NIEUWS & INSIGHTS | Capita Selecta

Naarden-Vesting, The Netherlands, March 2025

Capita Selecta Executive Search & Leadership Advisory recently spoke with Monique Verdier, Vice-Chair of the Dutch Data Protection Authority (AP). The AP defends, among other things, the human right to be ‘digitally untraceable’ and sees the concept of ‘security’ in the GDPR as essential for the future of Europe.” During the dialogue, the social objectives of the organization, her career and her personal motivations were discussed, among other things. Given the current era and the speed of international and geopolitical events, more relevant than ever.

Given current events, the Dutch Data Protection Authority (DPA) has no difficulty in demonstrating its right to exist. Is this observation correct?

Yes, you could put it that way. We see wonderful technological developments that can really help us as a society. But we also see a number of developments which have not been properly considered at the beginning, and that might have negative consequences. Sometimes the consequences are worse than the benefit one is trying to achieve.

And I'm not just talking about data protection, but also about the social consequences and costs.

The work of the DPA is relevant and urgent. And we see all kinds of things: from just developing something without taking social and personal consequences into account,

to parties who are afraid to share data at all, fearing a fine. And the latter is just as bad.

At the start of the General Data Protection Regulation (GDPR), we emphasized fines in our communications, which was new and gave us the opportunity to draw a line in the sand. In recent years, we have placed more emphasis on the values protected by the GDPR: non-discrimination, personal autonomy and freedom and verifiable and transparent power. I hope that complying with the GDPR will become a matter of course, based on an intrinsic motivation to 'do the right thing' and not only take good care of your customer, employee or citizen, but also take good care of their data. Within this entire spectrum, advice and assistance, but also sometimes corrective measures and fines, are necessary.

Two years ago we became the coordinating supervisor of Algorithms and Artificial Intelligence (AI). We contribute to the preparations for the supervision of the AI Regulation. And when using AI, careful action is even more important. The risks are greater and partly hidden. As a human being, you often do not realize that an algorithm or AI is responsible for a decision, which unfairly affects you. We started the investigation into the ´Allowance Affair´ (In Dutch: De ‘Toeslagenaffaire’) based on one complaint.

“I hope that complying with the GDPR will become an intrinsic motivation to do the right thing”

What are the most important current developments that you are focusing on?

Firstly, and in random order, the unlawful trading of data has our full attention.

Not only the large Big Tech companies use this on a large scale but also trade information agencies. A kind of 'accepted' reaction has emerged in society: 'Oh well,

they already know everything about me, and it doesn't matter to me that I receive targeted advertising.' But when your data is combined with captured bank account numbers, BSN and passport data, it is possible to take over your identity. In that case,

you will experience that personal data is valuable and vulnerable.

Obviously, AI and algorithms are of great interest to us. Because it is important to develop and apply AI safely, the DPA will soon provide an overview of tools with which

AI can be developed safely. You must think about what you are doing and what you want to achieve at every stage of the process. Already in the design phase, you have to consider the consequences of your product. And of course, this way of thinking also applies to the development phase and the final applications. In fact, with every update

of AI, a new product is created. It is therefore a continuous and repetitive process.

If you have to arrange 'something regarding privacy' when launching a product, it will take a lot of time, if it is even possible. Take it into account from the very start. You will

be able to develop faster and more safely.

In the case of the Dutch Education Implementation Service (DUO), for example,

we had to take corrective action last year. In order to detect student financing fraud among students living away from home, this executive body turned out to only focus

on the type of education, distance between addresses and age when applying algorithms. But there was no justification for that at all. It is quite obvious that you

should not treat students as possible fraudsters without a reasonable indication.

That alone was discriminatory and therefore unlawful.

This is quite a remarkable example, after the learning experiences of the assumed fraud in the so called ‘Allowances Affair’.

Yes and unfortunately there are more. Our third spearhead therefore focuses on 'digital government'. We focus most of our knowledge, skills and resources on the government because citizens always have to deal with this government. Citizens have no choice,

so the government must set a good example. It is important that everyone, but especially the government, works with as little data as possible, stores the data securely and that algorithms and AI are used carefully. And that's where things regularly go wrong. Never deriving from wrong intentions, but with certain undesirable effect. Incorrect inferences can be incorporated in the model, in the interpretation or in the omission of what we call 'meaningful human intervention'. Therefore, studying and thinking things through in advance and providing them with an ethical framework is highly desirable.

