GDPR Fines in the Netherlands: Real Cases and What They Cost

Steven | TrustYourWebsite · 6 April 2026

The GDPR has been enforceable since May 2018. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has spent years building its enforcement capacity. In 2024 and 2025 that translated into real fines — not just warnings.

The maximum penalty under the GDPR is €20 million or 4% of global annual turnover, whichever is higher. The AP rarely goes straight to the maximum. But it does fine, and the amounts are rising.

The Biggest Dutch GDPR Fines

Uber — €290 million (2024)

The AP issued a €290 million fine against Uber in 2024 for transferring European driver data to US servers without adequate safeguards. Uber used internal data transfer mechanisms that did not meet the requirements of the GDPR for international data transfers. This is the largest fine ever issued by the AP.

Uber — €10 million (2023)

A year before the transfer fine, Uber received a €10 million fine for failing to provide drivers with adequate information about how their personal data was being processed. Drivers had no clear way to exercise their rights under Articles 13 and 14 of the GDPR.

TikTok — €750,000 (2023)

The AP fined TikTok €750,000 for providing its privacy notice in English only — not in Dutch — to Dutch child users. Young users could not understand what data was being collected and why. The language of the privacy notice must be understandable to the target audience.

Booking.com — €475,000 (2021)

Booking.com was fined €475,000 for reporting a data breach 22 days late to the AP. The GDPR requires breach notification within 72 hours. Booking.com reported a breach affecting 4,109 customers — including passport copies and credit card data — but waited three weeks.

Transavia — €400,000 (2020)

The Dutch airline Transavia received a €400,000 fine for failing to adequately secure personal data. A cyberattack exposed data of 83,000 passengers. The AP found that Transavia had not implemented appropriate technical and organizational security measures as required by Article 32 of the GDPR.

AS Watson / Kruidvat — €600,000 → €50,000 (2024)

The AP issued a €600,000 fine to Kruidvat for placing tracking cookies before visitors gave consent, and for using pre-ticked consent boxes. After appeal, the fine was reduced to €50,000, but the violation itself was upheld. Kruidvat had to restructure its cookie banner.

Coolblue — €40,000 (2024)

Coolblue was fined €40,000 for the same type of violation: pre-ticked cookie consent boxes and automatically accepting cookies when users clicked "continue." The AP ruled this did not constitute valid consent under the GDPR.

Municipality of Enschede — €600,000 (2021)

The municipality of Enschede received a €600,000 fine for tracking pedestrians in the city centre via WiFi signals. The system logged MAC addresses without consent. The AP ruled that MAC addresses are personal data even when not linked to a name. A court overturned the fine in 2024 on procedural grounds, but the AP's underlying interpretation — that MAC address tracking requires a legal basis — stands.

Since 2024, the AP has a dedicated budget of €500,000 per year for cookie enforcement. The target is 500 warning letters per year.

In April 2025, the AP sent warning letters to more than 200 websites — online retailers, media companies, and insurers — for cookie banners that lacked a real reject option or that loaded tracking scripts before consent. About three-quarters adjusted their banners within the deadline. The rest face formal investigation.

The most common violations that triggered letters:

  • Reject button harder to find than the accept button
  • No reject option at all
  • Tracking scripts loading before any banner is shown
  • Pre-ticked consent checkboxes
  • Cookie walls (requiring consent to access the website)

Read more in our guide on cookie banner requirements for Dutch websites and the AP warning letter on cookie banners.

How the AP Determines Fine Amounts

The AP uses a fine framework published in its fine policy (boetebeleidsregels). Factors that raise or lower a fine:

  • Number of people affected — the more data subjects, the higher the fine
  • Nature of the data — special category data (health, religion, biometrics) triggers higher penalties
  • Duration — violations that have been ongoing for years are treated more seriously
  • Intent or negligence — deliberate violations are fined more heavily than accidental ones
  • Prior warnings — ignoring a previous AP warning is an aggravating factor
  • Cooperation — actively cooperating with the AP investigation is a mitigating factor

For small businesses with few customers and limited impact, the AP often starts with a warning letter. But once a warning is issued and not acted upon, a formal investigation and fine follow automatically.

The Three Violations Most Likely to Affect Your Business

1. Tracking without valid consent

Installing Google Analytics, Facebook Pixel, or similar tools and letting them run without a proper consent mechanism is the violation the AP actively scans for. Compliance requires:

  • A cookie banner where reject is as easy as accept
  • No tracking scripts loading before consent
  • No pre-ticked boxes
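
A static self-check for two of these requirements, added here as an example (not TrustYourWebsite's scanner or the AP's method): it parses the HTML a first-time visitor receives and reports tracker scripts that would run before consent and checkboxes that arrive pre-ticked. The host list, the type="text/plain" blocking convention, and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, non-exhaustive tracker hosts for illustration; extend for your own stack.
TRACKER_HOSTS = ("googletagmanager.com", "google-analytics.com", "connect.facebook.net")

class ConsentAudit(HTMLParser):
    """Flags tracker scripts and pre-ticked checkboxes in HTML served before consent."""

    def __init__(self):
        super().__init__()
        self.trackers, self.preticked = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            host = urlparse(a.get("src") or "").hostname or ""
            known = any(host == h or host.endswith("." + h) for h in TRACKER_HOSTS)
            # Assumption: the consent manager parks blocked scripts as type="text/plain",
            # which browsers do not execute until the type is rewritten after opt-in.
            parked = (a.get("type") or "").lower() == "text/plain"
            if known and not parked:
                self.trackers.append(host)
        elif tag == "input" and (a.get("type") or "").lower() == "checkbox":
            # Assumption: a disabled, ticked box is the always-on "necessary" category.
            if "checked" in a and "disabled" not in a:
                self.preticked.append(a.get("name") or a.get("id") or "(unnamed)")

def audit(html):
    """Return the findings for one HTML document as a dict of two lists."""
    parser = ConsentAudit()
    parser.feed(html)
    parser.close()
    return {"pre_consent_trackers": parser.trackers, "preticked_boxes": parser.preticked}

# Constructed sample: the first response a new visitor would receive.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain" src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
</head><body><form id="cookie-banner">
<input type="checkbox" name="necessary" checked disabled>
<input type="checkbox" name="analytics" checked>
<input type="checkbox" name="marketing">
</form></body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_HTML))
```

This only inspects the served HTML. Scripts injected later by a tag manager do not appear in it, so confirm the result with a network capture from a fresh browser profile before any banner interaction.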

2. Late data breach reporting

If a data breach affects personal data and poses a risk to individuals, you must notify the AP within 72 hours. Many businesses miss this deadline because they are unaware of the requirement or cannot quickly assess whether a breach is notifiable. Read our data breach reporting guide for the decision tree.

3. Inadequate privacy notice

Your website must have a privacy notice that tells users what data you collect, why, on what legal basis, how long you keep it, and who you share it with. Missing this entirely, or having one that does not cover the services on your website, violates Articles 13 and 14.

What This Means for Small Businesses

The GDPR maximum is theoretical. In practice, the AP calibrates fines to the size and circumstances of the business. But "small" is not a defence — it just changes the amount.

More immediately relevant to small businesses: GDPR violations can result in claims from data subjects (under Article 82), complaints to the AP that trigger audits, and reputational damage. None of these require the AP to initiate enforcement.

The most effective approach is prevention. A proper cookie banner, a compliant privacy notice, and a documented process for data breach reporting together address the three most common violations. Read our GDPR compliance checklist for Dutch businesses to see where you stand.


This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.
