On September 1, 2016, the Bavarian Data Protection Authority (BayLDA) issued a brief paper outlining the basic principles of the future sanction regime under the European General Data Protection Regulation (GDPR). The document is available at the following link: https://www.lda.bayern.de/media/baylda_ds-gvo_7_sanctions.pdf (German-language only).
The GDPR will become effective on May 25, 2018, after a transition period of two years. European supervisory authorities are currently working to achieve a more uniform view of the new basis and requirements for data protection at the European level. In the meantime, the BayLDA plans to periodically publish papers such as this one on selected topics. The BayLDA explicitly notes that the paper is not a binding interpretation of the regulation.
Amount and Scope of Administrative Violations and Fines Increased
According to the GDPR, administrative fines shall be effective, proportionate and dissuasive. Some infringements are subject to administrative fines of up to 20 million EUR or 4% of the organization’s total annual global turnover.
Further, as explained with reference to the “economic enterprise concept” in the explanatory memorandum of the Treaty on the Functioning of the European Union (recital 150), if the sanctioned entity is part of an “undertaking,” the total annual turnover of the entire undertaking is the relevant basis on which the 4% fine is calculated, not just the annual turnover of the specific sanctioned entity (i.e., the individual controller or processor). Please see our post of July 26, 2016 titled “EU: GDPR – Group revenues at risk of fines” for more information on the meaning of an “undertaking.”
The GDPR provides for a significantly wider range of offences than does the current German Federal Data Protection Law (BDSG). Under the GDPR, violation of the vast majority of provisions regulating data controllers and processors is subject to a fine. The GDPR provisions regarding administrative fines demonstrate the European Commission’s (EC’s) intention to provide for financial sanctions for data protection infringements and to enable severe sanctions if necessary. Exceptions should exist only for minor infringements and when a fine would be disproportionately burdensome.
The GDPR imposes fines on both controllers and processors. In addition, accredited certification bodies under Article 43 of the GDPR, which are responsible for properly assessing and certifying compliance by data controllers and processors with data protection regulation and organizational codes of conduct, may be subject to administrative fines due to breach of their obligations.
According to the BayLDA, it can be assumed that organizations may be held responsible for violations committed by their employees. However, the GDPR does not regulate the extent to which fines may be imposed on employees themselves. This issue remains unclear.
Fines Imposed for Violations of Technical and Organizational Measures
In an important change from the BDSG, the GDPR provides that violations of the duty to take appropriate and adequate technical and organizational measures to protect personal data are an administrative offense subject to fines. Also significant is the fact that the GDPR sets out fines for violations of the obligation to ensure implementation of the principles of privacy by design and privacy by default. These changes underscore the great value the EC places on the importance of technical and organizational measures and the principles of privacy by design and privacy by default for effective data protection.
Factors Influencing the Amount of Fines
According to the EC, a number of factors must be considered when determining the amount of fines. Previous breaches of data protection law should be considered an aggravating factor. The extent to which the controller or processor cooperated with the supervisory data protection authority should be considered. Further, if the controller or processor gives the supervisory authority incomplete or inaccurate information during the course of an investigation, this should be considered an aggravating factor, as recognized by the European Court of Justice in the field of competition law.
As stated by the EC, the GDPR is intended to lead to a uniform application of sanctions in Europe. In the future, the European Data Protection Board may develop relevant guidelines.
All organizations operating as either a data controller or processor in any EU member state should be aware of the significant increase in both the amount and scope of potential fines under the GDPR. In particular, administrative fines under the GDPR may be up to 4% of the total worldwide annual turnover of the preceding financial year in the case of an “undertaking.” Such enhanced financial penalties for data protection violations are intended to prevent organizations from deriving any profit from a data protection breach.
In addition, organizations should carefully note the imposition of fines for violations regarding technical and organizational measures and the principles of privacy by design and privacy by default. Organizations should ensure that appropriate technical and organizational measures are in place and that they have appropriately implemented the principles of privacy by design and privacy by default before the GDPR becomes effective in 2018.