The AP started an investigation into DUO, but the violation was so obvious that we

did not wait for the report to be completed before informing the minister. Because the minister subsequently repaid the fines, it was not necessary to complete the investigation. We would rather have the damage undone than pay a fine.

I don't really understand the unlimited data hunger of organizations that want to do the right thing. Or the use of so-called 'smart' products. Simply deploying a novelty and asking for as much data as possible without thinking in advance what you really need is not cost-effective. Regardless of the question whether it is allowed. The hunger as such seems greater than the question of where the hunger comes from. “What do you really want to know and why” should be leading. And if you know something, what are you really going to do differently? I regularly receive calls saying that the GDPR is blocking meaningful developments. And when I ask further questions, we often find out that curiosity was the source, or that there was an assumption underlying the question and not a necessity. Data sharing to combat terrorism, for health and in debt counselling makes sense. But you don't have to put all Dutch people under surveillance to catch a few criminals, or know everything about someone to provide good care or assistance. Sometimes it means that we ask the legislator to change something in a law. But usually it resolves itself. It is actually remarkable that the GDPR is 'blamed' for everything. Privacy legislation has been around for a long time, but only since the GDPR has been introduced that the general public has started to pay attention to it.

What does the concept of 'legitimate interest' stand for?

In short, you may use someone's data if you have a legal basis for doing so.

The best-known basis is simply permission from the person concerned. Another possible basis is the so-called 'legitimate interest': an interest that is so great that you may infringe on people's privacy because of that interest. As fundamental rights protectors, we believed that a purely commercial interest should never count as a 'legitimate interest'. The European Court ruled against the DPA in this regard. But the Court's ruling is not a license for companies and other organizations to do anything with personal data without permission, just because they can make money with it. A commercial interest may count as a legitimate interest, but you must meet two more conditions: a necessity test and a weighing of interests. It follows from the Court's ruling that the interests of the citizen weigh heavily in these conditions. Obviously we follow the court's ruling.

Do you have sufficient technical knowledge and skills in-house?

Our work takes place in the digital world, so we have always had technology experts

in-house in addition to, for example, lawyers. In recent years, we have also hired philosophers and ethicists in order to be able to have a good conversation internally and to behave more as a thought leader regarding matters that concern society and citizens.

By this I mean that we are also involved in topics concerning the sharing of data that are allowed, but are harmful indeed. Regarding the ‘Allowances Affair’ for example, we wondered how it was possible that judges did not notice that they only had people with foreign names in front of them. We furthermore developed a perspective concerning the paying of ransoms in ransomware attacks, partly because it is no guarantee that the captured data will not be sold, but also because you maintain a system that is reprehensible.

Do you see differences in the way in which 'the market' and 'the government' deal with the subject of collecting, storing, processing and securing data?

No, but I see differences in the way 'Big Tech' deals with it versus the rest of companies and organizations. I mean 'Big Tech' and companies that make money from data trading, regardless of how they gained that data. In the Netherlands I see a lot of good will.

We do see companies and organizations that in did not carefully think about their security, and do not have the appropriate security standards in place.

How do you view 'data pollution'?

The challenges regarding contaminated data are enormous, see for example how we recently acted and warned the Ministry of Education, Culture and Science (‘OCW’) and the National Archives about the Central Archives for Special Legal Procedure (CABR), the largest war archive in the Netherlands. People who were members of the Dutch Skating Federation (NSB) can also be included in this, even though they had nothing to do with the National Socialist Movement (NSB). It is a very simple example of risky data pollution with potentially serious consequences.

Can contaminated data on the world wide web be combated?

Not by us. It isn’t in our jurisdiction either. It also seems almost impossible. You must therefore strengthen people's awareness of how they can deal with this pollution.

What used to be in an encyclopaedia was verified and therefore true, although it was almost outdated at the time of printing. If you assume that what is on the internet is correct, you will be disappointed. Media also regularly rely on the same sources.

Stay alert and think about everything you read: is this correct? Where does the information come from?

