Fine Determination. Cordery GDPR Navigator

Transcription

1 Fine Determinatin Crdery GDPR Navigatr This nte is part f the Crdery GDPR Navigatr.

2 Technical terms are used in this dcument which are explained in the glssary. Intrductin Under the Eurpean General Data Prtectin Regulatin ( GDPR ) supervisry authrities, better knwn as data prtectin regulatrs ( DPAs ) have significantly enhanced enfrcement pwers at their dispsal with regard t nn-cmpliance with the GDPR, including the ability t impse very high fines n bth data cntrllers and data prcessrs. In additin, data cntrllers and data prcessrs may als be liable t individuals fr damages/cmpensatin fr infringements f the GDPR. The GDPR applies t the Eurpean Ecnmic Area ( EEA ), i.e. the 28 Eurpean Unin ( EU ) Member States plus Iceland, Liechtenstein and Nrway, but rganisatins based utside the EEA culd als be subject t nn-cmpliance enfrcement by DPAs, including the impsitin f fines. It is expected that guidance at the EU level will be issued in the future abut fines - this might fllw EU plicy in the area f cmpetitin/anti-trust law, fr example cncerning aggravating and mitigating factrs. This briefing fcuses n the key aspects f fines, with sme mentin f liability t individuals. Regulatr pwers Under the GDPR, natinal DPAs remain the bdies respnsible fr mnitring and enfrcing cmpliance with data prtectin law in their particular EU Member State, albeit under the new s-called One-Stp- Shp supervisry and c-peratin mechanism. Each DPA has a range f crrective, authrisatin and advisry pwers in rder t ensure that rganisatins cmply with the GDPR, supprted by investigative pwers including the ability t undertake audits and dawn raids.

3 Regulatrs crrective pwers (which may themselves be subject t fines if cntravened) include the fllwing: Issuing reprimands t a data cntrller r prcessr where prcessing peratins have infringed the GDPR; Ordering a data cntrller r prcessr t cmply with a data subject's requests t exercise his r her rights pursuant t the GDPR; Ordering a data cntrller t cmmunicate a persnal data breach t a data subject; Impsing a temprary r definitive limitatin, including a ban n prcessing; Ordering the rectificatin r erasure f persnal data r restrictin f data prcessing pursuant t a data subject's rights and ntifying thse actins t recipients t whm the persnal data has been disclsed; Ordering the suspensin f data flws t a recipient in a third cuntry r t an internatinal rganisatin; and, Impsing an administrative fine. What is meant by a fine? The GDPR prvides new and significantly increased (capped) levels f fines that DPAs are permitted t impse against data cntrllers, and nw data prcessrs t, wh have breached certain prvisins f the GDPR. This is the first time that the ability t impse fines fr data prtectin infringements (and up t the same amunt) has been harmnised acrss the EU. In many jurisdictins this will represent a very significant increase frm the fines currently available. It may therefre take sme time fr sme DPAs t adjust t the idea f impsing higher fines especially since DPAs are likely t want t make sure that they fully investigate the first cases where they make use f their new pwers. Fines may be impsed instead f, r in additin t, measures that can be rdered by a DPA (under the abve-mentined crrective pwers). But, in a case f a minr infringement, r, if the fine likely t be impsed wuld cnstitute a disprprtinate burden n a natural persn, a reprimand may be issued instead f a fine. Althugh the GDPR states this nly with regard t a natural persn, it can be argued that in the apprpriate situatin this shuld als apply t an rganisatin - after all, impsing a fine is a discretinary pwer (see immediately belw).

