AP
Autoriteit Persoonsgegevens
Consistent and sector-focused enforcement body.
18 months
Healthcare, Finance, Public sector
Enforcement Cases (6)
Clearview AI Inc.
technology
Clearview AI built a facial recognition database of over 30 billion photographs scraped from the internet — including images of Dutch residents — without any lawful basis, consent, or transparency, violating GDPR Arts. 5, 6, 9, and 14. The AP also issued a personal liability warning to Clearview's directors, noting the company had ignored prior enforcement actions by EU counterparts in France, Italy, Greece, and the UK. Clearview was additionally ordered to cease all processing of Dutch residents' data and to delete existing records.
€30.5M
Uber Technologies Inc.
technology
Uber transferred personal data of European drivers — including location data, photos, payment details, and taxi licence information — to the US without adequate GDPR Chapter V transfer safeguards after the Privacy Shield invalidation. The Dutch AP, acting as lead supervisory authority following complaints filed by the French drivers' rights association LLLM, found that Uber's Standard Contractual Clauses were not correctly implemented in practice and that no supplementary measures addressed US government surveillance risks. This remains the largest ever GDPR fine for unlawful international data transfers.
€290M
Netflix International B.V.
technology
Netflix failed to adequately inform subscribers about how their personal data was processed between 2018 and 2020, violating GDPR Arts. 13 and 14 transparency obligations. Netflix's privacy statements did not clearly explain which data was collected, for what purpose, how long it was retained, or with which third parties it was shared. The AP led the investigation as Netflix's EU headquarters are in Amsterdam, with the inquiry initiated following coordinated NOYB complaints filed across multiple EU jurisdictions.
€4.8M
Transavia Airlines C.V.
cybersecurity
Transavia Airlines suffered a 2019 data breach in which hackers compromised employee login credentials and accessed the personal data — names, dates of birth, and flight reservation details — of approximately 25,000 passengers and crew members. The AP found Transavia had failed to implement multi-factor authentication on employee systems with access to passenger records, a standalone violation of GDPR Art. 32 independent of the breach itself. The absence of this basic control was found to have directly enabled the compromise.
€400,000
Haga Ziekenhuis
cybersecurity
Haga Ziekenhuis (Hague Academic Hospital) failed to implement adequate access controls and audit logging for electronic patient records, violating GDPR Art. 32 and Dutch medical confidentiality obligations. The AP's investigation, triggered by media reports that dozens of hospital staff had unlawfully accessed the records of a high-profile patient without clinical justification, found systemic failures in role-based access controls and alert mechanisms. The hospital was ordered to implement corrective measures within four months under threat of additional periodic penalties.
€460,000
Booking.com B.V.
cybersecurity
Booking.com failed to report a personal data breach to the AP within the mandatory 72-hour window under GDPR Art. 33, delaying notification by more than three weeks. In late 2018, fraudsters using phishing attacks against hotel partners compromised employee accounts and accessed the personal and payment card data of approximately 40,000 customers. The AP found Booking.com's internal escalation procedures failed to trigger timely regulatory reporting and that customers were also not promptly informed.
€475,000