €290 million fine on Uber Technologies Inc following a multi-year cross-border inquiry. The substantive finding tracks the Meta Chapter V framework: Uber had transferred personal data of European Uber drivers (including identity documents, location histories, photographs and payment information) to Uber group entities in the United States in circumstances where Standard Contractual Clauses alone did not provide essentially equivalent protection under Schrems II.

The AP's decision is notable for its detailed analysis of the driver-personal-data category. Uber drivers are not consumers in the ordinary sense; they are platform workers whose livelihood depends on the platform. The AP treated the worker dimension as an aggravating factor, on the rationale that workers have less practical capacity than ordinary consumers to refuse unlawful processing of their data without losing their income. The worker-protection framing is novel in Chapter V enforcement and is likely to influence subsequent gig-economy cases across the EU.

Recent enforcement trends

The AP's 2024-2026 priorities include algorithmic decision-making in the public sector (continuing the Belastingdienst line), platform-worker data, credit-scoring and AI-driven assessment in financial services, and connected vehicles. The AP has also been notably active on data-broker enforcement, including a 2023 decision against an unnamed data-broker for unlawful processing of telephone-marketing-list data.

FREQUENTLY ASKED

About the Dutch AP

What is the Dutch Tax Authority childcare-benefit case?
Between 2013 and 2019, the Dutch Belastingdienst (Tax and Customs Administration) used an algorithmic risk-assessment system that disproportionately flagged families with dual nationality, particularly those with Turkish or Moroccan backgrounds, as suspected fraud cases in childcare-benefit claims. Thousands of families were wrongly accused and required to repay benefits, with severe financial and personal consequences. The AP found that the Belastingdienst had processed nationality data unlawfully and discriminatorily, in violation of Articles 5, 6 and 9 GDPR, and fined the Tax Authority €3.7M in 2021.

Why is the Uber €290M fine significant?
In August 2024, the Dutch AP imposed a €290 million fine on Uber Technologies Inc for transferring personal data of European Uber drivers to the United States without a valid Article 46 transfer mechanism, following the Schrems II framework. The fine is one of the largest single GDPR fines outside the Big-Tech Irish-DPC cluster, and was issued under one-stop-shop rules with the Netherlands as lead authority because Uber's European entity is established in Amsterdam.

Does the AP enforce on Big Tech?
The AP acts as concerned authority in Irish DPC and Luxembourg CNPD inquiries against Big Tech. Independently, the AP is lead authority for any controller with main establishment in the Netherlands, which historically has included Uber, Booking.com, TomTom, ASML and others.

How does the AP differ stylistically from the DPC?
The AP is notably faster to publish detailed reasoning, more willing to engage with public-policy questions about algorithmic discrimination, and more focused on public-sector enforcement than the DPC. The Belastingdienst case illustrates this: the AP took action against a national government agency on systemic-discrimination grounds, a posture that would be unusual for many other EU DPAs.

Who heads the AP?
The AP is led by a Chair (currently Aleid Wolfsen, in office since 2016 with mandate renewed). The Chair is supported by two further Board members; the Board adopts major decisions and sanctions. The AP is headquartered in The Hague.

What other Dutch decisions are notable?
Booking.com (€475k, 2021) for late breach notification. PVV (€100k, 2022) for an unlawful Excel file shared between political activists. Various municipal-level decisions on smart-city processing. Healthcare-sector decisions including the OLVG hospital (€440k, 2021) for inadequate access controls.

CROSS-REFERENCES

Related references

RELATED CASE

Meta €1.2B (2023)

The doctrinal precedent for Chapter V enforcement, now extended in the Uber AP decision.

ARTICLES 44-49

International Transfer Enforcement

The Schrems II framework applied across DPC and AP cases.

PEER DPA

Irish DPC

Cross-border Big Tech context contrasting with the AP's Uber lead role.

ARTICLE 5

Article 5 Enforcement

Algorithmic-discrimination jurisprudence anchored by the Belastingdienst case.

PEER DPA

Germany BfDI + Länder

Federated public-sector enforcement model for comparison.

REGISTER

Full Decision Register

All major indexed GDPR fines.

SOURCES & CITATIONS

Primary sources

Figures as of May 2026. Verified against published DPA decisions.

REGISTER UPDATED 2026-04-28