4 Where an administrative fine is impsed n a persn that is nt an undertaking (see later belw), a DPA shuld take accunt f the general level f incme in the EU Member State as well as the ecnmic situatin f the persn in cnsidering the apprpriate amunt f the fine. Als, if a cntrller r prcessr intentinally r negligently, fr the same r linked prcessing peratins, infringes several prvisins f the GDPR, the ttal amunt f the administrative fine shall nt exceed the amunt specified fr the mst serius infringement. Fines are nt mandatry - instead they are discretinary and s they are t be impsed n a case-bycase basis. Fines must als be effective, prprtinate and dissuasive s this t allws rm fr discretin t suit a given set f circumstances. But, althugh fines are discretinary, the s-called cnsistency mechanism may be used t prmte a cnsistent applicatin f administrative fines. In shrt, the cnsistency mechanism is an fficial regulatry means under the GDPR under which the DPAs will cperate with each ther, and where necessary with the Eurpean Cmmissin, thrugh specific prcedures t ensure that the GDPR is applied cnsistently. This prcess will therefre act as a kind f disciplinary measure. It might in practice mean that, fr example, there is a brad range f fines that will apply fr given infringements, allwing fr a degree f certainty and predictability we ll have t wait and see hw this wrks in practice as the fines system beds dwn. The GDPR als cntains a number f carve-uts allwing EU Member States t impse their wn rules. In the area f fines, Member States may determine whether and t what extent administrative fines may be impsed n public authrities established in their Member State. Fr the sake f clarity, n similar discretin exists fr the private sectr. In additin, EU Member States can adpt ther penalties applicable t infringements f the GDPR, in particular fr infringements which are nt subject t administrative fines under the GDPR, and must take all measures necessary t ensure that they are implemented these penalties must als be effective, prprtinate and dissuasive.

5 Finally, EU Member States can als adpt their wn rules n criminal penalties fr infringements f the GDPR, including fr infringements f natinal rules adpted pursuant t and within the limits f the GDPR. Thse criminal penalties may als allw fr the deprivatin f prfits btained thrugh infringements f the GDPR. Hwever, the impsitin f criminal penalties shuld nt lead t duble jepardy, i.e. being punished twice fr the same infringement. Can I appeal against a fine? Yes. Under the GDPR, withut prejudice t any ther administrative r nn-judicial remedy, each natural r legal persn has the right t an effective judicial remedy against a legally binding decisin f a DPA cncerning them, including fines. Legal prceedings against a DPA are t be brught befre the curts f the EU Member State where the DPA is established, i.e. appeals will be subject t natinal legal prcedural and substantive cnsideratins. Ultimately there is the pssibility f issues relating t the fining mechanism under GDPR being referred t the Eurpean Curt f Justice (ECJ). What levels f fines are there? There are tw categries f infringement which attract a different maximum fine. In each categry the maximum fine is expressed in Eurs, r, in the case f an undertaking as a percentage f wrldwide annual turnver (i.e. nt prfit) f the preceding year, whichever is higher. It is unclear at this stage whether wrldwide turnver relates nly t the relevant cntrller/prcessr r t its grup. Under the GDPR an undertaking is meant as an undertaking under Articles 101 and 102 f the Treaty f the Functining f the Eurpean Unin, which cncern cmpetitin/anti-trust law. What is essentially meant by this is that an undertaking is an entity that engages in ecnmic activity. Eurpean Cmmissin cmpetitin/anti-trust law practice and Eurpean Curt case-law give a wide interpretatin f this ntin s it will be difficult fr an entity t argue that it is nt an undertaking. The tw tiers f fines are as fllws:

6 A fine f up t 10,000,000, r in the case f an undertaking, up t 2% f the ttal wrldwide annual turnver (nt prfit) f the preceding financial year, whichever is higher, fr certain defined infringements f the GDPR (see belw); and, A fine f up t 20,000,000, r in the case f an undertaking, up t 4% f the ttal wrldwide annual turnver (nt prfit) f the preceding financial year, whichever is higher, fr certain defined infringements f the GDPR (see belw). What can I be fined fr? The GDPR infringements which can be subject t fines cncern the fllwing: Under the 10,000,000 maximum/2% undertaking ttal wrldwide annual turnver categry, three brad areas exist as fllws: An extensive range f bligatins n bth data cntrllers and data prcessrs in relatin t matters including the fllwing: Obtaining cnsent t the prcessing f children's data; Prcessing which desn t require identificatin; Implementing technical and rganisatinal measures t ensure data prtectin by design and by default; Jint cntrllers arrangements t agree their respective cmpliance bligatins; Cntrllers r prcessrs nt established in the EU designating representatives in the EU; Cntrllers engaging prcessrs; Prcessrs sub-cntracting nly with the prir cnsent f a cntrller t prcess data nly n a cntrller s instructin; Maintaining recrds f prcessing activities; Cntrllers and prcessrs c-perating with DPAs; Security f prcessing - implementing technical and rganisatinal measures; Breach ntificatin and cmmunicatin; Data prtectin impact assessment, and, prir cnsultatin with a regulatr; Designatin, psitin and tasks f data prtectin fficers; Obligatins f cntrllers and prcessrs cncerning data prtectin certificatin and certificatin bdies;

