The Article 29 Data Protection Working Party recently issued guidelines on fines for the purposes of the General Data Protection Regulation (‘GDPR’).
Article 83(1) of the GDPR states that supervisory authorities should identify corrective measures that are “effective, proportionate and dissuasive”. Article 83(2) is the starting point for assessing a case for the purpose of imposing a corrective measure. The guidelines assess the criteria in Article 83(2) and state the following:
(1) Where a fine has been chosen as one, or one of, several appropriate measures, the tiering system will be applied in order to identify the maximum fine that can be imposed according to the infringement.
(2) Where the breach does not impose a significant risk to the data subject a fine may (but not always) be replaced by a reprimand.
(3) Breaches that fall in the lower tier (2%, or up to 10 million Euros) might end up qualifying for the higher tier (4%, or up to 20 million Euros) in certain circumstances (for example where there have been previous breaches).
(4) The number of data subjects should be assessed to identify if the breach is an isolated event, or symptomatic of a more systemic breach, or of inadequate security routines.
(5) When assessing the purpose of processing, the supervisory authority should consider purpose specification and compatible use.
(6) The duration of an infringement may indicate willful conduct by the data controller, failure to take appropriate preventative measures, or an inability to apply appropriate technical and organizational measures.
(7) Intent includes both knowledge and willfulness in relation to the characteristics of the offence. For example: unlawful processing explicitly authorised by top management, disregard of advice from the Data Protection Officer, or disregard for existing policies.
(8) Past experience under the 95/46/EC Directive has shown that it can be appropriate to give some flexibility to those controllers and processors who have admitted infringements and taken responsibility to limit the consequences.
(9) The supervisory authority must consider the extent that the controller “did what it could be expected to do” given the nature, the purposes or the size of the processing under the obligations of the GDPR. Best practice and industry standards will be taken into account in making this assessment.
(10) Where the controller merely fulfills its obligation to notify the supervisory authority of a personal data breach this is not to be interpreted as an attenuating or mitigating factor.
(11) It is unlikely to be a minor infringement where a controller has acted carelessly without notifying the supervisory authority, or who has not notified all the details of the infringement because of a poor assessment.
(12) Where a controller or processor adhere to an approved code of conduct, and where those in charge of the code administer appropriate action against a member, the supervisory authority may not impose additional measures.
(13) Information about profit obtained as a result of a breach may be particularly important, as a fine will most likely be necessary where a profit is made to adequately compensate for the breach.
The guidelines can be downloaded here from the European Commission’s website.
If you would like any further information or advice, I can be contacted at: firstname.lastname@example.org