Article 29 Working Party Guidelines on fines under the GDPR
The Article 29 Working Party (“WP29”) (a European advisory body on data protection and privacy) adopted guidelines for supervisory authorities on setting fines under the new General Data Protection Regulation (“GDPR”) regime. Fines are just one of the enforcement powers that supervisory authorities will have under the GDPR and may not be appropriate in every case. The guidelines summarise the common approach that is expected to be applied by all authorities in terms of (1) deciding whether to impose a fine for breaches of the GDPR and (2) determining the amount of any fine to be applied.
The GDPR provides for maximum fines for the most serious breaches of up to EUR 20 million or (in the case of an ‘undertaking’) 4% of total worldwide annual turnover, whichever is higher. ‘Undertaking’ is a legal term (understood, for these purposes, to mean an ‘economic unit’) which the WP29 considers could pick up a parent company and all involved subsidiaries. This may mean, although it is not clear, that fines could be calculated with regard to wider group turnover.
Like all corrective measures, fines are required to be “effective, proportionate and dissuasive”. The guidelines state that fines should “adequately respond to the nature, gravity and consequences of the breach, and the supervisory authority must assess all the facts of the case in a manner that is consistent and objectively justified”. Before determining whether to impose a fine and the level of the fine, supervisory authorities will need to take into account factors including how many data subjects are affected, whether they suffered any damage, whether the infringement was intentional and any similar past infringements. The GDPR envisages that in the case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may, but need not, be issued instead of a fine.