Under Article 83 of the European General Data Protection Regulation (GDPR), the amount of the potential fine has increased drastically compared to the previously applicable legislation.
Although data protection authorities may issue a warning or an order beforehand, they may also impose a fine of up to 20 million euros or 4% of the global annual turnover of the preceding financial year, whichever is higher.
However, depending on the seriousness of the breach, two different ceilings apply:
- Serious infringements are subject to a fine of up to 20 million euros or 4% of the global annual turnover (1); and
- Other infringements are subject to a lower fine of up to 10 million euros or 2% of the global annual turnover (2).
1. Administrative fine of up to 20 million euros or 4% of the global annual turnover
This sanction applies to a data controller or processor in breach of the following:
- the data protection principles (purpose limitation, fair collection, etc.; see here for more details)
- the lawfulness of processing (data processing must be based on consent, performance of a contract, legal obligation, legitimate interest, etc.)
- the conditions for obtaining valid consent from the data subject where data processing is based on consent (see here for more details on how to obtain valid consent)
- the additional conditions for processing special categories of data or criminal data (e.g. explicit consent; see Article 9 of the GDPR)
Data subjects' rights are the following:
- right of access;
- right to object;
- right to restriction;
- right to erasure;
- right to rectification;
- right to data portability (see here for more details).
Where personal data is transferred outside the EU to a country or an international organisation that does not provide an adequate level of protection, additional guarantees must be implemented for the transfer to be compliant with the GDPR.
Among the tools available for transferring data to a third country, a data controller or processor may implement BCRs (binding corporate rules), EU model clauses or the Privacy Shield.
In specific circumstances, a data controller or processor may instead rely on a derogation where one applies.
Chapter IX of the GDPR refers to specific laws that each Member State may enact on the following matters:
- Use of personal data in the context of employment
- Freedom of information and speech
- Access to public/official documents
- Use of national identification numbers
- Derogations for archiving, historical and scientific purposes
- Use by religious associations and churches
Processing personal data in breach of these local laws is still a breach of the GDPR.
Supervisory authorities have the power not only to impose fines but also to issue orders and warnings.
Failing to comply with the orders or measures listed above is itself subject to a fine.
2. Administrative fine of up to 10 million euros or 2% of the global annual turnover
When a child is under 16, parental consent is necessary to process the child's personal data. Member State law may lower this age limit to 13.
Where a data controller no longer needs to identify data subjects, it should not collect or retain data enabling their identification for the sole purpose of complying with the GDPR.
It is not clear what would constitute an infringement here, but we assume that, for example, a data controller that continues identifying data subjects for the sole purpose of being able to handle a subject access request is in breach of the regulation.
The data protection by design and by default principles apply to data controllers only (see here for more details on these principles).
If no appropriate organisational and/or technical measures, such as policies, are in place to ensure compliance with the data protection principles (see here), this should be considered a breach.
Under Article 28, when a processor processes personal data on behalf of a controller, the two must enter into a specific contract. The processor may not subcontract its obligations to another processor without the controller's prior consent. Where such consent is obtained, the processor must enter into an equivalent contract with its own processor.
Article 29 provides that any person acting under the authority of the controller or of the processor (including employees) must only process personal data on the controller's instructions.
Under Article 30, controllers and processors must maintain a record of their processing activities (unless an exemption applies).
They, as well as their representatives, must cooperate with the supervisory authority.
Under Article 32, controllers and processors must ensure the security of personal data.
In the event of a security breach, processors must notify their controller, and the controller must notify the supervisory authority within 72 hours if there is a risk to the data subjects (Article 33).
If there is a high risk to data subjects, they themselves must also be notified (Article 34).
Where a processing activity is likely to result in a high risk to data subjects (e.g. very intrusive processing), controllers must assess the risk to their rights and freedoms by carrying out a data protection impact assessment (DPIA).
If the risks identified when carrying out the DPIA cannot be sufficiently mitigated, controllers must consult the supervisory authority.
Data protection officers are not directly liable for a data controller's or processor's breach of the GDPR.
Therefore a breach of Article 39, which relates to the DPO's mission, should mean that if the data protection officer is prevented from accomplishing their mission, the data controller or processor is in breach of the GDPR.
See here for more information about the DPO role and responsibilities.
Certifications and codes of conduct are ways for a data controller or processor to demonstrate compliance with the GDPR on certain points (they work like a label or a seal).
Some companies may agree to be bound by a code of conduct designed for their sector of activity and to be monitored by a monitoring body, or to be certified by an independent body.
A breach of the certification by a controller or processor, as well as a breach of duty by the independent or monitoring bodies, is a breach of the GDPR.