GDPR, Part V: Understanding the Fines and Penalties Provisions
By: Jay F. Kramer and David B. Sherman
Non-compliance with the forthcoming General Data Protection Regulation (GDPR) can mean significant fines and administrative penalties for non-compliant data controllers and processors. The GDPR will go into effect on May 25, 2018, when the former Data Protection Directive 95/46/EC is repealed. While the former directive was binding on all EU member states, it left to the national authorities of each state the choice of “forms or methods” to achieve compliance with its intended results. By contrast, the entire GDPR, including all of its enforcement provisions are binding immediately, and do not require any additional implementing measures. Entities which process the data of EU citizens must therefore understand their responsibilities under the GDPR and must be prepared to immediately comply with its provisions or risk significant administrative fines and penalties. This article (the fifth in our seven-part series on the GDPR) will discuss the GDPR’s protocols for establishment of supervisory authorities and the factors such authorities will evaluate in the assessment of administrative fines and penalties for non-compliant entities.
“Supervisory Authorities” under the GDPR, and how they exercise their authority
Under Article 53 of the GDPR, each member state shall establish a “supervisory authority” which has “the qualifications, experience and skills, in particular in the area of the protection of personal data.” Within a particular member state, each controller or processor will be subject to the authority of a single “lead supervisory authority.” The lead supervisory authority is determined by where the controller or processor has its “main establishment,” or the place of “its central administration in the Union” (in other words, its headquarters, in most cases).
In cases in which a controller or processor operates in multiple jurisdictions, the lead supervisory authority will coordinate as needed with other “concerned” supervisory authorities on matters of compliance and enforcement. Whether through a “lead” or “non-lead” authority, the GDPR provides mechanisms for disputes to be resolved, decisions to be made, and for all parties to the matter to be notified.
Articles 57 and 58 further detail the “tasks” and “powers” charged to each supervisory authority, including the responsibility to, among others:
- monitor and enforce the application of the regulation;
- handle complaints lodged by a data subject, or by a body, organization or association; and
- conduct investigations on the application of the regulation, including on the basis of information received from another supervisory authority or other public authority.
Significantly, each supervisory authority shall also have the power to:
- order the controller and the processor or its representative to provide any information it requires for the performance of its tasks;
- carry out investigations in the form of data protection audits; and
- use all of the following “corrective powers,” including:
- issuing warnings to a controller or processor;
- issuing reprimands for infringements and orders to comply with data subjects’ requests;
- imposing temporary or definitive limitations, including a ban on processing; and
- imposing administrative fines pursuant to Article 83.
Potential administrative fines under Article 83
Considerations in the determination of fines
Article 83 of the GDPR authorizes each supervisory authority to impose administrative fines that are “effective, proportionate and dissuasive” with respect to infringements of the regulation. In the determination of an appropriate administrative fine, Article 83 mandates that supervisory authorities give “due regard” to the following:
(a) the nature, gravity, and duration of the infringement, including the number of data subjects affected;
(b) the intentional or negligent character of the infringement;
(c) actions taken by the controller or processor to mitigate the damage;
(d) technical and organizational data protection measures previously in place;
(e) any prior relevant infringements by the particular controller or processor;
(f) the degree of cooperation with the supervisory authority to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) whether the controller or processor notified the supervisory authority of the infringement, or whether is was learned about otherwise;
(i) whether a history of related compliance issues exists;
(j) whether the controller or processor adhered to approved codes of conduct or approved certification mechanisms; and
(k) any other aggravating or mitigating factors applicable, including financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
After consideration of the foregoing, the fines resulting from infringements of the regulation will fall into two tiers; a higher fine threshold and a lower fine threshold, depending on the facts and circumstances of each case.
Lower tier violations
Pursuant to Article 83, infringements of certain provisions of the regulation shall subject controllers and processors to:
These provisions include the failure of a controller or processor to:
- Obtain a child’s consent according to the applicable conditions in relation to information society services (Article 8);
- Notify the supervisory authority of a personal data breach (Article 33);
- Notify the data subject of a personal data breach (Article 34); and
- Designate a data protection officer (and the data protection officer has related obligations to their position) (Articles 37-39).
