Update Data Protection 14/2016
The new regulations on fines under the General Data Protection Regulation
The new General Data Protection Regulation (GDPR) will take direct effect on May 25, 2018. The GDPR will also introduce new regulations on fines that go beyond the current rulings of the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG). The comments below are intended to provide an overview of the new provisions as well as of the differences compared to the current legal position. Following this, the comments also set out to illustrate the resulting practical consequences for persons and undertakings with responsibility under data protection law.
Current rulings under the BDSG
Section 43 Subsections 1 and 2 BDSG currently provide for a graduated catalogue with various elements of fines. Differing maximum amounts apply depending on the nature of the violation of data protection law: while violations of the provisions listed in Section 43 Subsection 1 BDSG are liable to punishment by fines of up to 50,000 EUR, violations under Section 43 Subsection 2 BDSG can result in fines of up to 300,000 EUR. In addition, the law also explicitly provides for the possibility of fines above these figures.
New provisions under the GDPR
The new provisions of the GDPR now provide for various new rulings that go beyond the current rulings of the BDSG. This concerns in particular an extension of the violations punishable by fines as well as the amount of the possible fines. Likewise new is the fact that it is no longer only the responsible data controller that can receive a fine for violation of GDPR rulings, but also any data processors involved. The latter are therefore now also exposed to the risk of a fine. The GDPR does not regulate the sanctioning of the responsible (natural) players in a company, such as managers and directors. In this respect however, the current draft legislation of the German lawmakers includes provisions for direct fines for those responsible persons. It remains to be seen in what form these rulings will ultimately be adopted. The possibility must however be reckoned with that the responsible persons of a company will also be exposed to the risk of a fine in future.
Extended elements of fines
In a similar manner to the BDSG, Articles 83 Subsections 4, 5 and 6 GDPR differentiate in terms of the nature of the data protection obligations violated, and establish correspondingly differing fine frameworks. In contrast to the BDSG, the elements liable to punishment by fines have been extended, with the result that the overwhelming majority of GDPR regulations, imposing obligations on the data controller or data processor, are now punishable by fines. In this respect, particular attention must be drawn to the obligation to take suitable and appropriate technical and organizational measures, as well as to the obligations in terms of "privacy by design" and "privacy by default". Accordingly, violations of these obligations can now be sanctioned by the data protection supervisory authorities. It remains to be seen in which specific constellations the data protection supervisory authorities will affirm a violation of these concrete obligations in future as these obligations do not set out precise rules but rather include general obligations. Nevertheless, the inclusion in the catalogue of elements contained in Article 83 GDPR shows that the lawmakers attach high importance to the above mentioned obligations. Both the data controller as well as data processors should therefore also pay particular attention to compliance with these.
New framework of fines
In addition to the extension of the elements of fines, the relevant maximum amounts have also been increased. For example, the possibility exists of imposing a fine of up to 10 million EUR for violation of the elements contained in Article 83 Subsection 4. Specifically, matters are covered such as incorrect or non-production of records of processing activities pursuant to Article 30 GDPR. At the same time, the new rulings provide for fines of up to 20 million EUR for violations of the elements stated in Article 83 Subsections 5 and 6 GDPR. This includes such actions as the processing of personal data without legal permission or the consent of the parties concerned.
Alternatively, the maximum amounts stated can also be exceeded in the case of undertakings. For example, it is expressly possible to impose fines of up to 2% (Article 83 Subsection 4 GDPR) or 4% (Article 83 Subsections 5 and 6 GDPR) of total worldwide annual turnover of the preceding financial year. In this respect it should be noted in particular that, as per Recital 150 of the GDPR, the functional term of an undertaking under European anti-trust law must be applied. Building on from this, the Bavarian Data Protection Authority has assumed in a recently published comment (available at: www.lda.bayern.de/media/baylda_ds-gvo_7_sanctions.pdf - source in German) that, in the case of undertakings belonging to a group of companies or a combine, not only the annual turnover of the legal entity to be punished but the annual turnover of the entire group or combine are relevant. This means that the data protection supervisory authorities now have substantial sanctioning powers.
Criteria for determining fines
This is also further strengthened by the fact that, while the explicit wording of Article 83 Subsection 1 GDPR states that fines must always be proportionate, the regulation simultaneously also stipulates now that the fine should have a deterrent effect. Thanks in particular to the last of these components, data protection supervisory authorities now have the fundamental possibility of exercising their discretionary powers such that individual companies can receive substantial fines in certain circumstances, in order to set a deterrent example.
However, violation of one of the obligations stated in Article 83 Subsections 4 to 6 GDPR must not necessarily result in the imposition of a fine. In addition to the general ruling in Article 83 Subsection 1 GDPR already mentioned, under which the imposition of a fine must serve as a deterrent and be proportionate, Article 83 Subsection 2 GDPR includes an extensive list of assessment criteria that must be taken into account by the data protection supervisory authority when deciding whether to impose a corresponding fine and in what amount. As such, the data protection supervisory authorities are required to carry out an overall assessment based on the respective criteria in each individual case. Nevertheless, the decision on how the individual criteria are ultimately assessed is left to the authority itself.
In particular, the criteria listed include the degree of fault on the part of the data controller or processor as regards a violation, any remedial measures taken to reduce damage incurred, as well as the extent of the cooperation with the supervisory authority in terms of redressing a violation and minimizing its effects. On the other hand however, previous violations and other aggravating circumstances must also be taken into account. Further criteria listed in Article 83 Subsection 2 GDPR can also apply in addition.
As the wording of the regulation makes clear, the data protection supervisory authorities are in general entitled to waive a fine - depending on the outcome of the overall assessment of the criteria. Even in the event of a violation of data protection law, it is therefore advisable to have suitable remedial measures available and apply them, and also to cooperate actively with the data protection supervisory authorities. This is important as it minimizes the risk of deterrent and thus substantial fines being imposed.
Summary and practical tips
The above explanation of the new rulings on fines makes it clear that data controllers as well as data processors will be exposed to the risk of far-reaching sanctions. Compliance with the rules of the GDPR - which have again increased overall as a result of the new GDPR - no longer constitutes a side issue, but rather has become a core task of every company. In addition to the general powers of the data protection supervisory authorities (Article 58 GDPR), above all the new rulings on fines give authorities extensive discretion in terms of sanctioning violations of the provisions of the GDPR.
To avoid such risks, it is therefore advisable to establish suitable organizational and technical measures throughout an undertaking, in order to ensure comprehensive and effective compliance with the data protection provisions of the GDPR. Additionally however, corresponding processes must also be envisaged that enable speedy and effective removal of any violations of data protection law. In this context, it is advisable to involve the data protection supervisory authorities in an appropriate and transparent manner and to cooperate with them. As explained above, such factors must be taken into account as mitigating circumstances when imposing fines. These possibilities should not be underestimated.
Further references
Data Protection Update No. 11/2016 - Safe Harbor judgment - Hamburg data protection authority imposes initial fines concerning data transfers to the USA