On 25 May 2018, many EU countries were not ready for the implementation of the GDPR, despite having had two years to prepare. As you can imagine, many in the private sector are not prepared either. This article therefore explores which provisions, if breached, are treated as serious and attract the higher administrative fine, to give a starting point to the entities that are running against the clock.
TYPES OF PENALTIES
The GDPR provides different types of sanctions in case of non-compliance. The assessment of what is effective, proportionate and dissuasive in each case will also have to reflect the objective pursued by the corrective measure chosen by the Data Protection Authority (DPA), that is either to re-establish compliance with the rules or to punish unlawful behaviour (or both).
-
WARNING – Art. 58 (2) (a)
Where processing operations are likely to infringe the Regulation, a warning can be issued.
-
REPRIMAND – Art. 58 (2) (b)
In case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, the DPA has the option to issue a reprimand instead of a fine.
-
SUSPENSION OF DATA PROCESSING – Art. 58 (2) (f)
In case of an infringement, the DPA can impose a temporary or definitive ban on processing, without prejudice to the application of other corrective measures and/or an administrative fine.
-
SUSPENSION OF DATA FLOW – Art. 58 (2) (j)
In case of an infringement, the DPA can impose the suspension of data flows to a recipient in a third country or to an international organisation, without prejudice to the application of other corrective measures and/or an administrative fine.
-
ADMINISTRATIVE FINES – Art. 83
The Regulation prescribes two different maximum amounts of administrative fine:
- Lower fine: up to 10 million Euros or in case of an undertaking, up to 2% of the total annual worldwide turnover of the preceding financial year, whichever is higher; and,
- Higher fine: up to 20 million Euros or in case of an undertaking, up to 4% of the total annual worldwide turnover of the preceding financial year, whichever is higher.
Lower Administrative Fine – Art. 83(4)
Failure to meet the following obligations falls into this category:
- The obligations of the Data Controller and Data Processor as stipulated in the following articles:
Article 8: Conditions applicable to child consent
Article 11: Processing which does not require identification
Article 25: Data Protection by design and by default
Article 39: Tasks of the Data Protection Officer
Article 42: Certification
Article 43: Certification Bodies
- The obligations of the Certification Body as stipulated in the following articles:
Article 42: Certification
Article 43: Certification Bodies
- The obligations of the Monitoring Body as stipulated in article 41 (4):
“(…) shall, subject to the appropriate safeguards, take the appropriate action in case of infringement of the code by the controller or processor, including suspension or exclusion of the controller or processor concerned from the code (…)”
Higher Administrative Fine – Art. 83(5)(6)
Failure to meet the following obligations falls into this category:
- The basic principles for processing, including conditions for consent, pursuant to the following articles:
Article 5: Principles relating to the processing of personal data
Article 6: Lawfulness of Processing
Article 7: Conditions for Consent
Article 9: Processing of special categories of personal data
- The Data Subject’s Rights, pursuant to articles 12 to 22
- The Transfer of Personal Data to a recipient in a third country or an international organisation, pursuant to articles 44 to 49
- Any obligation pursuant to a Member State law adopted under Chapter IX: Provisions relating to specific processing situations e.g. processing and freedom of expression and information, processing in the context of employment, and others.
- Non-compliance with an order of a temporary or definitive limitation of processing or the suspension of data flows issued by the DPA pursuant to article 58(2), or failure to provide access in violation of article 58(1).
- Non-compliance with an order by the DPA as referred to in article 58(2) is, in line with the determination criteria, subject to the Higher Administrative Fine.
KEY POINTS:
- The DPA shall ensure that in each case the measure is effective, proportionate and dissuasive. For that, it must follow the determination criteria set out in article 83 (2) GDPR.
- Article 58 GDPR provides some guidance as to which measures the DPA might choose, in accordance with the purpose. Some of the measures may even be cumulated, but this is not mandatory.
- An administrative fine can be imposed either alongside a corrective measure (Article 58) or on its own.
- Member State law may allow for or even mandate the imposition of a fine for infringement of other provisions than those mentioned in Art. 83 (4) and (6) GDPR.
- It should be noted that breaches attracting the lower fine, as set out in article 83 (4) GDPR, might end up qualifying for the higher fine in certain circumstances, e.g. where a breach has previously been addressed by the DPA and the controller or processor failed to comply with the resulting order.
- In line with Recital 149 GDPR, “the Member States should be able to lay down the rules on criminal penalties for infringements of the GDPR, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation.” This is allowed, as far as it does not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.
- For the definition of an “undertaking”, the notion developed by the CJEU for the purposes of the application of articles 101 and 102 TFEU should be noted. An undertaking is understood to mean an economic unit, which may be formed by the parent company and all involved subsidiaries. Moreover, in line with Recital 150 GDPR, an undertaking must be understood to be the economic unit which engages in commercial/economic activities, regardless of the legal person involved.
- DPAs shall ensure a uniform application of fines. For that, they should use the consistency mechanism in line with Article 63 GDPR.
To sum up, if you are running against the clock, it is advisable to first remedy the obligations that, by their nature, are sanctioned with the higher administrative fine if breached, such as the Principles for the Processing of Personal Data, Data Subjects’ Rights and Transborder Data Flows. Best of luck!
Jessica Lam