GDPR : Sanction (Administrative fine)

The General Data Protection Regulation (GDPR), applicable since May 2018, gives the European Data Protection Authorities, since then called the Supervisory Authorities, the power to serve administrative fines of up to €20 million or 4% of the global annual turnover of the precedent financial year, whichever is higher.

Although the Authorities may still take other actions such as issueing warning or order, the GDPR has drastically increased the maximum amount of the administrative fines (from less than one million to more than 20 million euros). 

However, depending on the seriousness of the breach, two different ceiling apply:

  • The most serious GDPR infrigments are subject to a fine of up to 20 million euros or 4% of the global annual turnover (1); and
  • The other less serious GDPR infrigment are subject to a lower fine of up to 10 million euros or  2% of the global annual turnover (2).

 A breakdown of the GDPR breaches per category of fines is provided below. 

1. GDPR breaches subject to an administrative fine of up to €20 million or 4% of the global annual turnover

The potential sanction applies to data controller or processor in breach of the following:

- the data protection principles (purpose limitation, fair collection etc. see here for more details)

- the lawfulness of processing (data processing must be based on consent, performance of a contract, legal obligation, legitimate interest etc.)

- the conditions for obtaining a valid data subject’s consent where data processing is based on consent (see here for more details on how to obtain a valid consent)

- additional conditions for processing special categories of data or criminal data (e.g; explicit consent etc. ) (see article 9 of the GDPR)

Data subject’s rights are as follows:

- right of access; - right to object; - right to restriction; - right to erasure; - right to restriction; - right to rectification; - right to data portability  (see here for more details) Controllers must be able to handle individuals' right requests without delay and, in any event, within one month of the request. For more details about individuals' rights see here.

Where personal data is transferred outside the EU to a country or an international organisation not providing an adequate level of protection, Controllers and, in some cases, processors, must implement additional guarantees to ensure the level of protection of the personal data is adequate.

Several transfer mechanisms are available to controllers or processors such as BCR, EU model clauses, Privacy Shield. They may also rely on derogation such as individual's explicit consent, under specific circumstances.

The Chapter IX of the GDPR refers to specific law each Member States can enact on the following matters:

  • Use of personal data in the context of employment
  • Freedom of information and speech,
  • Access to public/official documents,
  • Use of national identification number,
  • Derogations for archiving, historical and scientific purposes or
  • Use by religious association and church is regulated by specific member states laws.

Processing personal data in breach of these local law is still a breach of the GDPR.

Supervisory Authorities have the right to serve fines and to issue orders and warnings. If controllers or processors does not comply with the order or warning served on them, it is another ground for the Authority to serve a fine.

2. GDPR breaches subject to an administrative fine of up to €10 million or 2% of the global annual turnover

When a child is under 16, parent’s consent is necessary to process child’s personal data. The age limit may be lowered to 13 by Member State law.

Where a data controller does not need to identify data subjects anymore, it should not collect or keep data enabling their identification for the sole purpose of complying with the GDPR.

It is not clear what could be an infraction but we guess that for example, where a data controller continue identifying data subjects for the sole purpose of being able to handle a subject access request, it is in breach of the regulation.

Data Protection by design and by default principles apply to data controllers only (see here for more details on these principles)

If no appropriate organisational and/or technical measures such as policies are in place for ensuring compliance with data protection principles (see here), it should be considered as a breach.

Article 26 of the GDPR provides that where two or more controllers jointly determines the purposes and the means of processing, they must determine in a transparent manner their respective responsibilities with regard to their obligations under the regulation by means of an arrangement. Under article 27, where the controller or the processor is located outside of the EU and subject to article 3(2) of the GDPR, it must appoint a Representative. Such appointment must be done in writing and the representative must be based in the EU.

Under article 28, when a processor processes of personal data on behalf of a controller, they must enter into a specific contract. The processor may not subcontract its obligations to another processor without the controller's prior consent. Where such consent is obtained, the processor must enter into an equivalent contract with its own processor.

Article 29 provides that any person acting under the authority of the controller or of the processor (including employee), must only process personal data on the controller's instructions.

Under Article 30, controllers and processors must maintain a record of their processing activities (unless an exemption applies)

They, as well as their representative, must cooperate with the supervisory authority.

Under article 32, controllers and processors must ensure the security of personal data.

In the event of a security breach, processors must notify their controller and the latter must notify the authority within 72 hours if there is a risk for the data subjects (article 33).

If there is a high risk for data subjects, they must also be notified (article 34).

Where a processing activity is likely to result in a high risk for data subjects (e.g. very intrusive processing), controllers must assess the risk for their rights and freedom by carrying out a data protection impact assessment (DPIA).

If the risks identified when carrying out the DPIA cannot be sufficiently mitigated, controllers must consult the supervisory authority.

Data protection officers are not directly liable for any data controller or processor’s breach of the GDPR.

Therefore a breach of article 39 relating to DPO's mission should mean that if the Data Protection officer is prevented from accomplishing their mission, data controller or processor is in breach of the GDPR.

See here for more information about the DPO role and responsibilities.

Certification and code of conduct are ways for data controller or processor to prove their compliance with the GDPR on certain points (it works like a label or a seal).

Some companies may agree to be bound by a code of conduct designed for a sector of activities and to be monitored by a monitoring body or to be certified by an independent body.

Breach of the certification by a controller or a processor as well as breach of duty by the independent and monitoring bodies is a breach of the GDPR

For any question, please contact Arnaud Blanc, French & UK qualified lawyer based in France.

GDPR : Sanction (Administrative fine)
Tagged on: