The EU Commission has expressed concerns about the Dutch data protection authority’s strict interpretation of “legitimate interests”, considering it to be “not in line with the GDPR, the guidelines of the Article 29 Working Party/EDPB and the case law of the European Court of Justice (CJEU)”. Those concerns focus on guidance issued by the Autoriteit

The Dutch Data Protection Authority (Dutch DPA) has issued fixed and periodic fines to a government ministry over its lack of security measures and transparency about who it shares personal data with, while the Danish Data Protection Agency (Danish DPA) has issued fines to a national bank for its lack of documentation on the deletion of personal data.