The Netherlands
Municipality of Tilburg
GDPR enforcement action by Dutch Supervisory Authority for Data Protection (AP) on 2026-02-03.
Case details
- Authority
- Dutch Supervisory Authority for Data Protection (AP)
- Date
- 2026-02-03
- Controller / Processor
- Municipality of Tilburg
- Sector
- Public Sector and Education
- Quoted Articles
- Art. 6 (1) GDPR, Art. 9 GDPR
- Type of violation
- Insufficient legal basis for data processing
Summary
The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Tilburg. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up measures against Salafist and ideological threats to the democratic legal order posed by Islamic radicals. One of these measures was a robust local approach to tackling radicalisation and travel to jihadist conflict areas. Municipalities played a central role in these measures but found that they lacked sufficient insight into Islamic communities. This resulted in some municipalities, including the controller, using an external research agency to collect the necessary data. The agency then used the so-called force field analysis method to map out social structures and key figures. This data processing took place without a sufficient legal basis, particularly as the processing focused on religious and political beliefs, and therefore on special category data.
Related fines