The Autoriteit Persoonsgegevens (AP) fined Uber €290 million in August 2024. The fine was for sending driver data to US servers without a valid transfer agreement. No GDPR case has produced a larger fine for a cross-border transfer. The AP also handled over 21,400 complaints in 2023. That makes it one of Europe's busiest data regulators.
What the AP Found in the Uber Case
Uber gathered data from drivers in the Netherlands and France. The data covered location history, identity documents, pay records, driving records, and tax files. All of it moved to US servers. The AP ruled the transfer method was not valid.
Three findings drove the decision:
- Weak transfer method: Uber used Binding Corporate Rules (BCRs). The AP found these did not cover the scope or sensitivity of the driver data involved.
- No Transfer Impact Assessment (TIA): Uber did not show that US law left the agreed transfer protections in place.
- Sensitive data by combination: Location data, pay, and performance scores together give a detailed picture of each driver. The AP treated this mix as equivalent to sensitive personal data.
The Uber case sets a clear rule. Staff and contractor data sent to the US needs the same TIA and extra measures as consumer data does.
AP Enforcement Focus Areas for 2025
Updated for 2026
The AP has named three areas it is watching closely in 2025.
Staff monitoring: Remote-work tracking tools are the top target. This includes productivity logs, screen capture, keystroke tracking, and remote location tools. Before deploying any such tool, companies must record why they rejected less intrusive options.
Cross-border data transfers: After the Uber ruling, the AP is checking transfer methods. Companies that rely on US, Asian, or other non-adequate-country services are in scope. Any company using US software tools for HR, project work, or customer data must have a current TIA on file.
Automated decisions: AI credit scoring, hiring filters, and performance systems trigger Article 22 duties. The AP targets organizations that make automated decisions without a real human review step. Workers and consumers must both be covered.
The BSN: A Protected National Identifier
The Burgerservicenummer (BSN) is a 9-digit ID number used in the Netherlands. It is validated using the Elfproef (eleven-proof) check. To run the check: multiply the first eight digits by weights 9 down to 2 and the ninth digit by −1, add the results, and confirm the total divides evenly by 11.
The BSN Act (Wet algemene bepalingen burgerservicenummer) limits BSN use to specific legal contexts. These are: tax, healthcare, government, and employer payroll. Using a BSN outside those contexts triggers BSN Act enforcement. GDPR liability applies on top of that.
Why generic tools miss BSNs: Many NLP tools do not include the Elfproef check. Without it, any 9-digit string gets flagged as a possible BSN. That creates false alarms in finance and admin documents. Mistyped BSNs are also missed. They fail the check but still look like a valid pattern. See our guide to EU national tax ID and PII detection for a full comparison across European ID formats.
NER for Dutch Text
Dutch (Nederlands) has features that trip up models trained on English.
Compound words: Dutch joins words together. Persoonsgegevens (personal data) and Burgerservicenummer (citizen ID number) are each a single word. Models built for English often split them at the wrong point. That breaks entity detection.
Name endings: The -je and -tje suffixes appear in first names — Annetje, Hansje. Name models need to handle both the base form and the short form.
Address formats: Street types include Straat, Laan, Weg, Plein, and Gracht. Postal codes use four digits plus two letters (example: 1234 AB). Each code maps to a single street, so it reveals more than most European postal codes do.
IBAN format: Dutch IBANs are 18 characters: NL + 2 check digits + 4-letter bank code + 10-digit account number. The country has high card payment use. Financial documents carry many IBANs as a result. For confidence-scoring methods across ID types, see binary PII detection and confidence scoring.
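As an added example (not code from this page or from any vendor it mentions), the sketch below pairs pattern matching with checksum validation for the BSN and Dutch IBAN formats described above, so pattern-only hits can be separated from checksum-confirmed ones. The function names, the sample text, the all-zero rejection, and the use of the standard ISO 13616 mod-97 IBAN check are assumptions of the example.

```python
import re

# Elfproef weights: 9..2 for the first eight digits, -1 for the ninth.
BSN_WEIGHTS = (9, 8, 7, 6, 5, 4, 3, 2, -1)
# Exactly nine ASCII digits, not embedded in a longer digit run.
BSN_CANDIDATE = re.compile(r"(?<![0-9])[0-9]{9}(?![0-9])")
# NL + 2 check digits + 4-letter bank code + 10-digit account number,
# with optional spaces as printed on statements.
IBAN_CANDIDATE = re.compile(r"\bNL[0-9]{2}\s?[A-Z]{4}(?:\s?[0-9]){10}\b")


def is_valid_bsn(candidate: str) -> bool:
    """Elfproef: the weighted digit sum must be a multiple of 11."""
    if not re.fullmatch(r"[0-9]{9}", candidate):
        return False
    if candidate == "000000000":
        return False  # assumption: all-zero filler is not treated as a BSN
    total = sum(int(d) * w for d, w in zip(candidate, BSN_WEIGHTS))
    return total % 11 == 0


def is_valid_nl_iban(candidate: str) -> bool:
    """ISO 13616 mod-97 check, restricted to the Dutch layout."""
    iban = re.sub(r"\s", "", candidate).upper()
    if not re.fullmatch(r"NL[0-9]{2}[A-Z]{4}[0-9]{10}", iban):
        return False
    rearranged = iban[4:] + iban[:4]  # country code + check digits go last
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


def scan(text: str) -> list[tuple[str, str, bool]]:
    """Return (kind, matched text, checksum_ok) for every pattern hit."""
    hits = [("IBAN", m.group(), is_valid_nl_iban(m.group()))
            for m in IBAN_CANDIDATE.finditer(text)]
    hits += [("BSN", m.group(), is_valid_bsn(m.group()))
             for m in BSN_CANDIDATE.finditer(text)]
    return hits


# Constructed sample text; the numbers are test values for this example.
SAMPLE = ("Factuur 204857613 voor werknemer met BSN 111222333 "
          "(eerder getypt als 111222334). Rekening: NL91 ABNA 0417 1643 00.")

if __name__ == "__main__":
    for kind, value, ok in scan(SAMPLE):
        print(f"{kind:4} {value:24} {'checksum ok' if ok else 'pattern only'}")
```

Hits with `checksum_ok` set to false are the invoice number and the mistyped BSN: both match the 9-digit pattern, and only the Elfproef tells them apart from the valid number.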
Technical Checklist for AP Compliance
To meet the AP's current standards, data systems need:
- BSN detection with Elfproef — pattern matching alone is not enough
- Dutch-language NER — a model such as spaCy nl_core_news handles compounds and short-form names
- IBAN detection — format-aware, not generic
- Subprocessor records for all cross-border transfers
- TIAs for US vendors — a live AP audit priority after the Uber ruling
Post-Uber, a TIA for US vendors is a baseline requirement, not a best practice. For a full breakdown of the ruling and its transfer implications, see AP Uber fine and cross-border transfer enforcement.