Municipality of Hilversum – €25,000 Fine (Netherlands, 2026)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Hilversum. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up measures against Salafist and ideological threats to the democratic legal order posed by Islamic radicals. One of these measures was a robust local approach to tackling radicalisation and travel to jihadist conflict areas. Municipalities played a central role in these measures but found that they lacked sufficient insight into Islamic communities. This resulted in some municipalities, including the controller, using an external research agency to collect the necessary data. The agency then used the so-called force field analysis method to map out social structures and key figures. This data processing took place without a sufficient legal basis, particularly as the processing focused on religious and political beliefs, and therefore on special category data.