Adatvédelem mindenkinek / Data protection for everyone

Setting of administrative fines based on the General Data Protection Regulation I.

2017. november 17. 14:00 - poklaszlo

Overview of the WP29 Guidelines on Administrative Fines

The high amount of the administrative fine, which can reach a maximum amount of EUR 20 million or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, makes it extremely important for data controllers and data processors to be prepared for the application of the EU’s new General Data Protection Regulation (GDPR).

Given the magnitude of the amount of the administrative fine, the Guidelines of Article 29 Working Party (WP 29) on the application and setting of administrative fines for the purposes of the GDPR were highly anticipated. The Guidelines were published at the end of October.

The GDPR specifies the types of infringements that may be sanctioned by the administrative fine with a higher cap (EUR 20 million or up to 4% of the total worldwide annual turnover) and by the administrative fine with a lower cap (EUR 10 million or up to 2% of the total worldwide annual turnover).

In addition to the above, the Regulation also contains the criteria that must be taken into account when imposing an administrative fine (see Article 83 (2) GDPR). However, with regard to the imposition of fines, the key question is how these criteria are interpreted by the supervisory authorities. WP 29’s Guidelines on administrative fines provide some help in this respect. Below, we will briefly review the main findings of the Guidelines.

WP29 declares that “consistent enforcement of the data protection rules is central to a harmonized data protection regime in Europe. Administrative fines are a central element in the new enforcement regime introduced by the Regulation […]”. (Appropriate means of enforcement by the supervisory authorities in relation to certain powers of the authorities are listed in Article 58 of the GDPR.)

The most important role of the Guidelines is therefore to demonstrate the common denominator of the Member States' authorities and the European Data Protection Board (this body will essentially take over the role of WP29, with wider and far more detailed legal functions and tasks), in the course of assessing the criteria when administrative fines are imposed.

The Guidelines first of all set out the principles that the supervisory authorities take into account when taking measures set out in Article 58 (2) (b) to (j) of the Regulation (including the possibility of imposing fines). These principles are as follows:

1. Infringement of the Regulation should lead to the imposition of “equivalent sanctions”. In this respect, the Working Party refers to paragraphs 10, 11 and 13 of the GDPR Preamble.

2. Like all corrective measures chosen by the supervisory authorities, administrative fines should be “effective, proportionate and dissuasive”. (See Article 83 (1) of the Regulation.) The Guidelines underline that in order to impose effective, proportionate and dissuasive penalties, “where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes”. “[…] namely that the concept of an undertaking is understood to mean an economic unit, which may be formed by the parent company and all involved subsidiaries. In accordance with EU law and case-law, an undertaking must be understood to be the economic unit, which engages in commercial/economic activities, regardless of the legal person involved (See paragraph 150 of the GDPR Preamble and Case C-41/90, paragraph 21, and Case C-217/05, paragraph 40, which states that “[t]he Court has also stated that, in the same context, the term ‘undertaking’ must be understood as designating an economic unit for the purpose of the subject-matter of the agreement in question even if in law that economic unit consists of several persons, natural or legal.”) It is an important question how this interpretation will affect, for example, the interpretation of the concept of an undertaking when the authorities calculate the total worldwide annual turnover for determining the cap of the fine.

3. The competent supervisory authority will make an assessment “in each individual case”. The Guidelines emphasize that the authorities should take the most appropriate measures and choose the most appropriate from all possible sanctions. The need to impose fines must also be assessed in this regard. This means that the authorities must consider all of the available corrective measures.

4. A harmonized approach to administrative fines in the field of data protection requires active participation and information exchange among supervisory authorities.

Following the establishment of these principles, the Guidelines examine the following criteria set out in Article 83 (2) of the Regulation, which must be assessed:

(a)    the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;

(b)    the intentional or negligent character of the infringement;

(c)     any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d)    the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e)    any relevant previous infringements by the controller or processor;

(f)      the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g)    the categories of personal data affected by the infringement;

(h)    the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the  infringement;

(i)      where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

(j)      adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k)    any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

The comments of the Guidelines regarding the assessment of the above criteria will be discussed in a separate post.