7 Obligatins f a data prtectin certificatin bdy in respect f certificatin f data prcessing; and, Obligatins f a mnitring bdy cncerning infringement by a cntrller r prcessr f a data prtectin certificatin cde; Under the 20,000,000 maximum/4% undertaking ttal wrldwide annual turnver categry, five brad areas exist as fllws: The basic principles fr prcessing f persnal data, and, special categries f data, and, cnditins fr cnsent; Data subjects' rights, including: Subject access requests; The right t rectificatin f data; The right t erasure/right t be frgtten; The right t restrictin f prcessing; The right t data prtability; The right t bject t prfiling; Transfers f persnal data t third cuntries r internatinal rganisatins, including transfers n the basis f an adequacy decisin, standard mdel clauses, and, binding crprate rules; Obligatins under EU Member State law, including as regards data prcessing and freedm f expressin and infrmatin, prcessing and public access t fficial dcuments, and prcessing in the cntext f emplyment; and, Nn-cmpliance with an rder r a temprary r definitive limitatin n prcessing r the suspensin f data flws by a DPA pursuant t its crrective pwers r failure t prvide access in vilatin f a DPA's investigative pwers. As a stand-alne item under the GDPR, administrative fines up t 20,000,000, r in the case f an undertaking, up t 4% f the ttal wrldwide annual turnver (nt prfit) f the preceding financial year, whichever is higher may als be impsed fr nn-cmpliance with a crrective rder (see abve) impsed by a DPA. What aggravating and mitigating factrs are taken int cnsideratin when a fine is impsed?

8 When determining the level f fine, a DPA needs t take int cnsideratin a number f factrs which include: The nature, gravity and duratin f an infringement, taking int accunt the nature, scpe r purpse f the prcessing cncerned as well as the number f data subjects affected and the level f damage suffered by them; The intentinal r negligent character f an infringement; Any actin taken by a cntrller r prcessr t mitigate the damage suffered by data subjects; The degree f respnsibility f a cntrller r prcessr taking int accunt technical and rganisatinal measures implemented by them with regard t data prtectin by design and by default, and, security f prcessing; Any relevant previus infringements by a cntrller r prcessr; The degree f c-peratin with a DPA in rder t remedy an infringement and mitigate the pssible adverse effects f the infringement; The categries f persnal data affected by an infringement; The manner in which the infringement became knwn t the DPA, in particular whether, and if s t what extent, the cntrller r prcessr ntified the infringement; What cmpliance was taken where there was a previus infringement f the same type by a cntrller r prcessr and enfrcement against that; Adherence t apprved data prtectin cdes f cnduct pursuant t r apprved data prtectin certificatin mechanisms; and, Any ther aggravating r mitigating factr applicable t the circumstances f the case, such as financial benefits gained, r lsses avided, directly r indirectly, frm the infringement. What abut due prcess? The exercise by a DPA f its fining pwers is subject t apprpriate prcedural safeguards in accrdance with EU law and EU Member State law, including effective judicial remedies and due prcess. What if an EU Member State desn t have a system fr administrative fines? Where the legal system f an EU Member State desn t prvide fr administrative fines, the fining pwers set ut under the GDPR may be applied in a way that the fine is initiated by a DPA and then impsed by an EU Member State curt, while ensuring that thse legal remedies are effective and have

