On 3 October 2017, the Article 29 Data Protection Working Party (hereinafter, “WP29”) adopted Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (hereinafter, “Guidelines”). The Guidelines are addressed to the supervisory authorities and aim to ensure a better application of the General Data Protection Regulation(hereinafter, “GDPR” or “Regulation”). In particular, in consideration of the paramount importance of administrative fines in the new enforcement regime, the Guidelines are intended to clarify how they should be properly applied.
In the Guidelines, WP29 – acting in its new role as European Data Protection Board (hereinafter, “EDPB”) – expresses its common understanding on the provisions of Article 83 of the GDPR and its interaction with Articles 58 and 70 of the GDPR, providing recommendations and best practices concerning the application of the Regulation and the setting of administrative fines as provided by Article 70(1)(e) and (k) of the GDPR.
Administrative fines, like all corrective measures in general, are considered pivotal tools to be used in appropriate circumstances in order to respond adequately, taking into consideration the nature, gravity and consequences of the breach. The supervisory authorities concerned should impose fines that are effective, proportionate and dissuasive as provided in Article 83 of the GDPR. Furthermore, in identifying an undertaking, they should consider the definition of undertaking provided by the Court of Justice of the European Union (hereinafter, “CJEU”) in Cases C-217/05 and C-170/83 (“an economic unit for the purpose of the subject-matter of the agreement in question even if in law that economic unit consists of several persons, natural or legal”).
When deciding whether a fine should be imposed and the amount of the fine, the supervisory authorities should use the criteria established in Article 83(2) of the GDPR, having regard to all the circumstances of each individual case, as specified in Recital 129 and 141 of the GDPR as well as in the above-mentioned Article 83(2) of the GDPR: the nature, the duration and the gravity of the infringement, the number of data subjects involved, the purpose of the processing and the eventual damage suffered by the data subject. Other important criteria that should be taken into consideration concern the manner in which the infringement becomes known to the supervisory authority and the degree of cooperation with the same, the absence of relevant previous infringements by the controller or the processor and the categories of personal data affected by the infringement (data directly or indirectly identifiable).
Article 83(4) and (6) of the GDPR establish two different maximum amounts for administrative fines: 10 million Euro (in the case of an undertaking, up to 2 % of the total worldwide annual turnover) and 20 million Euro (in the case of an undertaking, up to 4 % of the total worldwide annual turnover). Nevertheless, the competent supervisory authority may decide that in a particular case there is a higher or a more reduced need to react with a corrective measure in the form of a fine.
With regard to the occurrence of an infringement, the supervisory authority concerned must evaluate the intentional (e.g. an unlawful processing authorized explicitly by the top management hierarchy) or the negligent character (e.g. human error, failure to apply technical updates) of the infringement and whether actions have been undertaken by the controller or the processor to mitigate the damage suffered by data subjects.
In order to comply with the principle of accountability, in the case of an infringement, the controller or the processor should demonstrate the implementation of the technical measures pursuant to Article 32 of the GDPR as well as compliance with the principles of data protection by design or by default as provided in Article 25 of the GDPR.
Adherence to approved codes of conduct may also be used as a way to demonstrate compliance.
The supervisory authorities must restore compliance through all the corrective measures at their disposal. Such authorities will have the task to choose the most appropriate channel for pursuing their regulatory action, which could include penal sanctions at the national level where envisaged by the Member State concerned.
The EDPB recommends the creation of a permanent sub-group attached to a relevant part of the EDPB to support the case-handling exchange activities which could improve consistency in the interpretation and application of the Regulation across borders.
From the business point of view, companies – whether they act as controllers or processors – have to pay specific attention to:
- implement appropriate technical and organizational measures to ensure that processing is performed in accordance with the Regulation (see especially Article 25 and 32 of the GDPR);
- create a comprehensive Corporate Data Protection Compliance Framework which sets forth clear and actionable policies and procedures aimed to fulfil the principle of accountability and to prevent the infringement of the Regulation;
- train the workforces in order to improve the understanding of the Regulation and of their relevant tasks to assure compliance with it.