The introduction of the General Data Protection Regulation was one of the most hotly anticipated developments the business and legal world has ever seen. One of the main reasons why businesses spend resources on becoming GDPR compliant is the huge fines that can be imposed by the national regulators, known as Data Protection Authorities (DPAs), for not respecting their obligations under the GDPR. Now that the GDPR has been in force for several months, it is interesting to review what has happened with enforcement in practice so far.
Equal powers for DPAs
Before the entry into force of the GDPR, all European countries had a Data Protection Authority (DPA), but there were few countries where the DPA was also able to fine companies that were not compliant with the data protection rules. This led to a huge difference in compliance levels from one country to another, because let’s be honest: the risk of getting fined is an important consideration in choosing whether and how heavily to invest in compliance projects. The GDPR has changed this by granting all EU DPAs the same level of investigatory and corrective powers.
One of the most far-reaching things a DPA can do since the GDPR, irrespective of the country in which it is located, is to impose administrative fines.
For a number of infringements, the fines can amount to EUR 10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover for the preceding financial year (whichever is higher), for example when:
- the company did not keep a record of processing activities;
- no processor agreement has been entered into; or
- no data protection officer has been assigned when the organisation should have appointed one.
However, the majority of infringements of the GDPR can be punished with a fine of up to EUR 20 million or, in the case of an undertaking, of up to 4% of the total worldwide annual turnover for the preceding financial year (whichever is higher). This will apply, for example, when:
- the organisation does not respect the basic principles or does not have a legal basis for processing;
- the data subjects' rights are not guaranteed; or
- transfers of personal data to a third country are not protected.
The GDPR states that these fines must be ‘effective, proportionate and dissuasive’. When assessing whether a fine should be imposed and when determining the amount, DPAs will have to take into account a range of mitigating and aggravating circumstances, such as the nature, the gravity and the duration of the infringement, the intentional or negligent character of the infringement, the nature of the personal data (whether or not it is sensitive), previous infringements by the company and so on.
By granting the DPAs the power to impose these heavy penalties, the European legislator aims to strengthen national ‘watchdogs’ to ensure compliance with the GDPR. The purpose of these heavy penalties is therefore clear: pushing GDPR compliance high up on the agenda of all organisations doing business in Europe, wherever they are headquartered.
Have DPAs already imposed fines?
More than half a year since GDPR implementation, there has not been a deluge of administrative fines all over Europe.
In Belgium, for instance, the DPA has taken the time to inform the public of the consequences of the GDPR by updating its website. It has confirmed that in the first half year of GDPR application, not a single fine has been issued, although it does note that some investigations are already ongoing.
In other countries, the DPA has already set an example by issuing a fine. The Austrian DPA imposed the first known fine under the GDPR, of EUR 4,800, for illegal video surveillance activities. Next came the Portuguese authority, which imposed a fine of EUR 400,000 on a hospital after a staff member illicitly accessed patient data. In France, the first fines were also issued under the GDPR: an employer who used a biometric system to monitor employees’ working time and failed to inform them was fined EUR 30,000. The most recent case was one of the regional German DPAs, which issued a fine of EUR 20,000 to a social media company that violated its data security obligations. In this case, the German regulator explained the relatively low fine by referring to the company’s exemplary cooperation with the authority after it discovered the hack and the huge investments the company made in strengthening its information security measures.
On the evidence to date, it seems that DPAs are not competing to issue the highest possible fines, but are striving to improve data protection and data security as much as possible.
Employer’s bottom line
Without a doubt, more fines are on the way. In the Ius Laboris Alliance, our specialised lawyers are ready to assist organisations not only in ensuring they are GDPR compliant to avoid fines, but also when they are confronted with investigations by, or discussions with, DPAs.