Last updated 2026-05-29


Dutch AP: €290M Uber Fine & Transfers

The Dutch AP issued the EU's largest individual data transfer fine — €290M against Uber in 2024. Here's what cross-border transfer compliance requires for.

May 29, 2026 · 7 minute read

The Dutch AP and the Uber Fine

In August 2024, the Dutch AP fined Uber €290 million. Uber sent EU driver data to US servers with no legal basis. That data included taxi licenses, criminal checks, medical records, and travel logs.

Uber moved the data after Schrems II struck down the EU-US Privacy Shield in July 2020. It kept those transfers running for two years. No Standard Contractual Clauses. No Article 46 tool of any kind.

This fine is the EU's largest for a data transfer breach. It ranks third among all GDPR fines ever. Transfer failures, not just data breaches, now carry huge costs.

See our GDPR conformance guide for a quick overview.

AP Enforcement Priority Areas

The Dutch AP received over 21,400 complaints in 2023. It focuses on three areas.

Priority 1 — Worker monitoring (43% of cases): Many Netherlands firms have faced AP fines for watching their staff. Hidden cameras, bulk email checks, and GPS tracking without notice all trigger action. Dutch labor law adds extra rules on top of GDPR.

Priority 2 — Cross-border transfers (31% of cases): After the Uber fine and a joint probe with Ireland's DPC on Cloudflare (2023), the AP stepped up transfer oversight. Amsterdam's tech sector faces high risk here. Cloud firms, fintech, and fast-growth startups are all in scope.

Priority 3 — Marketing and profiling (26% of cases): This covers cookie consent, ad targeting, and direct marketing. The AP takes a strict view of "legitimate interest." It requires written tests with clear evidence.

Transfer Rules After Uber

Transfer Impact Assessments (TIAs): The EDPB requires a TIA for every transfer to a third country. The TIA must show that the destination gives protection equal to that under EU law. The AP says a TIA must answer four questions:

  • What are the access laws in the destination country?
  • How far can the spy agencies reach?
  • What is the track record of government requests to the data importer?
  • What legal remedies can data subjects use?

Standard Contractual Clauses — not enough on their own: SCCs alone do not satisfy Article 46. If the TIA shows government access risk, extra safeguards are required.

Extra technical measures the AP accepts:

  • Encryption where the importer has no access to decryption keys
  • Removing direct IDs before transfer so the importer cannot link the data back to a person
  • Data reduction before transfer, cutting fields the importer does not need
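One way to apply the last two measures before a record leaves the EU, shown as an added example rather than code from this page or any vendor. The field names, the allow-list, and the use of HMAC-SHA256 as the pseudonymisation function are assumptions, and the sample record is constructed.

```python
import hashlib
import hmac

# Hypothetical schema: field names and the allow-list are assumptions for this example.
DIRECT_ID_FIELD = "driver_id"
IMPORTER_FIELDS = ("city", "trip_count", "account_status")

# Constructed sample record, not real data.
SAMPLE_RECORD = {
    "driver_id": "NL-000123",
    "full_name": "Jan Jansen",
    "taxi_license": "TX-4481-B",
    "medical_note": "cleared 2023-04",
    "city": "Amsterdam",
    "trip_count": 412,
    "account_status": "active",
}


def pseudonym(direct_id: str, exporter_key: bytes) -> str:
    """Keyed HMAC-SHA256 token. Without exporter_key the importer cannot
    recompute it from a known ID, so the key must stay with the exporter."""
    return hmac.new(exporter_key, direct_id.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_for_transfer(record: dict, exporter_key: bytes) -> dict:
    """Data reduction plus direct-ID removal: allow-listed fields only,
    with the direct identifier replaced by its keyed pseudonym."""
    payload = {"subject_ref": pseudonym(record[DIRECT_ID_FIELD], exporter_key)}
    payload.update({f: record[f] for f in IMPORTER_FIELDS if f in record})
    return payload


def find_leaks(record: dict, payload: dict) -> list:
    """Names of withheld fields whose raw value still appears in the payload."""
    sent = [str(v) for v in payload.values()]
    withheld = [f for f in record if f not in IMPORTER_FIELDS]
    return sorted(f for f in withheld if any(str(record[f]) in s for s in sent))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: generated and stored by the exporter only
    out = prepare_for_transfer(SAMPLE_RECORD, key)
    print(out, find_leaks(SAMPLE_RECORD, out))
```

The fields that remain can still act as quasi-identifiers in combination, so the allow-list itself belongs in the TIA record.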

The offline Desktop App runs all work on your device. It sends no data outside. This removes the transfer issue for that activity. See our security and compliance overview.

Employee Data and Dutch Labor Law

The AP's 43% focus on worker monitoring shows how GDPR and Dutch labor law overlap.

Three rules apply for Netherlands-based organizations:

Works council sign-off: A company with a works council must get its approval before rolling out any monitoring tool. This covers AI tools, email checks, and attendance systems.

Fit for purpose: Monitoring must match its stated goal. Hidden monitoring is not allowed. Open monitoring must be the least intrusive option.

Purpose limitation: HR data collected for one goal cannot be used for another. A new legal basis is needed.

These rules require three records: the council sign-off, the purpose check, and the controls. Our compliance checklist covers all three.

Netherlands PII Detection

PII tools in the Netherlands must handle local ID formats. Standard global tools often miss them:

  • BSN (Burgerservicenummer): 9-digit Dutch national ID, requires checksum validation
  • IBAN (NL prefix): Dutch IBAN with its own validation logic
  • Postal code (postcode): Format is 4 digits + space + 2 letters
  • DigiD: Government digital identity code
  • Healthcare numbers: BGZ and EP formats for patient records

A generic tool may catch IBAN but miss the BSN checksum or postcode format. Test BSN detection before you process national identity data. Do not assume coverage.
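A small reference checker for three of the formats above, added here as an example and not taken from this page or any product. It applies the BSN elfproef, the IBAN mod-97 check, and the postcode pattern; the sample text is constructed, NL91ABNA0417164300 is a widely used documentation IBAN, and accepting a postcode without the space is an assumption.

```python
import re

BSN_WEIGHTS = (9, 8, 7, 6, 5, 4, 3, 2, -1)
BSN_RE = re.compile(r"\b\d{9}\b")
# Assumption: accept the postcode with or without the space, upper-case letters only.
POSTCODE_RE = re.compile(r"\b[1-9]\d{3} ?[A-Z]{2}\b")
# NL IBAN: "NL", 2 check digits, 4-letter bank code, 10 digits; optional grouping spaces.
IBAN_RE = re.compile(r"\bNL\d{2} ?[A-Z]{4}(?: ?\d){10}\b")


def is_valid_bsn(candidate: str) -> bool:
    """Elfproef (11-test): the weighted digit sum must be a non-zero multiple of 11."""
    if not re.fullmatch(r"\d{9}", candidate):
        return False
    total = sum(w * int(d) for w, d in zip(BSN_WEIGHTS, candidate))
    return total != 0 and total % 11 == 0


def is_valid_nl_iban(candidate: str) -> bool:
    """IBAN mod-97 check: move the first 4 chars to the end, map A-Z to 10-35."""
    iban = candidate.replace(" ", "").upper()
    if not re.fullmatch(r"NL\d{2}[A-Z]{4}\d{10}", iban):
        return False
    digits = "".join(str(int(ch, 36)) for ch in iban[4:] + iban[:4])
    return int(digits) % 97 == 1


def find_dutch_pii(text: str) -> list:
    """Return (entity_type, normalised_value) for every candidate that validates."""
    hits = [("BSN", m.group()) for m in BSN_RE.finditer(text) if is_valid_bsn(m.group())]
    hits += [("POSTCODE", m.group()) for m in POSTCODE_RE.finditer(text)]
    hits += [("IBAN", m.group().replace(" ", "")) for m in IBAN_RE.finditer(text)
             if is_valid_nl_iban(m.group())]
    return hits


# Constructed Dutch-language sample; 123456789 is a 9-digit number that fails the elfproef.
SAMPLE = ("Uw BSN 111222333 is geregistreerd. Referentie 123456789. "
          "Adres: Voorbeeldstraat 1, 1012 LG Amsterdam. "
          "Rekening: NL91 ABNA 0417 1643 00.")

if __name__ == "__main__":
    for entity, value in find_dutch_pii(SAMPLE):
        print(entity, value)
```

Running a PII tool over the same sample and comparing its hits with this output shows whether it validates the BSN checksum or only matches nine digits.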

Steps for Netherlands Organizations

1. Transfer audit: List all data flows to third countries. Review SCCs in place. Run TIAs for key flows. Record extra technical measures where a TIA flags risk.

2. Worker monitoring review: List all monitoring tools, including AI. Check works council sign-off records. Confirm purpose checks exist in writing.

3. PII coverage check: Test BSN, postcode, and IBAN detection in your PII tools. Test accuracy on Dutch-language documents.

4. Tech sector exposure: Startups should record choices that cut transfer risk — EU-region cloud and local processing options. Cloud providers with EU-US setups should document their transfer tools and TIA approach.


anonym.legal uses EU-based Hetzner data centers with zero-knowledge design. The server never sees your plain-text content. A full server breach yields only AES-256-GCM ciphertext. Need local-only processing? The Desktop App runs entirely on your device with no external connections.
