Sanctions under the GDPR, the administrative fine
According to the GDPR, supervisory authorities may adopt various sanctions against and impose an administrative fine on non-compliant entities.
The Article 29 Data Protection Working Party (WP29) issued guidelines on the application and setting of administrative fines on 3 October 2017 (WP253), which provides guidance to supervisory authorities on how to impose fines.
Below you will find a Q&A concerning the most important issues about imposing an administrative fine.
1. Is it mandatory for a supervisory authority to impose a fine?
There is no such general obligation. The GDPR provides that if a supervisory authority establishes an infringement, it is required to impose appropriate sanction(s). The supervisory authority has to identify and assess the infringements individually and is required to find the most appropriate corrective measure, which may – depending on the circumstances of the infringement – lead to the imposition of an administrative fine.
Supervisory authorities are required to ensure that the fines they impose are effective, proportionate and dissuasive.
2. What factors do supervisory authorities have to take into account when imposing a fine?
The GDPR gives a list of the criteria supervisory authorities are required to include in their assessment. Such factors are as follows:
(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement (for example, if special categories of data are affected, if the person is directly identifiable);
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where certain authority measures have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct or approved certification mechanisms; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Once the supervisory authority has assessed the above factors in regard of a specific infringement, it establishes the severity level of the same and applies the sanction(s) it finds most appropriate.
3. What is the amount of the fine?
The GDPR differentiates between two main categories of infringements and links a maximum fine to each category.
On the one hand, if, for example, certain administrative tasks are not fulfilled (for example, no DPO has been designated, no DPIA has been prepared, no written data processing agreement has been concluded), the controller / processor will be subject to an administrative fine up to EUR 10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
On the other hand, if, for example, there is no valid legal basis for processing or the principles have not been observed or the rights of the data subjects are not ensured, the controller / processor will be subject to an administrative fine up to EUR 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
It is worth noting that the word “undertaking” is understood to mean an economic unit, which may include the parent company and other companies belonging to the group.
The WP29 also emphasizes in its guidelines that if a violation belonging to the first category of infringements takes place, an infringement falling under the second category may also have taken place, in which case, the higher maximum amount will apply.
4. What other sanctions (corrective measures) may a supervisory authority impose?
The GDPR gives a list of such sanctions. The supervisory authority may, for example,
- issue warnings to a controller or processor that the intended processing operations are likely to infringe the provisions of the GDPR;
- issue reprimands to a controller or a processor where processing operations have infringed the GDPR;
- order the controller or the processor to comply with the data subject's requests;
- order the controller or processor to bring its processing operations into compliance with the GDPR;
- order the controller to communicate a personal data breach to the data subject;
- impose a temporary or definitive limitation including a ban on processing;
- order the suspension of data flows to a recipient in a third country.
The WP29 encourages the supervisory authorities to take a balanced approach when using their power to impose corrective measures. A sanction by way of a fine should not be viewed as a last resort but should not be overly used either.
5. May the supervisory authority impose several sanctions at the same time?
Yes. The supervisory authority has a discretionary power to decide which sanctions it wishes to impose. The GDPR requires supervisory authorities to impose sanctions that properly reflect the infringement.
6. Will sanctions be imposed consistently throughout the European Union by the various supervisory authorities?
This is certainly one of the purposes of the GDPR.
In cross border cases, this can be achieved through the cooperation of the supervisory authorities, and through the consistency mechanism (via the European Data Protection Board).
In national cases, the supervisory authorities will be required to apply the guidelines with a view to ensuring the consistency of the application of the GDPR. The guidelines explicitly say that “it should be avoided that different corrective measures are chosen by the supervisory authorities in similar cases”.
At the same time, the WP29 adds that “the practice of applying administrative fines consistently across the European Union is an evolving art.” This is something that the supervisory authorities can reach through a continuous cooperation and exchange of information (e.g. workshops). The WP29 recommends creating a sub-group attached to the European Data Protection Board, which could support this ongoing activity.
7. May sanctions other than those specified in the GDPR be imposed?
The GDPR authorizes Member States to impose other penalties applicable to infringements of the GDPR, in particular, for infringements which are not subject to administrative fines. Thus, it is advisable to consult national law to see if other sanctions may also apply.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (firstname.lastname@example.org)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.