The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation.
To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which starting from already well-known privacy concepts, give a brief first guide to the new regulation.
What fines are provided for by the GDPR?
The GDPR sets out specific rules both in terms of civil liability and administrative responsibility. Therefore, rules are laid down both for cases when a data subject suffers damage during the processing of his/her personal data (e.g. the illegal circulation of personal data concerning health) and in order to determine the consequences of the non-fulfillment by the controller of the obligations provided for by the GDPR. This means that a data controller may be called to answer to both a data subject who believes he/she has suffered damage due to unlawful processing, and to the supervisory authority, which may impose an administrative fine in case of non-compliance with the provisions of the GDPR.
Are penalties provided for?
The GDPR does not directly regulate the issue of criminal responsibility. However, it does give Member States the faculty to set down their own rules for introducing criminal penalties into national law. However, this delegation of power has very serious limits. In accordance with recital n. 149, the legislator may only introduce criminal penalties for infringements not punished by administrative fines provided that the criminal penalty does not constitute a repetition of the punishment in contrast with the principle of ne bis in idem, (literally, not twice for the same thing) established by the European Court of Justice.
What is the maximum administrative fine?
The GDPR imposes stiff maximum fines for infringements regarding the protection of personal data. Administrative fines could be up to 10 million Euros or up to 2% of the worldwide annual revenue for the preceding financial year, whichever is higher, for example, if a data breach is not notified to the supervisory authority, or if a Data Protection Officer is not designated. Fines could be as high as 20 million Euros or, up to 4% of the worldwide annual revenue for the preceding financial year, whichever is higher, in cases of the most serious data breaches. For example, the higher tier of fine is envisaged for non-compliance with an order imposed by a supervisory authority or for the unlawful transfer of personal data to a recipient in a non-European country.
What are the criteria for imposing administrative fines?
Although the maximum amounts for administrative fines are very high, it should be added that the fine imposed in practice must in any case be proportionate to the breach detected.
In other words, when applying administrative fines, the supervisory authority will necessarily have to take into account certain indicators. For example, the gravity, nature and duration of the infringement, the intentional character of the infringement and other factors such as any financial benefits gained as a result of the infringement should also be considered. Any measures taken by the controller or processor to mitigate the damage suffered by data subjects, any previous infringements committed by the data controller (or processor) and also the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible negative effects, must also be taken into account.
What is envisaged regarding civil liability?
Any person who has suffered damage caused by an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage incurred. However, the processor is not always responsible for the damage, but only if he/she is non-compliant with the obligations laid out in the GDPR specifically directed to processors or where he/she has acted contrary to lawful instructions of the controller.
Where more than one controller or processor or both a controller and a processor (joint controllers) are responsible for damage, each one will be liable for the entirety of the damage. However if one joint controller has paid full compensation, he/she is at a later time entitled to claim back from the other joint controllers the parts of the compensation corresponding to their part of responsibility.
What remedies are available to the data subject?
Every data subject who considers that the processing of his/her personal data infringes the Regulation has the right to lodge a complaint with a supervisory authority. In more precise terms, the data subject may lodge his/her complaint either with the supervisory authority in the Member State of his/her habitual residence or place of work, or with the supervisory authority of the place where the alleged infringement has occurred.
So, for example, a data subject who resides in Italy may lodge a complaint with the Italian supervisory authority or may lodge a complaint with the supervisory authority in the country in which he/she has suffered the infringement. The provision issued by the supervisory authority may be subject to appeal. All the parties involved in the decision may file an appeal against the supervisory authority’s decision with the judicial authorities of the Member State in which the supervisory authority, which issues the provision, is established.
Moreover, a data subject who considers that a controller or a processor has infringed his/her rights, has the right to bring an action before the courts of the Member State where he/she has his/her habitual residence, or place of work, or before the judicial authority where the controller or processor has an establishment, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
In what way can the data subject take action?
The data subject may act for the protection of his/her rights independently or he/she may choose to mandate a not-for-profit body, organisation or association to lodge a complaint on his/her behalf with a supervisory authority, exercise his/her right to a judicial remedy or, where provided for, exercise his/her right to receive compensation.
The not-for-profit body, organisation or association must have statutory objectives which are in the public interest and be active in the field of the protection of personal data.