“What fine am I at risk of if I don’t comply with the rules imposed by GDPR?” is a question often asked by data controllers who sometimes choose not to adhere to the provisions of data protection legislation, believing that the chances of being sanctioned are minimal. However, the principle of prevention fully applies in the field of personal data protection, and data controllers should not overlook the fact that any data subject whose data they process may, at some point, file a complaint with the Supervisory Authority (ANSPDCP), which will then conduct a thorough investigation of those data controllers.
Each Member State to which the General Data Protection Regulation applies has the right to establish its own criteria for assessing the amount of fines imposed on negligent data controllers, taking into account the economic and legal conditions specific to each such Member State. For this reason, the amount of GDPR sanctions varies from one state to another, and the competent authorities act in a more or less discretionary manner.
To assist both data controllers and Supervisory Authorities at the Member State level, the European Data Protection Board adopted in May the final version of Guide 04/2022 on the determination of fines in data protection matters (hereinafter referred to as the “Guide”).
This Guide was designed to help supervisory authorities in Member States sanction data controllers who do not comply with the provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”) in a more predictable and therefore more transparent manner. This predictability also benefits data controllers, who can now anticipate the maximum fines they may incur in case of GDPR non-compliance.
To ensure a more balanced community practice regarding the calculation of fines, the European Data Protection Board, through this Guide, provides member state authorities with a specific methodology, but as a recommendation rather than an obligation. This methodology presented in the Guide includes five stages that must be followed in the process of determining the amount of a GDPR fine:
- Identifying the processing operations and evaluating the application of Article 83(3) of the GDPR.
Article 83(3) of the GDPR refers to “where a controller or processor intentionally or negligently, for the same processing operation or related processing operations, infringes several provisions of this Regulation,” providing the following: “the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement.”
- Identifying the minimum limit of the administrative sanction, based on:
  - the classification provided by Articles 83(4) to 83(6) of the GDPR;
  - the seriousness of the GDPR violations, according to Articles 82(2)(a), (b), and (g) of the GDPR;
  - the total global turnover of the liable controller, an element that should be taken into account if an effective, proportionate, and dissuasive fine is to be applied.
- Assessing aggravating and mitigating circumstances regarding the past or current conduct of the controller/processor and increasing or reducing the fine accordingly. This is where the so-called “previous conduct” of liable data controllers in terms of GDPR violations comes into play, as repeated infringements can lead to substantially increased sanctions.
- Identifying the maximum limit of the fine amount.
- Conducting an analysis to determine if the final calculated fine meets the requirements of effectiveness, dissuasiveness, and proportionality, as provided in Article 83(1) of the GDPR.
It is important to mention that the Guide does not aim to ensure a uniform practice at the Union level regarding the amount of fines imposed under the GDPR. It is offered as a recommendation, a supporting tool for authorities in their sanctioning activity, so that the fines imposed are as accurate as possible in holding accountable those data controllers who do not comply with the GDPR.
Thus, national supervisory authorities will continue to have the freedom to assess the amount of fines imposed, respecting the legal provisions and the principles of effectiveness, dissuasiveness, and proportionality applicable in the field of personal data protection.
The lawyers in our team have relevant experience in investigations conducted by the ANSPDCP, so in the case of a Supervisory Authority investigation, they can provide specialized legal advice and assistance to achieve favorable results.
Contact – Mihaela Bălău (+4) 0754 028 818