Written by Petr Šebatka and Jan Metelka

Less than 6 months remain for individuals and companies to get ready for the breakthrough regulation in personal data protection envisaged by the Regulation 2016/679 of 27 April 2016[1] (furthermore as “GDPR“).  Since the final version of this Regulation, experts have tried to clarify some remaining “grey” areas to leave as few room for doubts and misinterpretations as possible. The most relevant and valuable inputs came from the Article 29 Data Protection Working Party, which is composed of representatives of the supervisory authorities designed by each EU country, representatives of the authorities established for the EU institutions and bodies and a representative of the European Commission. Also in relation to GDPR, the guidelines and FAQs from the Article 29 Working Party were proven undeniably helpful in clearing some outstanding issues, such as the right to “data portability”[2], role of Data Protection Officers (“DPOs”)[3], role of the Lead Supervisory Authorities[4], or for example, the consequences of automated individual decisions making[5].

 

One of the main reasons for the fuss regarding GDPR and for quick implementation of all required obligations is the issue of fines, further described in the wording of Article 83 of GDPR. A fine may be granted up to a maximum of EUR 10,000,000 (or up to 2% of the total worldwide annual turnover in the case of an enterprise) or up to EUR 20,000,000 (or up to 4% of the total worldwide annual turnover in the case of an enterprise). The breakdown into two groups reflects the importance of breached obligations where the higher rate group has obligations whose breach is expected to increase the level of interference with the right to protection of personal data that GDPR ensures. The lower rate includes, for example, a breach of the provisions on records of processing or privacy impact assessments, while higher rates include, for example, breaches of the principles governing the law and the lawfulness of processing, the conditions for consent to the processing of personal data, the conditions for processing specific categories of personal data and the rights of the data subject.

Article 83 already includes a brief condition for the calculation of the fine: that regard shall be given mostly to the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, any action taken by the controller or processor to mitigate the damage, the degree of responsibility of the controller or processor, any relevant previous infringements, the degree of cooperation with the supervisory authority or the categories of personal data affected by the infringement. That provides a fair overview on how should the potential fine be calculated.

However, in the viewpoint of Article 29 Working Party, this distinction is not clear enough and therefore the Working Party in October 2017 adopted the respective Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679[6] (furthermore as “Guidelines“), being the first and most relevant document for the interpretation of Article 83 of the GDPR and its interplay with Articles 58, 70 and their recitals. The goal is that these Guidelines shall be used by the supervisory authorities to ensure better application and enforcement of the GDPR. Although the Guidelines are not exhaustive and cannot provide the reader with the differences between administrative, civil or criminal law sanctions in various countries in general, they can serve as a template for a common consistent approach among member states.

That is stressed in the first section of Guidelines explaining the main Principles, such as that the level of protection should be equivalent in all Member States (in cross-border cases consistency shall be achieved primarily through the one-stop shop cooperation mechanism) and all imposed measures shall be effective, proportionate and dissuasive in both national cases and in cases involving cross-border processing of personal data. The Guidelines then continue with the important concept of assessing each case individually, which shall mean, that choosing the appropriate measures must include consideration of all of the corrective measures, which would include consideration of the imposition of the appropriate administrative fine, either accompanying a corrective measure under Article 58(2) of GDPR or on its own.

Key part of the Guidelines is dedicated to the various assessment criteria arising from the Article 83 (2) GDPR, which are listed under letters a) – k) and some of them have already been mentioned above in this text. It provides the reader with a further description of what is deemed long duration, intentional/negligent character, various mitigating actions, steps of responsibility of data controllers and processors and many others. In conclusion it is safe to say, that using the Guidelines across the European Union, the degree of coherence would be significantly higher, positively contributing to the legal certainty of all parties and further increasing the quality of contemporary data protection laws in the European Union.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), which could be found online on http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

[2] http://ec.europa.eu/newsroom/document.cfm?doc_id=44099

[3] http://ec.europa.eu/newsroom/document.cfm?doc_id=44100

[4] http://ec.europa.eu/newsroom/document.cfm?doc_id=44102

[5] http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47963

[6] http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889