On 1 September 2016, the Bavarian Data Protection Authority (“DPA”) issued a new guidance paper on sanctions under the new EU General Data Protection Regulation (“GDPR”) in the course of a series of non-binding guidance papers on selected topics in relation to the GDPR, which the DPA publishes periodically, and which can be found on the DPA’s official website.
Starting Point: Article 83 GDPR
The DPA’s first finding is that, compared to the current legal framework under the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), the GDPR (specifically Article 83) provides for a much wider array of infringements that are subject to sanctions. Most breaches may result in administrative fines; exceptions apply only in cases of minor infringements or where the fine likely to be imposed would constitute a disproportionate burden (recital 148 of the GDPR).
Technical and Organisational Measures
The DPA also expressly notes that under the GDPR, infringements regarding technical and organisational measures can result in administrative fines, which the DPA deems an important innovation compared to the current legal situation in Germany. Another key change is that the GDPR also provides for administrative fines for infringements of the obligation to implement the legal principles of privacy by design and privacy by default; the DPA takes the view that this evidences the great value attributed to these principles.
Potential Addressees of Administrative Fines
The DPA emphasizes that administrative fines can be imposed upon both data controllers and data processors. Further, certification bodies and bodies accredited to monitor compliance with a code of conduct might be subject to administrative fines.
The DPA assumes that undertakings are liable for infringements committed by their employees. Whether administrative fines can also be imposed upon employees is not regulated by the GDPR. The DPA concludes that it remains to be seen whether the implementing laws at national level will address this open issue.
Increased Amount of Fines
Article 83(1) GDPR sets forth that administrative fines “shall in each individual case be effective, proportionate and dissuasive”. The DPA highlights that under the GDPR certain infringements may result in fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The DPA states that, when determining the relevant worldwide annual turnover, not only the individual company but the whole group of companies is to be taken into account. In the DPA’s view this follows from recital 150 of the GDPR, which expressly refers to the “economic concept of undertakings” contained in Articles 101 and 102 of the Treaty on the Functioning of the European Union.
Relevant Factors for Determining the Amount of Fines
A number of criteria need to be considered when determining the amount of the relevant administrative fine, in particular previous infringements and/or the degree of cooperation with the competent supervisory authority. If, in the course of pending investigations, an undertaking provides the supervisory authority with incorrect or incomplete information, this is regarded as an aggravating factor. The DPA takes the position that this is a general rule which has also been acknowledged by the Court of Justice of the European Union with regard to violations of competition law.
Since the GDPR’s aim is to create a uniform level of fines across the European Union, the DPA calls on the European Data Protection Board, as established by the GDPR, to develop guidelines for determining the amount of administrative fines.
The DPA concludes that the GDPR’s provisions on sanctions express the legislator’s intention to sanction infringements consistently and seriously. This is a clear message to enterprises that data protection issues should be taken seriously.