Aphaia Blog editor Vasiliki Antoniadou explores GDPR administrative fines that businesses can expect based on WP29 guidelines.
GDPR gives the supervisory authorities the power to impose administrative fines under two different maximum amounts, depending on the severity of the data breach. Under the GDPR administrative fines rules, for instance, an infringement of the basic principles of processing or of the rules on international transfers may incur a fine of up to 20.000.000 euros / 4% of the annual global turnover, while failure to maintain written records may incur a fine of up to 10.000.000 euros / 2% of the annual global turnover.
Each suspected breach should be assessed individually by the supervisory authority, and the need for an administrative fine should be examined on a case-by-case basis. However, the supervisory authorities are required to cooperate in order to ensure consistent implementation of the regulation and to apply equivalent sanctions.
In this spirit, the future European Data Protection Board and the national supervisory authorities are expected to follow the recently published guidelines of the Article 29 Data Protection Working Party (WP29). In particular, the guidelines analyse the multiple criteria set out by GDPR for assessing whether an administrative fine is suitable and, where applicable, the amount of the fine.
As a general principle, the corrective measures should be “effective, proportionate and dissuasive”. If a minor infringement takes place that is believed not to pose a significant risk to the rights of the data subjects, the fine may be replaced with a reprimand. Conversely, a breach that seemingly falls under the lower cap of administrative fines may receive a higher fine due to, for instance, failure to comply with a previous order.
Moreover, the intentional or negligent nature of the breach is also taken into account for assessment purposes, with an intentional breach receiving a stricter sanction. Similarly, the fine is more likely to be higher in cases where the number of data subjects affected is large, the duration of the breach is long or the damage caused is great.
Processor’s or Controller’s responsible action
Notably, the degree of responsibility of the processor / controller before and after the breach is fundamental for the imposition and, subsequently, the calculation of the fine.
In particular, the authorities will evaluate to what extent the controller “did what it could be expected to do” prior to the infringement. Were technical and organisational measures adopted, and were appropriate data protection policies and routines implemented? Previous data protection breaches are also of importance, since they may indicate general indifference towards the norms and a lack of awareness.
After the infringement has occurred, a timely and effective reaction by the controller / processor that stops the breach and limits the related damage will be taken into consideration. On the other hand, failure to notify the supervisory authority of the breach and to cooperate with it will have adverse effects.
In addition, adherence to codes of conduct or approved certification mechanisms contributes to a higher level of responsibility and accountability. One should note, though, that the actions imposed by the code community could be deemed sufficient for GDPR compliance by the authorities.