The Dutch DPA Fine ICS for not conducting a DPIA

The Dutch Data Protection Authority (AP) has fined International Card Services B.V. (ICS) 150,000 euros for not conducting a required Data Protection Impact Assessment (DPIA), as mandated by the General Data Protection Regulation (GDPR). DPIAs are crucial for organizations to systematically identify and mitigate privacy risks associated with processing personal data.


DPIAs are essential for legal compliance, ensuring organizations meet GDPR requirements. They offer a proactive approach to privacy management, allowing organizations to identify, evaluate, and address potential risks before they escalate. This not only helps in preventing costly data breaches but also showcases an organization’s commitment to transparency, accountability, and responsible data processing.

DPIA Key elements

Here are several reasons why conducting DPIAs is so important:


1) Risk Identification and Mitigation:


  • DPIAs help organizations systematically identify and evaluate the risks that may arise from their data processing activities. This includes assessing the likelihood and severity of potential negative impacts on individuals’ privacy.
  • By recognizing and understanding these risks, organizations can implement appropriate measures to mitigate them, reducing the likelihood of data breaches, identity theft, or other privacy-related issues.

2) Legal Compliance:


  • GDPR requires organizations to conduct DPIAs for processing activities that are likely to result in high risks to individuals’ rights and freedoms. Failing to conduct a DPIA when required can lead to legal consequences, including fines and penalties.

3) Transparency and Accountability:


  • Performing DPIAs demonstrates an organization’s commitment to transparency and accountability in its data processing practices. It shows that the organization is proactively assessing and addressing potential privacy risks, promoting a culture of responsibility.

4) Building Trust with Stakeholders:


  • Individuals are becoming increasingly aware of the importance of privacy, and they expect organizations to handle their personal data responsibly. Conducting DPIAs helps build trust with customers, employees, and other stakeholders by showcasing a commitment to protecting their privacy.


5) Proactive Privacy Management:


  • DPIAs are a proactive tool for privacy management. Instead of reacting to privacy issues after they occur, organizations can anticipate and address potential problems in advance, minimizing the negative impact on individuals and the organization’s reputation.

6) Avoiding Costly Data Breaches:


  • Identifying and mitigating risks through DPIAs can help organizations avoid costly data breaches. The financial and reputational damage caused by a data breach can be significant, and DPIAs serve as a preventive measure to minimize such risks.

7) Continuous Improvement:


  • DPIAs are not a one-time activity; they contribute to a continuous improvement cycle. Organizations should regularly revisit and update DPIAs to account for changes in processing activities, technology, or regulations, ensuring ongoing compliance and effectiveness.

In summary, conducting DPIAs is a proactive and essential practice for organizations to meet legal requirements, protect individuals’ privacy, build trust, and avoid the negative consequences associated with privacy breaches. It is a foundational element of a robust privacy management framework in today’s data-driven landscape.


Does your organization need to conduct any DPIAs or do you have any questions on this topic? Contact us, the Experts in Data Privacy at for assistance.