The GDPR provides for hefty administrative fines, as is reiterated over and over in most media communications and articles. The fact is, there are a lot of factors to be considered before any administrative fine would approach those amounts.
The upper end of the fines is cited in the GDPR as, "Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher." [Article 83, paragraph 6]
The GDPR stipulates that if administrative fines are imposed, they shall, "in each individual case be effective, proportionate and dissuasive." [Article 83, paragraph 6]
Proportionate and dissuasive fines are based on the following: "When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given" (Article 83, paragraph 2) to factors such as:
"the nature, gravity and duration of the infringement..." [Article 83, paragraph 2a]
"the number of data subjects affected..." [Article 83, paragraph 2a]
"the level of damage suffered by them..." [Article 83, paragraph 2a]
"technical and organizational measures implemented..." [Article 83, paragraph 2d]
"previous infringements..." [Article 83, paragraph 2e]
"degree of cooperation..." [Article 83, paragraph 2f]
"adherence to approved codes of conduct..." [Article 83, paragraph 2j]
"financial benefits gained, or losses avoided, directly or indirectly, from the infringement..." [Article 83, paragraph 2k]
In short, before any administrative fine would reach those extremes, the GDPR stipulates that it shall, "in each individual case be effective, proportionate and dissuasive." [Article 83, paragraph 6]
Or 20,000,000 EUR...whichever is greater.