The Article 29 Working Party has published draft guidelines that a supervisory authority (SA) should take into account prior to issuing administrative fines under the General Data Protection Regulation (GDPR). Detailed instructions for calculating the size of fines are expected to be included in a future updated version of the guidelines.
Under the GDPR, the scope and nature of the administrative fines which SAs can impose on non-compliant organisations have significantly increased. Such fines may be up to €20 million or 4% of the undertaking's total worldwide annual turnover (whichever is greater) for breaches of the GDPR.
It is clear that a failure to address data protection compliance obligations could prove very costly for organisations, especially as the guidelines take a broad view of "undertaking", considering it to mean a parent company and all involved subsidiaries.
Of course, the figures above are maximum caps rather than “price tags” for specific breaches. Fines are also not the only corrective measures available to SAs under the GDPR (other measures include warnings, reprimands and various orders).
Nevertheless, the guidelines emphasise that fines are a powerful part of an SA’s toolbox, which should be wielded in appropriate circumstances. Fines are not necessarily to be relied upon as a “last resort”.
The guidelines state that SAs must assess each case individually to identify the most "effective, proportionate and dissuasive" corrective measure (or combination of measures) having regard to a number of assessment criteria (both aggravating and mitigating). These criteria include:
- The nature, gravity and duration of the breach;
- The number of data subjects involved;
- The scope and purpose of the processing;
- The damage suffered by data subjects (and any action taken by the organisation to mitigate this damage);
- The degree of responsibility of the organisation, including the technical and organisational measures implemented by it;
- The intentional or negligent character of the breach; and
- The degree of cooperation with the SA in order to remedy the breach.
While an SA may ultimately use its discretion in deciding which corrective measure(s) is/are most suitable in the circumstances, the guidelines stress the need for SAs to achieve consistency with regard to the amounts of fines they set and with regard to their choice of corrective measure(s). Cooperation between SAs is encouraged. The expected guidance on calculating the size of fines should assist in achieving reasonable uniformity of approach across member states, as should the GDPR's consistency mechanism.