Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 (GDPR) were published at the end of October by the Article 29 Working Party (WP 29). In my previous post, I outlined the principles set out in the Guidelines.
In this post, I give a summary of WP 29’s comments on the following aspects set out in Article 83 (2) of the GDPR, which need to be assessed when deciding whether to impose an administrative fine and when deciding on the amount of the administrative fine in each individual case:
(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
a) the nature, gravity and duration of the infringement:
Regarding the nature of the infringement, under Section 148 of the Preamble to the Regulation, it is necessary to examine whether there has been a "minor infringement" of the provisions of the Regulation, since in such cases the fine may be replaced by a reprimand. (This, of course, is not an obligation for the authority, but an option.) The same possibility exists if the data controller is a natural person and “the fine likely to be imposed would constitute a disproportionate burden”.
The Guidelines also point out that “breaches of the Regulation, which by their nature might fall into the category of up to 10 million or up to 2% of total annual worldwide turnover […] might end up qualifying for a higher tier (Euro 20 million) category in certain circumstances”. “This would be likely to be the case where such breaches have previously been addressed in an order from the supervisory authority, an order which the controller or processor failed to comply with (see Article 83 (6))”.
In the case of gravity, the authorities take into account whether several different infringements have occurred at the same time. In addition, the authorities consider the following factors in combination:
- The number of data subjects affected by the infringement (i.e. whether there is an “isolated event or [it is] symptomatic of a more systemic breach or lack of adequate routines in place”). Of course, an isolated event can also affect a large number of data subjects. In such cases, this may be determined, “depending on the circumstances of the case for example, the total number of registrants in the database in question, the number of users of a service, the number of customers, or in relation to the population of the country, as appropriate”.
- It is also necessary to evaluate the purpose of data processing. (In this respect, please also see WP 29’s Opinion 3/2013 on purpose limitation.)
- If the data subjects affected have suffered damage, the level of the damage must also be taken into account (see Section 75 of the Preamble to the Regulation).
The duration of the infringement may indicate wilful conduct by the data controller, or a failure to take appropriate preventive measures or to implement the necessary technical and organisational measures.
b) the intentional or negligent character of the infringement:
In the case of an intentional infringement, there is, of course, a greater likelihood that a fine will be imposed.
“Circumstances indicative of intentional breaches might be unlawful processing authorised explicitly by the top management hierarchy of the controller, or in spite of advice from the data protection officer or in disregard for existing policies, for example obtaining and processing data about employees at a competitor with an intention to discredit that competitor in the market.”
According to the Guidelines, examples of intention may also be:
- “amending personal data to give a misleading (positive) impression about whether targets have been met – we have seen this in the context of targets for hospital waiting times,
- the trade of personal data for marketing purpose i.e. selling data as ‘opted in’ without checking/disregarding data subjects’ views about how their data should be used.”
The following factors may indicate negligence:
- "failure to read and abide by existing policies,
- human error,
- failure to check for personal data in information published,
- failure to apply technical updates in a timely manner,
- failure to adopt policies (rather than simply failure to apply them)"
It is important for data controllers to use structures and resources appropriate to their activities, based on the risk-based approach of the Regulation.
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects:
The following examples may be mentioned:
- “contacting other controllers/processors who may have been involved in an extension of the processing e.g. if there has been a piece of data mistakenly shared with third parties.
- timely action taken by the data controller/processor to stop the infringement from continuing or expanding to a level or phase which would have had a far more serious impact than it did.”
d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32:
The principle of accountability has a central role in the GDPR. The following questions may arise, among other things, in this respect:
- “Has the controller implemented technical measures that follow the principles of data protection by design or by default (article 25)?
- Has the controller implemented organisational measures that give effect to the principles of data protection by design and by default (article 25) at all levels of the organisation?
- Has the controller/processor implemented an appropriate level of security (article 32)?
- Are the relevant data protection routines/policies known and applied at the appropriate level of management in the organisation? (Article 24).”
When considering the above, data controllers should take into account "good practices", industry standards, and codes of conduct (if any).
e) any relevant previous infringements by the controller or processor:
The track record ("past") of the data controller or data processor that committed the infringement can be considered here. The authority may carry out a fairly wide-ranging evaluation, as the Guidelines provide that essentially any violation of any provision of the Regulation may be "relevant".
f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement:
This criterion is mainly relevant to determining the amount of the fine (i.e., essentially, once it has already been decided that a fine will in any event be imposed).
Mere fulfilment of a legal obligation (e.g. allowing an "on-site inspection" by the authority) cannot in itself be regarded as mitigating the consequences of the infringement.
g) the categories of personal data affected by the infringement:
The following questions may arise:
- “Does the infringement concern processing of special categories of data set out in articles 9 or 10 of the Regulation?
- Is the data directly identifiable/ indirectly identifiable?
- Does the processing involve data whose dissemination would cause immediate damage/distress to the individual (which falls outside the category of article 9 or 10)?
- Is the data directly available without technical protections, or is it encrypted?”
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement:
Notification of a data breach that is already mandatory under the Regulation cannot constitute a mitigating factor.
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures:
Here, unlike under Point e) above, the assessment concerns compliance with measures previously ordered "with regard to the same subject-matter". (That is, the authority's evaluation is narrower than in the case of Point e).)
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42:
In some cases, the authority may be satisfied that the body responsible for monitoring the Code of Conduct will take the necessary actions. (Self-regulation is therefore possible, but of course the authority is not bound by any decision made by the self-regulatory body.)
However, “non-compliance with self-regulatory measures could also reveal the controller’s/processor’s negligence or intentional behaviour of non-compliance.”
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement:
This point allows the evaluation of other aspects not mentioned above. According to the Guidelines, if the data controller has obtained a profit as a result of the infringement, this may be a strong indication that a fine needs to be imposed.