WP29 Guidelines on Administrative Fines under the GDPR
Posted in: Supplementary Articles NI on 10 November 2017
Readers will be aware that large fines (up to €20m or 4% of global turnover) may be levied for data breaches after May 25th 2018 as a result of the implementation of the GDPR.
Readers should also be aware that fines (up to €10m or 2% of global turnover) may be levied for administrative breaches, such as failing to appoint a mandatory Data Protection Officer, where required.
Fines have been common in some EU jurisdictions for many years but have not been applied in others. How might consistency between EU Member States be achieved from May 2018?
The Article 29 Working Party (the advisory body comprised of a representative from the data authorities from each EU Member State) has adopted draft guidelines on issuing administrative fines. The powers of supervisory authorities are outlined in Article 58 of the Regulation and the assessment criteria are provided for in Article 83. The provisions of Article 58 stipulate the tools supervisory authorities may employ to address infringement or non-compliance from a data controller or processor.
Imposition of ‘Equivalent Sanctions’
Supervisory authorities must ensure consistency in their use of corrective powers, and in the application of administrative fines in particular. Equivalent sanctions in all Member States, as well as effective cooperation between supervisory authorities of different Member States, are seen as a way “to prevent divergences hampering the free movement of personal data within the internal market”. In cross-border cases, consistency shall be achieved primarily through the cooperation mechanism and the consistency mechanism set forth by the new Regulation.
Effective, Proportionate and Dissuasive
Administrative fines should adequately respond to the nature, gravity and consequences of the breach and supervisory authorities should assess all the facts of the case in a manner that is consistent and objectively justified. The assessment as to what is effective, proportionate and dissuasive will be linked to the objective pursued by the corrective measure, whether it is to re-establish compliance with the rules or as a punitive measure for unlawful behaviour.
Each Individual Case
Article 83 of the Regulation provides a harmonised approach to breaches of obligations expressly listed in paras (4)-(6). The Regulation requires assessment of each case individually… “when deciding whether (our emphasis) to impose an administrative fine, and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following…”
This must include consideration of the corrective measures, including imposition of a fine, either accompanying a corrective measure or on its own. Supervisory authorities are encouraged to use a considered and balanced approach in their use of corrective measures, in order to achieve both an effective and dissuasive as well as a proportionate reaction to the breach.
Active Participation and Information Exchange
The decisions in which the supervisory authorities exercise their fining powers conferred to them will be subject to appeal before national courts. Supervisory authorities shall cooperate with each other and where relevant, with the European Commission through the cooperation mechanisms as set out in the Regulation in order to support formal and informal information exchanges.
Article 83(2) provides a list of criteria that the supervisory authorities are expected to use in assessing whether a fine should be imposed and the amount of the fine. Supervisory authorities are advised to consider the nature, gravity and duration of the infringement. If the breach is deemed a ‘minor infringement’ it may be possible to replace the fine with a reprimand following a concrete assessment of all the circumstances of the case. A breach may constitute a minor infringement if it does not pose a significant risk to the rights of the data subjects concerned and does not affect the essence of the obligation in question. A fine may also be replaced where the data controller is a ‘natural person’ and the fine likely to be imposed would constitute a disproportionate burden. Does this imply that a fine MUST be imposed where the infringement is not considered insignificant or does not involve an individual?
Specific infringements are not given a specific price tag in the Regulation, only a cap:
“The scope, purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them” will be indicative of the gravity of the infringement.
The number of data subjects involved should be assessed in order to identify whether this is an isolated event or indicative of a more systemic breach or lack of adequate routines in place. The purpose of the processing must also be assessed, and if the data subjects have suffered damage, the level of the damage has to be taken into consideration.
Duration of the infringement may be illustrative of:
a) Wilful conduct on the data controller’s part, or
b) Failure to take appropriate preventive measures, or
c) Inability to put in place the required technical and organisational measures.
Intentional breaches, demonstrating contempt for the provisions of the law, are more severe than unintentional ones and therefore may be more likely to warrant the application of an administrative fine.
Data controllers and processors have an obligation to implement technical and organisational measures to ensure a level of security appropriate to the risk, to carry out data protection impact assessments and mitigate risks.
If the entity has adopted measures to reduce the consequences of the breach, this will be taken into account by the supervisory authority in their choice of corrective measures.
Supervisory authorities will also assess the track record of the entity and whether it has committed infringements in the past. They will also take into account the level of cooperation in an attempt to remedy the infringement and mitigate the possible adverse effects, and consider whether there are any aggravating or mitigating factors pertaining to the circumstances of the case, for example any financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Other guidelines include: