
Fines resulting from GDPR

As the GDPR becomes applicable, entrepreneurs should expect intensified inspections by supervisory authority inspectors. They will verify to what extent the new regulations have been implemented, and violations can attract substantial fines. What exactly do entrepreneurs risk by failing to meet the requirements set by the GDPR?

Currently, pursuant to national regulations, entrepreneurs face criminal, administrative and civil liability for infringement of the provisions on personal data protection.

As of 25 May 2018, when the GDPR becomes applicable, very high administrative fines will also be introduced: up to EUR 20 million or 4% of annual worldwide turnover. They are to be effective, proportionate and dissuasive. In each case, several factors will be taken into consideration, including:

  • the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the extent of the damage suffered by them;
  • the intentional or negligent character of the infringement;
  • actions taken by the controller or the processor to mitigate the damage suffered by data subjects;
  • the degree of responsibility of the controller or the processor, taking into account the technical and organisational measures implemented by them;
  • any previous infringements by the controller or the processor;
  • the degree of cooperation with the supervisory authority in remedying the infringement and mitigating its possible adverse effects;
  • the categories of personal data affected by the infringement.

The following entities are among those subject to a fine of up to EUR 10 million or, in the case of an enterprise, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher:

  • the controller and the processor, for infringement of, among others, the conditions applicable to a child's consent to the processing of personal data and the obligation of data protection by design and by default;
  • the certification body, for infringement of the certification rules.

An administrative fine of up to EUR 20 million or, in the case of an enterprise, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher, can be imposed for infringement of the following provisions:

  • the basic principles for processing, including the conditions for consent;
  • the data subjects' rights, e.g. the right to data portability, the right to be forgotten (erasure), the right to information or the right of access;
  • the rules on transfers of personal data to a recipient in a third country or an international organisation;
  • obligations under Member State law adopted pursuant to Chapter IX of the GDPR (specific processing situations);
  • an order, a temporary or definitive limitation on processing, or a suspension of data flows imposed by the supervisory authority.

As one can see, the upper limit of the fines is set very high. It seems unlikely, however, that the penalties, especially those imposed in the early period of GDPR applicability, will reach those upper limits.

According to the statistics provided by the Inspector General for Personal Data Protection (PL: GIODO), 192 inspections were carried out in 2016 and 199 in 2017. According to the GIODO report, only 1% of the reviewed IT systems failed to comply with the obligation to maintain personal data processing documentation. The review of IT systems in the years 2013-2016 against the technical and organisational requirements showed that almost all requirements were met in full.


Author: Katarzyna Blachowicz, Attorney-at-Law, Junior Partner at GWW
