The German Data Protection Authorities (“DPAs”) released a paper on fines under Art. 83 General Data Protection Regulation (“GDPR”) in July 2017. Fines are hanging like a Sword of Damocles over the organizations that are getting ready for GDPR, since the upper limits of fines have been increased substantially. For example, German DPAs can currently impose fines of up to EUR 300,000. Under the GDPR, fines can amount to up to EUR 20 million or 4% of the worldwide annual turnover.
Levels of fines
The DPAs explain the different levels of fines that can be imposed against a controller or processor, and give examples of the relevant cases.
- Fines of up to EUR 10 million or, in case of an “undertaking”, 2% of the total worldwide annual turnover of the preceding business year, whichever is higher, can be imposed, e.g., for the failure to implement appropriate technical and organizational security measures.
- “Particularly serious infringements” can result in fines up to EUR 20 million or, in case of an “undertaking”, 4% of the total worldwide annual turnover of the preceding business year, whichever is higher. Particularly serious infringements include violations of the rights of data subjects or processing without a justification.
- Non-compliance with an order by the supervisory authority under Art. 58 (2) GDPR may be subject to fines up to EUR 20 million or, in case of an “undertaking”, 4% of the total worldwide annual turnover of the preceding business year, whichever is higher.
Interpretation of “undertaking”
The paper explains that the DPAs’ interpretation of “undertaking” according to Art. 83 (4), (5) and (6) GDPR differs from the definition of “enterprise” in Art. 4 (18) GDPR. The DPAs argue that, in light of Recital 150 GDPR, the term “undertaking” has to be interpreted in accordance with the broader antitrust law definition of “undertaking”: Undertaking refers to parent companies and subsidiaries. Therefore, fines will be determined based on the total turnover of the entire corporate group.
Criteria for the amount of fines
The DPAs further explain that the fines must be effective, proportionate and dissuasive. The DPAs highlight the following factors that shall be considered when determining the fines (see Art. 83 (2) GDPR):
- Nature, gravity and duration of the infringement
- Categories of personal data affected
- The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
- The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them
- Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided from the infringement
Comment
It remains to be seen how high the first GDPR fines will be, and whether the DPAs will use the entire scope of fines right away. We expect that the European Data Protection Board will provide guidelines with regard to certain categories of infringements of the GDPR and the related levels of fines (Art. 70 (1) (k) GDPR).
The DPAs have published seven other papers regarding the interpretation of the GDPR on records of processing activities, processing personal data for advertising purposes, data transfers to third countries, data protection impact assessments, right to access, territorial scope and an action plan. The papers can be found here (only in German).