
Dutch AP and the €290M Uber Fine: What the Netherlands' GDPR Enforcement Means for Your Data Stack

Dutch AP issued the EU's largest data transfer fine — €290M against Uber. BSN (Dutch SSN) requires 11-proef validation missed by 56% of tools. Dutch AP priorities: employee monitoring and automated decisions.

March 7, 2026 | 9 min read

Tags: Dutch AP, BSN detection, Uber GDPR fine, Netherlands compliance, data transfer GDPR

The Dutch Autoriteit Persoonsgegevens (AP) issued a €290 million fine against Uber in August 2024 for unauthorized EU-US data transfer of driver personal data — the largest GDPR fine for a data transfer violation in EU history. Combined with 21,400+ complaints processed in 2023, the Dutch AP has established itself as one of Europe's most consequential enforcement authorities.

The Uber Fine: What the AP Found

Uber collected personal data of Dutch and French Uber drivers — including location data, communications, identity documents, driving records, and tax information. This data was transferred to Uber's US servers without adequate transfer mechanisms.

The key findings:

  • Inadequate transfer mechanism: Uber relied on Binding Corporate Rules (BCRs) that the AP found inadequate for the volume and sensitivity of driver personal data being transferred
  • No Transfer Impact Assessment: Uber failed to conduct a TIA demonstrating that US law did not undermine the transfer protections
  • Driver data is sensitive: Location data, earnings data, and performance ratings — combined — enable comprehensive surveillance of individual drivers. The AP classified this combination as equivalent to sensitive personal data requiring heightened protection

The €290M fine is the largest single-case cross-border transfer violation fine in EU enforcement history. It establishes that data transfers of employee/contractor personal data to the US require the same rigorous TIA and supplementary measures as consumer data transfers.

Dutch AP's Enforcement Priorities in 2025

The AP has published its 2025 enforcement focus areas:

Employee monitoring (43% of cases): Remote work surveillance technology — productivity tracking, screen capture, keystroke logging, location monitoring of remote workers — remains the Dutch AP's primary enforcement target. The AP requires proportionality documentation for any employee monitoring: less intrusive alternatives must be considered and documented before implementing surveillance technology.

Cross-border data transfers (31% of cases): Post-Uber, the AP is auditing transfer mechanisms for Dutch companies with US, Asian, and non-adequate-country operations. Companies using US SaaS tools for HR, project management, or customer data must have updated TIAs.

Automated decision-making (26% of cases): Automated credit scoring, algorithm-based hiring screening, and AI-driven performance evaluation create Article 22 obligations. Dutch AP enforcement focuses on organizations that use algorithmic decisions affecting Dutch employees or consumers without adequate human review mechanisms.

The BSN: The Netherlands' Primary Identifier

The Burgerservicenummer (BSN) is the Netherlands' 9-digit citizen service number. Its integrity is checked with the Elfproef (eleven-proof) validation algorithm, a weighted-sum modulo-11 check.

The Elfproef: multiply each of the nine digits, from left to right, by a decreasing weight (9, 8, 7, 6, 5, 4, 3, 2, -1), sum the products, and the result must be divisible by 11.

The BSN is among the most legally protected identifiers in the Netherlands — the BSN Act (Wet algemene bepalingen burgerservicenummer) restricts its use to specific authorized contexts (tax, healthcare, government services, employer payroll). Organizations that process BSN outside authorized contexts face specific AP enforcement under the BSN Act in addition to GDPR.

The detection problem: 56% of generic NLP tools fail to correctly validate BSN numbers (AP technical assessment). Without an Elfproef implementation:

  • Any 9-digit number gets flagged as potential BSN — generating massive false positives in financial and administrative documents
  • Transposed or mistyped BSNs (common in manual data entry) go undetected as errors: they fail the Elfproef but still pattern-match the 9-digit format
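To make the two bullets concrete, here is an added example (not code from the original post or from any vendor) that applies the Elfproef described above to every 9-digit token in a constructed Dutch document: the invoice number is rejected as a false positive, and a BSN with two digits swapped is flagged as failing the check. The sample text and its numbers are constructed test values.

```python
import re

# Elfproef weights for the nine BSN positions, left to right; the last digit carries weight -1.
BSN_WEIGHTS = (9, 8, 7, 6, 5, 4, 3, 2, -1)


def elfproef(candidate: str) -> bool:
    """Return True if a 9-digit string passes the BSN eleven-proof.

    Eight-digit BSNs are written with a leading zero, so callers should
    zero-pad such values before validating.
    """
    if not (len(candidate) == 9 and candidate.isdigit()):
        return False
    total = sum(w * int(d) for w, d in zip(BSN_WEIGHTS, candidate))
    # "000000000" sums to 0 and would trivially pass; treat it as invalid.
    return total % 11 == 0 and total != 0


# Any 9-digit token is only a BSN *candidate*; the Elfproef decides.
NINE_DIGITS = re.compile(r"\b\d{9}\b")


def find_bsn(text: str) -> dict:
    """Split 9-digit tokens in text into validated BSNs and rejected candidates."""
    found = {"valid": [], "rejected": []}
    for m in NINE_DIGITS.finditer(text):
        token = m.group()
        found["valid" if elfproef(token) else "rejected"].append(token)
    return found


# Constructed sample document: two test BSNs, an invoice number that happens to
# have nine digits, and a BSN with two digits transposed during data entry.
SAMPLE = (
    "Werknemer BSN 111222333, factuurnummer 123456789, "
    "BSN 123456782 en een verkeerd ingevoerd BSN 112122333."
)

if __name__ == "__main__":
    result = find_bsn(SAMPLE)
    print("valid BSN:", result["valid"])    # ['111222333', '123456782']
    print("rejected:", result["rejected"])  # ['123456789', '112122333']
```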

Dutch Language NER Requirements

Dutch (Nederlands) has specific linguistic features relevant to PII detection:

Compound words: Dutch extensively compounds words — "persoonsgegevens" (personal data), "Burgerservicenummer" (citizen service number). NLP tokenizers trained on English or other analytic languages often tokenize Dutch compounds incorrectly.

Diminutives: Dutch frequently uses diminutive forms (-je, -tje endings) for names — "Annetje," "Hansje." Name recognition models must handle both base forms and diminutives.

Dutch address formats: "Straat," "Laan," "Weg," "Plein," "Gracht" for street types. Postal code format: 4 digits + 2 letters (e.g., 1234 AB). Dutch postal codes are highly specific (individual streets) — more identifying than German or British postal codes.

IBAN NL format: Dutch IBANs start with NL + 2 check digits + 4-letter bank code + 10-digit account number. The Netherlands has one of Europe's highest contactless payment penetration rates, meaning Dutch financial documents are dense with IBAN numbers.
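The address and IBAN formats above translate directly into detection rules. The following is an added example (not code from the original post) that matches Dutch postal codes and NL-format IBANs in a constructed invoice snippet and verifies each IBAN with the standard ISO 7064 mod-97 check, which the post does not mention but which every IBAN carries in its two check digits. The sample text is constructed; NL91ABNA0417164300 is the commonly published example IBAN, and the second IBAN is the same value with altered check digits.

```python
import re

# NL IBAN: "NL" + 2 check digits + 4-letter bank code + 10-digit account number,
# optionally written in groups of four separated by single spaces.
NL_IBAN = re.compile(r"\bNL\d{2} ?[A-Z]{4} ?\d{4} ?\d{4} ?\d{2}\b")
# Dutch postcode: 4 digits (no leading zero) + 2 letters; SA, SD and SS are not issued.
NL_POSTCODE = re.compile(r"\b[1-9]\d{3} ?(?!SA|SD|SS)[A-Z]{2}\b")


def iban_mod97_ok(iban: str) -> bool:
    """ISO 7064 mod-97 check shared by all IBANs: move the first four characters
    to the end, expand letters to 10..35, and the resulting integer must be 1 mod 97."""
    rotated = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rotated)  # '0'-'9' unchanged, 'A'->'10' ... 'Z'->'35'
    return int(digits) % 97 == 1


def find_nl_ibans(text: str) -> list:
    """Return each structurally matching NL IBAN with its parts and mod-97 verdict."""
    results = []
    for m in NL_IBAN.finditer(text):
        iban = m.group().replace(" ", "")
        results.append({
            "iban": iban,
            "bank_code": iban[4:8],   # e.g. ABNA
            "account": iban[8:],      # 10-digit account number
            "valid": iban_mod97_ok(iban),
        })
    return results


def find_nl_postcodes(text: str) -> list:
    """Return postal codes in 1234 AB / 1234AB form."""
    return [m.group() for m in NL_POSTCODE.finditer(text)]


# Constructed sample invoice text.
SAMPLE = (
    "Factuuradres: Keizersgracht 12, 1015 CJ Amsterdam. "
    "Betaling van NL91 ABNA 0417 1643 00 naar NL92ABNA0417164300."
)

if __name__ == "__main__":
    for hit in find_nl_ibans(SAMPLE):
        print(hit)                      # first: valid=True, second: valid=False
    print(find_nl_postcodes(SAMPLE))    # ['1015 CJ']
```

A structural match that fails mod-97 is still worth logging: in a data-entry context it is most likely a typo rather than a non-IBAN, and redaction pipelines should treat it as a candidate rather than silently drop it.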

For Dutch AP compliance: BSN detection with Elfproef validation, Dutch-language NER (spaCy nl_core_news), Dutch IBAN detection, and documented subprocessor management for cross-border transfers are the technical baseline. Post-Uber, Transfer Impact Assessments for US vendor relationships are no longer optional — they are active AP audit targets.
