On Monday, 24 November, a bill was sent to Parliament giving the Dutch Data Protection Authority (CBP) the power to fine controllers and processors for violation of the Dutch Personal Data Protection Act and any other laws containing data protection rules. In, addition, the Dutch CBP (College Bescherming Persoonsgegevens) will change its name to the Personal Data Authority (Autoriteit Persoonsgegevens).
The fine, which may be as high as 810,000 euro, adjusted periodically, may be issued for a number of specified articles in the Personal Data Protection Act.
Interestingly, the bill also allows the CBP to fine individual employees for failure to meet their confidentiality obligations (Art. 12 PDPA). This may be the case where employees intentionally disclose personal data to unauthorized persons, an act also punishable under criminal law, but also where employees have been grossly negligent causing a data breach. The bill is expected to be enacted by July 1, 2015.