9 an equivalent effect t the administrative fines impsed by DPAs. These fines must als be effective, prprtinate and dissuasive. Can I be subject t enfrcement actin if I am utside the EU? The GDPR significantly extends the territrial reach f EU data prtectin law as the GDPR applies t the prcessing f persnal data f data subjects wh are in the EU by a data cntrller r prcessr nt established in the EU, where the prcessing activities are related t: The ffering f gds r services, irrespective f whether a payment f the data subject is required, t thse data subjects in the EU; r, The mnitring f their behaviur as far as their behaviur takes place within the EU. The GDPR applies t the prcessing f persnal data by a cntrller nt established in the EU, but in a place where EU Member State law applies by virtue f public internatinal law. Prcessing that is caught by this extended territrial reach therefre entitles DPAs in the relevant jurisdictins t take enfrcement actin, and, where applicable, issue fines as described abve. Can I be liable t individuals fr data prtectin infringements? Under the GDPR any persn wh has suffered material r nn-material damage as a result f an infringement f the GDPR has the right t receive full and effective cmpensatin frm a data cntrller r prcessr fr the damage suffered. The cncept f damage is t be bradly interpreted in light f ECJ case-law in a manner which fully reflects the bjectives f GDPR. But this is withut prejudice t any claims fr damage deriving frm infringement f ther rules in EU law r EU Member State law. Prcessing that infringes the GDPR als includes prcessing that infringes delegated and implementing acts adpted in accrdance with the GDPR and EU Member State law specifying the GDPR rules. Any cntrller invlved in prcessing will be liable fr the damage caused by prcessing which infringes the GDPR.

10 A prcessr will be liable fr damage caused by prcessing but nly where they have nt cmplied with the GDPR bligatins specifically directed t prcessrs, r, where they have acted utside r cntrary t the lawful instructins f a cntrller. But a cntrller r prcessr will nt be liable here if they can prve that they are nt in any way respnsible fr the event giving rise t the damage. Where, either, mre than ne cntrller r prcessr, r, bth a cntrller and a prcessr, are invlved in the same prcessing and where they are respnsible fr any damage caused by prcessing, as set ut in the three paragraphs immediately abve, each cntrller r prcessr will be held liable fr the entire damage in rder t ensure that a data subject receives effective cmpensatin. Where a cntrller r prcessr has, in accrdance with this, paid full cmpensatin fr the damage suffered, that cntrller r prcessr will be entitled t claim back frm the ther cntrllers r prcessrs invlved in the same prcessing the part f the cmpensatin crrespnding t their part f respnsibility fr the damage. Curt prceedings fr exercising the right t receive cmpensatin are t be brught befre EU Member State curts. Fr prceedings against a cntrller r prcessr, a plaintiff shuld have the chice t bring an actin befre the curts f the EU Member States where the cntrller r prcessr has an establishment r where the data subject resides, unless the cntrller is a public authrity f an EU Member State acting in the exercise f its public pwers. Where legal prceedings cncerning the same subject matter as regards prcessing f the same cntrller r prcessr are pending in a curt in anther EU Member State, the curt in a Member State curt ther than the curt first seized may suspend its prceedings. Data subjects can appint a nt-fr-prfit bdy, rganisatin r assciatin in rder t exercise their right fr an effective judicial remedy r t exercise the right t receive cmpensatin. It shuld be nted that there are currently cases under the existing regime n cmpensatin including litigatin invlving Max Schrems which is heading t the ECJ n a referral frm the Austrian curts. In additin a representative actin in the England & Wales - Ggle -v- Vidal-Hall case have nw reached a settlement agreement. There is mre n the Vidal-Hall case here This case cncerned the issue f financial cmpensatin fr distress caused by data prtectin infringements

