WP29 Guidelines Review: How DPAs Will Apply Administrative Fines Under the GDPR
The GDPR grants extensive enforcement powers to the national data protection authorities (DPAs), including the ability to impose significant administrative fines for infringement of certain provisions (up to 20 million or 4 percent of global turnover).
Unsurprisingly, this topic has generated a lot of interest for organisations that have to incorporate data protection compliance into their business risk assessment. In early October, the Article 29 Working Party published new guidelines on the application of administrative fines. While the guidelines remain relatively general and somewhat predictable, they do contain some interesting comments and examples. The main takeaways can be summarised as follows:
Meaning of “Undertaking”
When organisations are at risk of being fined up to 4% of the turnover of their “undertaking,” understanding how this term should be interpreted becomes crucial, especially for large company groups. The WP29 has now confirmed that this term should be understood broadly. Following the previous EU case law, it states that an “undertaking” is an economic unity that includes all entities taking part in the same commercial/economic activities, regardless of the legal status of the entity. An undertaking may therefore include both a parent company and all involved subsidiaries.
Imposing an administrative fine is not automatic. The WP29 provides that where the infringement is minor, the DPAs may, but are not required to, replace the fine by a reprimand. An infringement will be considered minor if it does not pose any significant risk to the rights of individuals concerned, or does not affect the essence of the obligation breached.
Similarly, the WP29 also states that where the controller is a natural person, the DPAs may replace the fine by a reprimand if imposing a fine would constitute a disproportionate burden for that natural person.
Article 83 Criteria
The guidelines also provide additional details about the criteria listed in Article 83 GDPR and how DPAs should evaluate them when deciding on the fine, for instance:
- Number of Data Subjects: It can be illustrative of an isolated infringement or, conversely, symptomatic of a more systematic failure to implement the GDPR principles.
- Purpose Limitation: DPAs should analyse the purpose of the processing and carefully assess whether the purpose specification and compatibility principles have been complied with.
- Damage: Although DPAs are not competent to award compensation for damages, the existence and the level of any damage should be taken into account.
- Duration: An infringement extended over a long period may be illustrative of the organisation’s wilful conduct, or inability to put in place adequate safeguards.
- Previous Infringement: Even if the previous infringement is of a different nature, it may still be indicative of a general level of insufficient knowledge or disregard for GDPR principles.
- Degree of Cooperation with the DPA: Where the organisation’s efforts and cooperation have had the effect of preventing or limiting the negative consequences of the infringement on individuals’ rights, this cooperation may be considered a mitigating factor. This could be, for instance, the organisation’s specific response to the DPA during the investigation phase which had the result of significantly reducing the impact on individuals’ rights. No credit should, however, be given to organisations for simply complying with their GDPR obligations, such as allowing a DPA agent to access the premises, or notifying a data breach in a timely manner (on the contrary, failure to comply with these obligations may be considered an aggravating factor). Generally speaking, where the infringer gains an economic advantage from the infringement, DPAs should consider this a strong indication that a fine should be imposed.
Intentional vs. Negligent Infringement
While it is apparent that an intentional infringement will be more severely sanctioned than mere negligence, being able to distinguish between the two may be difficult in practice. The guidelines list some scenarios likely to be considered intentional infringements, including when the unlawful processing is explicitly authorised by the top management hierarchy or carried out in disregard of privacy policies.
Confirming the importance of the DPO within an organisation, the WP29 also provides that acting against the advice of the DPO may also be indicative of an intentional infringement.
Lack of resources is not an excuse for infringement. Although this does not come as a surprise, it affects SMEs in particular, which often do not have extensive privacy compliance budgets.
Approved Codes of Conduct and Certifications
Before deciding to impose a fine, DPAs should also carefully consider the infringer’s adherence to approved codes of conduct or certifications. By adhering to an approved code of conduct or certification, the organisation may demonstrate that it has implemented adequate measures and procedures and is therefore not responsible for the incident.
On a different aspect, if the organisation violates the code of conduct, DPAs may consider that the corrective action taken by the monitoring body is sufficiently effective, proportionate, and dissuasive on its own.
Cooperation and Consistency Among DPAs
When deciding on a fine, DPAs should apply the cooperation mechanism and involve all concerned DPAs in the decision. In case of disagreement, the EDPB will resolve the dispute. The guidelines stress that the EDPB may not only resolve disputes regarding the existence or absence of infringement, but also on whether the proposed fine is sufficiently effective, proportionate, and dissuasive.
The WP29 may adopt further guidelines on this topic in future, including guidance regarding the calculation of the fines.
How OneTrust Helps
Powered by deep privacy research, our comprehensive and integrated platform includes readiness assessments, privacy impact assessments (PIA/DPIA), data mapping automation, website scanning and cookie compliance, subject rights and consent management, incident reporting, and vendor risk management. Our team of privacy experts continually tracks developments like these and updates our products to align with global laws and regulations, industry programs and privacy frameworks.