And as for the future: it is becoming increasingly important. Take ChatGPT, a wonderful tool with efficiency benefits. But see also the limitation. ChatGPT predicts the most logical sentence, regardless of reality. I have looked myself up and I am being assigned with additional positions that I do not have. Learning to think critically is of vital importance. We must put extra effort into this. I am a board member at ‘Rotterdam Vakmanstad’, a foundation that provides extra lessons at schools with children who could use something extra. One of these lessons is philosophy. It turns out that even 5-year-olds are capable of thinking things through, let's encourage that by making philosophy a compulsory part of the curriculum up to and including secondary school. Let's ensure that future generations find it normal to make ethical considerations. Choose based on values.

“The concept of 'security' in the GDPR is essential for the future of Europe.”

Is Europe leading the way when it comes to privacy protection?

Of course! The GDPR is a European law. A law that was created to protect citizens against abuse and discrimination and that defends democracy and the individual freedoms of citizens. It took a lot of time and to date, this is the most lobbied process in the EU. Fortunately, 'WikiLeaks' has really increased the attention for personal data.

The GDPR is a law with 'open standards', which places a lot of responsibility with the user. This also means that a lot of standard interpretation still needs to be developed and coordinated. The Tech world is developing quickly, so 'never a dull moment' here.

We closely monitor developments in the US, because we are dependent on American Big Tech. We are pleased that more and more people are realizing this dependency and are looking for safer alternatives.

Looking at the issues and concerns surrounding disinformation, cyber security, privacy and data collection: Where are we in terms of development?

We are at the point where the tide cannot be turned back. We can think all kinds of things about it, but it is already there. We have to learn to relate to what is there. Technological developments are moving so quickly that more and more data is becoming available and the threat arises that anonymity will in fact no longer exist.

By combining data it is easy to trace apparently anonymous data back to a person.

And while Article 17 of the GDPR has established the 'right to be forgotten'. But because data is frequently reused, it is impossible to have your data completely deleted.

The Dutch Data Protection Authority is an independent government organization that serves the 'public interest'. What does 'public leadership' mean to you?

I never really think about that. I wish to contribute to leaving a better world behind.

I want to have made a difference for people who are much less able to influence or change things. I do this for individuals and I have done this within the organizations in which I was and still am involved. The responsibility that the AP bears is great. We play an exemplary role and bear an extra great responsibility because we judge everyone, while we ourselves have dismissal protection. This is necessary from the perspective of independence, but it also requires something. One of the reasons why I hold various supervisory board positions, why I do volunteer work and coach directors: I want to keep one foot in society, feel what is going on.

In this job you have to relate to the circumstances: helping and taking measures, standing up for the interests of citizens and keeping the system workable, being accessible while having little capacity, working together and supervising and coordinating within Europe and quickly providing clarity, having the legal reality and doing the right thing. I could go on like this for a while. It is navigating and about making choices. For me, the GDPR is a tool to protect citizens in a digital world. To protect against discrimination, profiling and worse.

For me personally, 'leadership' within an organization means 'showing how it can be done'. It is not the status that you derive from your position, but from your personality and your own attitude. Making a difference for your employees, so that together you can make a difference for the citizen. Big or small is irrelevant. It is about doing the right thing, regardless of your own or political interests. Intellect, wisdom, creativity and good listening are elements that are necessary for this.

What are the qualities of a public leader?

Knowing what is going on in society, being able to understand citizens and employees, seeing the big picture, knowing where you want to go and being creative to take a new path if the chosen path turns out to be a dead end. Looking for a way, weighing and choosing. Be brave, even in the face of headwinds. With the interests of the citizen first.

When you look at where you come from and where you are today: 'What has your personal path been?

As an eighteen-year-old Mathematics student, I wanted to develop an enigma code that could not be cracked. Haha, I didn't even get close to that. The environment within the Mathematics study did not provide me with the energy and inspiration I was looking for.

I found my place within Industrial Engineering and Management: serious people, broadly interested, who also liked to party, and I was able to graduate in Mathematics. After my studies, I started at Van Leer Packaging in the Port of Rotterdam. Even though I felt great about my engineering degree, that's where I really matured. It was there that

I encountered a classic hierarchical environment for the first time. In blue overalls I was able to make some excellent improvements among the 'boys'. But afterwards I made sure that people became visible, that their opinions were asked and noticed, that they were recognized for their expertise and not for the fact that they did not have any diplomas.

