The recent publication of the Article 29 Working Party’s Guidelines on the application and setting of administrative fines for the purposes of the GDPR (the “Guidelines”) will be of particular interest to organisations eager to assess and manage the risk of incurring any fines for breach of GDPR obligations.
The Guidelines demonstrate the scope for national supervisory authorities to acknowledge good behaviour both before and after a breach of the GDPR and, in particular, bona fide attempts both to comply with obligations and mitigate any damage caused by non-compliance. Doing one’s best to comply will not be a defence, but it will be a strong mitigating factor.
The Guidelines highlight the general principles applicable to fines under the GDPR and provide further colour in relation to the factors identified in Article 83(2)(a)-(k) which should be considered by national supervisory authorities in: (i) choosing whether to impose a fine; and (ii) if so, deciding on the amount of the fine.
Principles relevant to Fines
The Guidelines explore the principles relevant to the imposition of fines across the EU. The principles to be considered by supervisory authorities in exercising their powers are:
- equivalent sanctions – the Guidelines are to be applied by supervisory authorities in the spirit of cooperation to ensure consistency of application and enforcement of the GDPR;
- fines to be effective, proportionate and dissuasive – the Guidelines indicate that the corrective measures taken by supervisory authorities must reflect the objective of such measures, i.e. to re-establish compliance, to punish unlawful behaviour or both;
- each individual case – each case must be assessed individually and supervisory authorities must consider all corrective measures, i.e. fines alone, other measures under Article 58(2) or both; and
- harmonisation – the Guidelines highlight the complexities of the fining regime, call for both informal and formal cooperation between supervisory authorities and note that decisions in relation to fines will be subject to appeal in the national courts.
Factors to be taken into Account under Article 83(2)
The Guidelines also provide further explanation of, and examples of circumstances within, the various factors set out in Article 83(2)(a)-(k). Such guidance/examples include that:
- in relation to Article 83(2)(a), where there are several infringements together, supervisory authorities will be able to apply administrative fines at the level applicable to the gravest infringement;
- failure to: (i) read and abide by existing policies; or (ii) apply technical updates in a timely manner, may be indicative of negligence under Article 83(2)(b);
- previous breaches which are different but committed in the same manner, e.g. due to insufficient organisational knowledge, will still be relevant to Article 83(2)(e);
- cooperation will not be given “due regard” under Article 83(2)(f) where this is already required by law, e.g. facilitating access to premises by supervisory authorities;
- where an approved code of conduct or self-regulatory scheme has been adhered to and the supervisory authority is satisfied that appropriate action will be taken by the community in charge of administering the code or scheme, the supervisory authority can refrain from imposing a penalty under Article 83(2)(j); and
- in relation to Article 83(2)(k), where a controller profits from infringement of the GDPR this will be a strong indication that a fine should be imposed.