
How the Dutch DPA Decides Whether to Fine You: 2026 Enforcement Policy Explained

GDPR, Compliance

Many business owners carry a low-level anxiety about the Dutch DPA. Not because they think they are deliberately breaking the law, but because the rules feel vague and the consequences feel large. When does the AP actually come after you? And when does it not?

In 2026, that became clearer than ever before. The Autoriteit Persoonsgegevens published its enforcement policy, including priorities and how it makes decisions. That means you can now read exactly how the AP decides, what it focuses on hardest, and what you can do to reduce your risk.

This article breaks it down: how the escalation ladder works, which three areas sit at the top of the AP's list, and what you can do about it today.

What Are the AP's Enforcement Priorities in 2026?

The AP does not act at random. Its 2026 enforcement policy names three concrete priorities where the regulator is actively checking companies.

Transparency violations (Articles 12-14 GDPR)

Privacy notices that are generic, outdated, or fail to explain how data is collected indirectly. The AP expects your privacy policy to be specific: which data, why, on which legal basis, and how long you keep it. A three-paragraph boilerplate copied from the internet five years ago does not meet that standard.

Pre-consent tracking and dark patterns

Scripts loading before a visitor gives consent, a cookie banner without a visible "reject all" button, and consent UX designed to mislead visitors into accepting. This is an area where the AP already has active investigations running. The EDPB named cookies and consent as a priority in its 2026 Coordinated Enforcement Framework. Twenty-five supervisory authorities, including the AP, are actively checking companies on this right now.

Online profiling and data minimisation failures

Processing more data than necessary, profiling without a valid legal basis, and automated decision-making that is not transparently disclosed. This affects e-commerce businesses, marketing teams, and anyone tracking user behaviour for personalisation.

These three priorities are not coincidental. They align directly with what the EDPB designated as the coordinated European enforcement focus for this year. If you fall short in any of these three areas, you carry the highest risk.

How Does the Escalation Ladder Work?

Not every violation leads directly to a fine. The AP works through an escalation ladder, and most enforcement trajectories start far short of a financial penalty.

Stage 1: Fact-finding and questionnaire

The AP makes contact, asks questions, and gathers information about the situation. This stage is purely information gathering; no sanction is on the table yet. How you respond at this point has a direct effect on how the trajectory develops.

Stage 2: Warning or recommendation

Informal correction without a formal sanction. The AP explains what is wrong and what needs to change. If you take this seriously and demonstrably improve, the matter often ends here.

Stage 3: Corrective order (last onder dwangsom)

This is a binding corrective measure. You must make a change within a set deadline. If you do not, you pay a periodic amount for as long as the violation continues. This is not yet a fine for the violation already committed; it is a mechanism to compel you to fix the problem.

Stage 4: Administrative fine (bestuurlijke boete)

This is the sanction for a violation already committed. The AP uses this for serious violations, deliberate non-compliance, or when earlier measures have been ignored.

The transition between stages is not automatic. The AP weighs at each step whether escalation is proportionate. That is good news if you are genuinely working on compliance.

What Increases the Risk of a Fine?

Several factors increase the likelihood that the AP will escalate to a formal sanction. Repeated violations after a prior warning carry significant weight. If the AP has been in contact before and finds the same problems again, the probability of a fine is considerably higher than for a first-time finding.

Deliberate non-compliance is another heavily weighted criterion. There is a clear difference between an organisation that overlooked something and one that consciously chose not to follow the rules. In the second case, the AP is less inclined to work through warnings.

Large-scale data processing and special category data increase the severity of any violation. Processing health data, biometric data, or data about children raises the assessed risk. So does any situation where a large number of people are affected.

Failing to cooperate with an investigation, or not reporting known data breaches as required, are also factors the AP explicitly mentions. Cooperation is not a guarantee of leniency, but its absence makes things considerably worse.

What Reduces the Risk of a Fine?

Documented compliance effort, even if imperfect, clearly works in your favour. The AP does not only look at whether you are fully compliant; it also looks at whether you genuinely tried to be. An organisation that demonstrably worked on privacy but missed a gap stands in a much better position than one that did nothing at all.

Proactive cooperation with investigations has the same effect. Answering questions promptly, providing relevant documentation, and showing that you understand the problem gives the AP less reason to escalate.

Self-reporting incidents also counts in your favour. A data breach you report yourself, on time, is treated differently from one the AP discovers via a complaint. The first shows that you know your obligations and act on them. The second raises questions about why you did not report it yourself.

Having a formal GDPR processing register and an up-to-date privacy policy are baseline documents the AP expects to find. They do not prove full compliance, but their absence is a direct signal that privacy is not a priority.

Self-Assessment: How Well Protected Are You?

Five questions to assess your current exposure.

Is your privacy notice current, specific, and does it cover indirect data collection? A notice from three years ago that does not mention you use an analytics tool, or that does not specify the legal basis for each processing activity, does not meet the transparency requirements the AP is prioritising this year.

Does your cookie banner have a visible "reject all" button and does no script load before consent is given? Pre-consent tracking is one of the three top priorities. If you are unsure, open your own website in a private browser window and watch the network requests before you click anything. What you see there is what the AP sees too.

Do you have a processing register with all processors and legal bases documented? This is the foundation. Without this document it is difficult to demonstrate that you made deliberate choices about which data you process and why.

Have you documented how you handle data subject requests and breach notifications? Processes do not need to be perfect, but they need to exist and be demonstrably followed. If you cannot show how you handle an access request or a data breach, that is a blind spot the AP will notice.

Do you have a process for regular compliance review? Privacy is not a one-time exercise. Your systems, suppliers, and processing activities change. If there is no moment at which you periodically check whether everything is still correct, gaps will inevitably appear.

If any of these questions leave you uncertain, or if the answer is no, that is precisely where to start.

What You Can Do Now

The AP's enforcement policy makes clear where the risks are. The three priorities are not vague: transparency, cookie consent, and profiling are areas you can check and improve concretely.

ComplianceHive helps you with exactly the three areas the AP is checking in 2026: a current GDPR compliance administration, a processing register with all legal bases documented, and documented workflows for handling data subject requests. In the GDPR features of ComplianceHive, you work through the elements the AP checks first, including your privacy policy, your cookie consent, and your processing register.

Not to tick a box, but to be able to demonstrate that you are taking it seriously.


Start gaining control over your vendors and software today

Let ComplianceHive help you with ISO 27001, GDPR, vendor management, and more. No hassle, no spreadsheets, just clarity. Start now with a free 1-month trial. No credit card required, no hidden fees. Discover the Busy Hive plan and manage up to 25 tools and vendors in one overview.
