The General Data Protection Regulation (GDPR) provides the Data Protection Authorities with different options in case of non-compliance with the data protection rules
- likely infringement – a warning may be issued;
- infringement: the possibilities include a reprimand, a temporary or definitive ban on processing and a fine of up to €20 million or 4% of the business’s total annual worldwide turnover.
It is worth noting that in the case of an infringement, the DPA may impose a monetary fine instead of, or in addition to, the reprimand and/or ban on processing.
The authority must ensure that fines imposed in each individual case are effective, proportionate and dissuasive. It will take into account a number of factors such as the nature, gravity and duration of the infringement, its intentional or negligent character, any action taken to mitigate the damage suffered by individuals, the degree of cooperation of the organisation, etc.
A company sells online household material. Through its website, consumers can buy kitchen appliances, tables, chairs and other domestic goods by entering their bank details. The website suffered a cyber-attack leading to personal details being rendered available to the attacker. In this case, the lack of appropriate technical measures by the company seems to have been the cause of the data loss.
In this instance, various factors will be considered by the supervisory authority before deciding what corrective tool to use. Factors such as: how serious was the deficiency in the IT system? How long had the IT infrastructure been exposed to such a risk? Were tests carried out in the past to prevent such an attack? How many customers had their data stolen/disclosed? What type of personal data was affected – did it include sensitive data? All these and other considerations will be taken into account by the supervisory authority.
- Articles 58, 60, 83 and 84 and Recitals (129), (148), (150) and (151) of the GDPR
- Article 29 Working Party Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, 3 October 2017