Though rather unconsciously at the time, I also broke patterns in other areas. Later on I worked internationally and managed factories. It's nice to be able to see the effect of your actions in such a concrete way. When further professional growth turned out to be achieved only by working and living abroad, the Leiden University Medical Centre came on my way. A leap into the deep, but an opportunity with the substantive and interpersonal complexity I was looking for. It turned out to be fantastic with many enthusiastic people. And there was still a lot to develop in terms of business administration. For me it is important that something is meaningful. I want it to make sense that I was there. I want to leave it better than I found it. As director of the hospital in Dordrecht, I was in the wrong place. I quit there quite quickly, and then I got cancer.

After a year and a half of treatment and recovery, the Groene Hart Hospital (GHZ) in Gouda asked me to introduce ‘medical leadership’, and I later became a Director.

It is special to work in the hospital where you are being treated. At the GHZ I was given the opportunity to have additional positions. I find it fantastic to gain knowledge from different areas and share it with others. It makes my world bigger and it makes my thinking more independent. Smiling: besides, I can distribute my energy this way, so that it doesn't bother anyone.

When I was approached for vice-chairman of DPA, I looked at the head-hunter strangely because my experiences with the DPA were not positive. But because he indicated that Aleid (Wolfsen), our chairman, really wanted innovation, I started the conversation.

I am so glad that I did it! In this position all my experiences, knowledge and skills come together and I am given the space to work from my heart. I can share everything I have learned here and I learn something new every week. The DPA is a young organization,

I sometimes compare it to a scale-up. With all the pros and cons that come with it.

We are still developing and have needed time to develop as a supervisor. Here I can contribute to a safer world, express my vision on personal leadership and help build an DPA that provides value-driven supervision and shapes society. I always wonder what exactly it is about, whether it fits within our vision, whether we are consistent and whether it contributes to a safer world. People respond seriously when I indicate that everything in me screams 'no' and I have no arguments for it. Then we investigate the underlying 'feeling'. I promised myself a long time ago that I only want to work where I can be fully myself and where I have something to contribute. Then working does not cost any energy. That makes life beautiful.

Monique Verdier 'the outsider'?

(Laughing) From the age of eleven I made my own brightly coloured dresses in an era when everyone dressed in jeans. A girl at the technical university was rare at the time, an engineer on the work floor was special and an engineer on the Board of Directors of a hospital was not common either.

An outsider? It has brought me a lot. I have always had to relate to people who didn't understand me and who I didn't understand either. Then you learn to connect at a values level, so that from there you can discover why someone thinks what he thinks. Stimulate your curiosity when someone has a different opinion, instead of immediately judging.

I learned early on to put myself in the shoes of others, I realize that my truth is not the truth and I have been able to consciously fill my intuition, which has allowed me to fully trust it for years. And I experience what real freedom is.

“Go for the maximum, you will always end up in a beautiful place.”

What have been the life-defining moments or influences for you?

When I got cancer and underwent chemo, I discovered that what I wanted I could no longer do. My head stopped working. Before that, I always thought that if you wanted to, you could do anything, and I had been approaching other people in that way. This insight has softened me.

With cancer you know that you are not going to die right away. I told myself that I had to at least continue to live until the children had completed secondary school. Years later,

I suddenly realized that that moment arrived. The chemo has caused a lot of residual damage, and I became chronically ill. My left foot receives little stimulation. I can only walk by focussed thinking. From the moment that, I realized my goal was achieved.

I could walk in high heels again! As if the energy that was stuck in 'having to' was released and could be used for walking. That insight has set me free from my own 'musts' and I no longer lose energy on 'my own have to ’.

As a child I 'knew' things about people that they did not know themselves. I just said that and got strange reactions. My Indonesian grandmother wanted to protect me from this with the words: 'Don't say everything you know and don't do everything you can.' I put that 'knowing' away as a child and only found it again later. It took quite a while to come to terms with it: I wanted to 'save' people who didn't want to be saved, at least not by me, haha. I am now able to let such an insight pass by with the confidence that it will 'fall into my head' if the other person can hear it. This trust means that I am in my heart and not in my head. I use my analytical skills to unravel my feelings, making it easy for me to put my finger on the sore spot. By saying that I can solve things before they become big.

