Under article 83 of the new european general data protection regulation (GDPR) applicable from May 2018, the amount of potential fine has drastically increased.
Even though authorities have other powers to enforce the GDPR such as issuing warning or order, they may eventually serve a fine of up to 20 million euros or up to 4% of the global annual turnover of the precedent financial year, whichever is higher.
There are two different categories of infringements :
the ones subject to a fine of up to 20 million or 4% of the global annual turnover and
the ones subject to a less important fine of up to 10 million euros or up to 2% of the global annual turnover.
Below a list of infringements subject to these administrative fines:
1. Administrative fine of up to 20 million or 4% of the global annual turnover
The potential sanction applies to data controller or processor in breach of the following:
- the data protection principles (purpose limitation, fair collection etc. see here for more details)
- the lawfulness of processing (data processing must be based on consent, performance of a contract, legal obligation, legitimate interest etc.)
- the conditions for obtaining a valid data subject’s consent where data processing is based on consent (see here for more details on how to obtain a valid consent)
- additional conditions for processing special categories of data or criminal data (e.g; explicit consent etc. ) (see article 9 of the GDPR)
Data subject’s rights are the following:
- right of access;
- right to object;
- right to restriction;
- right to erasure;
- right to restriction;
- right to rectification;
- right to data portability (see here for more details)
Where personal data is transferred outside the EU to a country or an international organisation not providing an adequate level of protection, additional guarantee must be implemented for the transfer to be compliant with the GDPR.
Among the tools available to transfer data to a third country a data controller or processor may implement BCR, EU model clauses, Privacy Shield.
Under specific circumstances, a data controller or processor may rely on a derogation where it is applicable.
The Chapter IX of the GDPR refers to specific law each Member States can enact on the following matters:
- Use of personal data in the context of employment
- Freedom of information and speech,
- Access to public/official documents,
- Use of national identification number,
- Derogations for archiving, historical and scientific purposes or
- Use by religious association and church is regulated by specific member states laws.
Processing personal data in breach of these local law is still a breach of the GDPR.
Supervisory Authorities have a right to serve fine but also to issue order and warning.
Being in breach of the orders or measure listed above is subject to a fine.
2. Administrative fine of up to 10 million or 2% of the global annual turnover
When a child is under 16, parent’s consent is necessary to process child’s personal data. The age limit may be lowered to 13 by Member State law.
Where a data controller does not need to identify data subjects anymore, it should not collect or keep data enabling their identification for the sole purpose of complying with the GDPR.
It is not clear what could be an infraction but we guess that for example, where a data controller continue identifying data subjects for the sole purpose of being able to handle a subject access request, it is in breach of the regulation.
Data Protection by design and by default principles apply to data controllers only (see here for more details on these principles)
If no appropriate organisational and/or technical measures such as policies are in place for ensuring compliance with data protection principles (see here), it should be considered as a breach.
Data protection officers are not directly liable for any data controller or processor’s breach of the GDPR.
Therefore a breach of article 39 relating to DPO's mission should mean that if the Data Protection officer is prevented from accomplishing their mission, data controller or processor is in breach of the GDPR.
See here for more information about the DPO role and responsibilities.
Certification and code of conduct are ways for data controller or processor to prove their compliance with the GDPR on certain points (it works like a label or a seal).
Some companies may agree to be bound by a code of conduct designed for a sector of activities and to be monitored by a monitoring body or to be certified by an independent body.
Breach of the certification by a controller or a processor as well as breach of duty by the independent and monitoring bodies is a breach of the GDPR