In addition, there are obligations of certification and monitoring bodies (for monitoring of approved codes of conduct) to take appropriate action to enforce code violations, which if not performed, can subject controllers or processors to the fines detailed above.
Higher tier violations
Article 83 also lists the infringements of what are considered to be more serious provisions of the GDPR which shall subject controllers and processors to:
“administrative fines up to 20,000,000 euros, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
These provisions include the failure of a controller or processor to comply with:
- the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9;
- the data subjects' rights pursuant to Articles 12 to 22 (the “Rights of the Data Subject”);
- the appropriate conditions for the transfer of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49;
- any obligations pursuant to member state law adopted under Chapter IX; or
- non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
As with all potential fines under the GDPR, the supervisory authority is permitted to consider any aggravating or mitigating factor applicable to the circumstances of the case. These factors are likely to include financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Other Remedies Under the GDPR: The Right to Judicial Relief
In addition to providing for the assessment of administrative fines, the GDPR also authorizes data subjects to seek judicial relief against a supervisory authority, controller, or processor to obtain compensation for any damages. Judicial actions are without prejudice to any other administrative or non-judicial remedy under Articles 78, 79, and 82. In other words, the ability to bring an individual action for damages and compensation is independent from any action taken by a supervisory authority to impose administrative fines.
Article 82 provides that “any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” Generally, any controller involved in processing shall be liable for the damage caused “by processing which infringes the Regulation.” Similarly, processors themselves are liable either for damages resulting from non-compliance with its obligations under the regulation, or “where it has acted outside or contrary to lawful instructions of the controller.” In other words, a failure to carefully adhere to instructions from a data controller could subject a data processor to significant liability under the GDPR. As has been seen in many other contexts, this highlights the critical need for entities to focus on risk associated with poor third-party vendor management.
It is significant to note that under the regulation, both controllers and processors are exempt from liability if, pursuant to Article 82, they can prove that they are “not in any way responsible for the event giving rise to the damage.” Supervisory authorities are likely to look to the Article 83 factors listed above in determining whether or not a controller or processor is “responsible” for the event giving rise to the damage.
The potential for significant fines and penalties against data controllers and processors is likely to motivate many companies to act aggressively to develop GDPR-compliant policies and procedures by May 25, 2018. While compliance with all provisions of the regulation is required for controllers and processors of EU citizens’ data, particular attention should be given to the considerations listed in Article 83 that can trigger either of the tiers of significant administrative fines. Other infringements, while no less important, may only trigger “corrective” warnings, reprimands, or other temporary processing limitations from relevant supervisory authorities.
 For more information on identifying the lead supervisory authority for a controller or processor, see the EU’s Article 29 Working Party’s official guidance on the topic at http://ec.europa.eu/newsroom/document.cfm?doc_id=44102 and a list of current authorities at http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
 Although we refer to this category of fines as the “lower tier” of potential fines under the GDPR, it is significant to note that at the time of this writing, the maximum 10 million euro fine enumerated in the regulation is the equivalent of approximately $11,923,500.
 The meaning of “undertaking” is outlined in Recital 150 of the GDPR, which states that where administrative fines are imposed on an undertaking, an ‘undertaking’ should be understood in accordance with Articles 101 and 102 Treaty on the Functioning of the European Union (TFEU). Under these articles, an ‘undertaking’ has been found to reference the control one company may exert over another company. Where one company exerts actual control over another company, they can be deemed to have formed a single economic entity and therefore a single “undertaking.” This would mean the collective revenues of the entities could be used for assessing administrative fines.
 The term “annual turnover” is not defined in the GDPR, so it is not entirely clear how this figure might be determined in the calculation of an administrative fine. It is noteworthy, however, that the term “turnover” is generally used in the U.K. and other parts of the EU to refer to the total net sales generated by a business.
 An “information society service” is, as defined per Directive (EU) 2015/1535, “any service normally provided for remuneration…by electronic means and at the individual request of a recipient of services,” where the service is provided without the parties being simultaneously present.