The Dutch Data Protection Authority (AP) is unable to sufficiently check whether or not organizations comply with the strict privacy legislation. According to the AP, its annual budget must be increased by tens of millions of euros. However, outgoing Minister for Legal Protection, Sander Dekker, has already stated he will not increase the current budget. Instead, he will leave that decision to the new cabinet.
The fact that the AP is limited in its abilities does not mean it is not enforcing the law. For example, the AP recently imposed a € 15,000 fine on a maintenance company for violating the rules laid out in the General Data Protection Regulation (GDPR). The company’s absenteeism registration contained data on the health of employees. Because the names, specific health complaints and indicated signs of pain of individual employees was registered, more privacy-sensitive data was included in the absenteeism register than is permitted by law. Moreover, the absenteeism registration was accessible online without any security in place. Only authorized staff may have access to an online absenteeism registration.