11 withut there being mnetary lss. Althugh the Vidal-Hall case cncerned the UK s Data Prtectin Act 1998 it may have repercussins fr the UK in the GDPR regime. Hw can I best prepare t deal with fines and liability issues? T best prepare fr dealing with fines and liability issues cnsider the fllwing checklist: Althugh the full applicatin f the GDPR will be in May 2018 d nt delay preparatin fr cmpliance, including as regards fines and liability - there is a lt t d s start nw and make sure yur rganisatin understands this clearly including at the tp; In rder t cmply with, r face the very real pssibility f fines (r ther sanctins as described abve) r cmpensatin claims described abve, start minimising r eradicating risk in the business nw at all levels by awareness-raising in an infrmed and cnsidered way abut: The increase in fining level that culd be incurred in the EU fr data prtectin infringements, and highlight the fact this is tied t wrldwide turnver; and, The extended scpe ( material r nn-material damage ) fr individuals t make claims against the business fr data prtectin infringements; Mnitr any guidance at EU and DPA levels prvided n the interpretatin f the GDPR and fines and liability, including the implementatin f any natinal carve uts ntably as cncerning criminal penalties; Fllwing fine develpments acrss EU Member States, especially where the business is present - it will take sme time fr sme DPAs t adjust t the new regime, including the idea f impsing higher fines, s fllw and r try and spt trends; In case the business lks like it might be subject t a fine: Clearly examine what the alleged infringement is - the articles f the GDPR are nt necessarily clear n what all f the elements are that cnstitute an infringement; Because fines are nt mandatry but discretinary and are impsed n a case-by-case basis, seek t persuade a DPA f reasns t apply its discretin and nt impse a fine; Because fines must be effective, prprtinate and dissuasive, which als allws a DPA rm fr discretin, raise thse issues with a DPA as apprpriate, especially as regards the prprtinality f a fine; Address all aggravating and mitigating factrs with a DPA - this is abslutely crucial;

12 In line with the cnsistency mechanism cnsider whether a fine is cnsistent with what is being impsed in ther EU Member States; If the business is subject t a fine cnsider ldging an appeal; Data prcessrs and cntrllers shuld start engaging in detailed negtiatins f data prcessing agreements (mre time will likely be needed than currently - assess the risks and pprtunities). Start drafting and cnsidering yur negtiating psitin and especially cnsider liability (and exclusin), fr example, each side may seek indemnity cverage frm the ther in relatin t claims r fines received by them pursuant t the actins r missins f the ther - strengthen yur psitin and avid unpleasant surprises; Data prcessrs will seek t ensure that: the scpe f a cntrller s instructins are clear; cnsent has been prperly btained frm data subjects; and, that limitatin f liability and indemnity measures exist t prtect their psitin - this will be new territry fr prcessrs; Run a GDPR gap analysis in rder t identify areas f nn-cmpliance, real r perceived, and accrdingly priritise steps t address these, in particular cncerning high-risk data prcessing activities; Update yur risk registers; Check what insurance arrangements yu have in place and review these accrdingly, especially cncerning any new risks; Plan t deal with civil liability claims; Key issues t cnsider include what psitin t take with regard t liability and relevant cntract terms with cntrllers r prcessrs; understanding the risks and pprtunities this invlves, and cnsidering insurance cver as apprpriate; and At the same time as ding the abve, dn t frget yur existing bligatins under the current data prtectin regime and cntinue t cmply with them. Relevant sectins f the GDPR If yu want t fllw all f the detail in GDPR the main articles are mentined belw. Other articles such as thse crss-referenced in the articles belw are nt mentined: Recitals: Fines - 148, 149, 150, 151, & 152 Liability - 142, 143, 144, 145, 146 & 147

13 Articles: Fines - 83 & 84 Liability - 78, 79, 80, 81 & 82 Need t knw mre? There is mre infrmatin abut this and ther data prtectin tpics in Crdery's GDPR Navigatr subscriptin service. GDPR Navigatr includes shrt films, straightfrward guidance, checklists and regular cnference calls t help yu cmply. Mre details are at

14 This paper is fr infrmatin purpses nly and the infrmatin in this paper des nt cnstitute legal advice. The law changes regularly and this paper sets ut the psitin in June If yu need legal advice n a specific matter, yu shuld cnsult with a qualified lawyer. T the fullest extent permitted by law, neither Auth0 nr Crdery make any representatins, warranties, guarantees r undertakings related t the infrmatin prvided in this paper.