The GDPR introduced an antitrust-style sanction regime, with fines for the most severe infringements of up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The Article 29 Working Party recently issued its much-anticipated draft Guidelines on the consistent application of these fines. The Guidelines aim to ensure that national DPAs impose comparable fines in comparable cases, so that the GDPR is applied uniformly across the EU (principle of equivalence).
The Guidelines elaborate on the assessment criteria already set out in the GDPR itself and are to be applied by the national DPAs on a case-by-case basis. The most significant criteria are the following:
(a) The nature, gravity and duration of the infringement and the categories of personal data concerned
These are assessed by reference to the number of individuals affected (e.g. the number of registrants in a database, users of an application or customers), the specified purpose of the processing and whether the data were used in a manner compatible with that purpose, as well as the level of damage suffered. Whether the personal data affected fall within the special (sensitive) categories is equally important in assessing the severity of the infringement.
(b) Intentional or negligent infringement
Circumstances indicative of intent include unlawful processing authorised by top management or carried out in disregard of existing privacy policies known to the employees. By contrast, failure to read and abide by existing policies, human error, failure to apply technical updates in a timely manner, or failure to adopt policies at all (as opposed to merely failing to apply them) are indicators of negligent behaviour.
(c) Responsibility of the controller/processor regarding technical and organisational measures
What is assessed here in practice is whether technical, organisational and security measures have been taken at all levels of the organisation, whether privacy policies are known and actually applied, whether best-practice regimes are followed, and whether the organisation has adhered to approved codes of conduct or certification mechanisms.
(d) Action to mitigate the damage suffered by the individuals
Even where no such mitigating measures were taken, an organisation that has admitted its infringement and taken responsibility for correcting or limiting the impact of its actions may be treated with some leniency.
Recommendation
With the GDPR becoming applicable and the draft Guidelines in place, the Hellenic DPA's approach to the level of fines may shift significantly. As practical advice to organisations acting as controllers or processors, the best way to strengthen their position now, before any GDPR infringement occurs, is a thorough GDPR compliance exercise that should include:
- Design and implementation of appropriate data protection policies and procedures;
- Review and implementation of appropriate technical and organisational measures that would protect the personal data within their organisation and outside it (when data are processed by service providers); and
- Training of employees and raising their awareness, to improve understanding of the GDPR and to ensure that the relevant policies and procedures are actually implemented (an ongoing task).