How do 'leadership' and 'sustainability' relate to each other?

For me, personal leadership applies to everyone and not just leaders. To do this sustainably, I think two things are important: the first is the effect you have on the other person. I call that 'my part of us'. As soon as there is interaction, there is a part of you and the other in what you have together. For example, if you are angry, ask yourself whether it makes sense to express that anger. If expressing it does not provide relief and you only burden the other person with it, there is no point in expressing it. You often make that assessment in a split second, and that is why it is important to realize that words have meaning and that the meaning is often different for you than for the other person. After all, there are more others than you.

Sustainable leadership is also about making your employees independent. So don't solve the problem for them, but help them realize that they can do it themselves, encourage them to show courage and investigate what works well for them.

That’s ‘sustainability’ for me.

“After all, there are more others than you.”

'Sustainability' defined as 'something that lasts'?

Yes, and for leaders: create an environment in which everyone can and may be themselves and in which everyone can develop themselves and show what they can do. An organization as a living organism that remains alive even when the leader leaves.

Sustainability from the perspective that you can pass it on to the generations to come.

What does the concept of 'wisdom' mean to you?

Sensing what is needed and realizing what is possible. Using all the knowledge, feelings and experience you have, and putting this into words in such a way that the other person can hear it. Something like that?

Looking around your room: What does 'colour' mean to you?

I really like bright colours because it emphasizes individuality. It's okay to be different. You are good just the way you are. You can show yourself. We need diversity. Embrace the differences and let's use them to work together, achieve better results and have fun. That means colour to me. It makes me happy.

Which quote would you like to end today with?

“Reach for the moon. Even if you'll miss it, you will land among the stars." Go for the maximum possible and not for a perfect result; As long as you have done the maximum that was possible at that moment, your goal has been achieved and you can be satisfied.

For me that means “If you go for the maximum, you will always end up in a beautiful place.”

About Monique Verdier

Monique Verdier has been vice chairman and member of the board of the DPA since January 1, 2019, and was reappointed for a period of 5 years with effect from January 1, 2024. Prior to her work at the DPA, Monique was active as a director, advisor and supervisor in healthcare. She was Director of Patient Care and member of the board of directors of the Goudse Groene Hart Hospital and member of the board of directors of the Albert Schweitzer Hospital in Dordrecht.

Monique works at the DPA for 3 days a week. In addition to her work as a director, she is an executive coach and gives workshops in the field of leadership and personal development.

She holds a number of additional positions, including chairman of the supervisory board at Vitalis Zorg, vice chairman of the supervisory board at CuraMare, member of the supervisory board of Spijkenisse Medisch Centrum Coöperatief U.A. and board member Rotterdam Vakmanstad. In her position at the DPA, Verdier has no involvement in research and/or decision-making about these latter organizations.

Monique Verdier studied Mathematics and Industrial Engineering in Eindhoven (1989).

The Dutch Data Protection Authority (DPA) is the independent supervisor of personal data that protects people in a digital world. The organization ensures that all people have the fundamental right to have their personal data protected, and that everyone adheres to privacy legislation. The DPA defends the human right 'to be digitally untraceable'.

The General Data Protection Regulation Implementation Act (U)GDPR defines 'personal data' as 'all information that is either directly about someone or can be indirectly traced back to this person.'

The DPA is an independent administrative body (in Dutch: ‘ZBO’) with legal personality. It carries out specific supervisory tasks, has the power to impose fines and is part of the public authority. In cooperation with other European supervisors, the DPA plays an active role in the development of European regulation.

March 2025 | Edward van den Boorn

This article was created by Capita Selecta – Executive Search & Leadership Advisory.

Capita Selecta translates organizational and strategic challenges into pragmatic and concrete personnel solutions. We advise, guide, and develop teams and individuals in alignment with the strategy and organization. Our Executive Search services identify, select, present, and support innovative and future-proof leadership and management.

Over the past 30 years, the firm has developed into a renowned partner for the recruitment and development of leaders and senior executives for national and international companies and organizations based in the Netherlands.

Capita Selecta Executive Search & Leadership Advisory gaat verhuizen.

Interview with Monique Verdier Vice chairman, Dutch Data Protection Authority (DPA)

Rein Sevenstern MSc. per October 1, 2023 Associate Partner at Capita Selecta.