From 25 May 2018 the GDPR will introduce a comprehensive reform of the data protection regulations all across Europe. The administrative fines are the central elements of the new enforcement regime, being a powerful tool in the hands of the supervisory authorities. The Article 29 Data Protection Working Party (“Working Party”) has adopted guidelines on the application and setting of administrative fines for the purposes of the GDPR (“Guidelines”) in the end of 2017.
Pursuant to the Guidelines, when imposing an administrative fine, the supervisory authorities must observe several principles. First of all, the authorities are required to ensure the consistent application and enforcement of the GDPR throughout the EU, therefore, ‘equivalent sanctions’ are applied for infringements in all Member States. Secondly, the administrative fines must be “effective, proportionate and dissuasive”. In addition, the competent authority must assess all the facts of the individual case. Finally, in order to ensure harmonized approach to administrative fines, the supervisory authorities are obliged to exchange information and cooperate with each other on a regular basis.
In the Guidelines, the Working Party also interpreted the criteria – laid down by Section 83 (2) of the GDPR – which must be followed when assessing whether a fine should be imposed and in what amount. The supervisory authorities are required to take into account in particular the following factors: (a) the nature, gravity and duration of the infringement, (b) the intentional or negligent character of the infringement, (c) any action taken by the controller/processor to mitigate the damage suffered by the data subjects, (d) the degree of the responsibility of the controller/processor, (e) any relevant previous infringements by the controller/processor, (f) the degree of the cooperation with the supervisory authority, (g) categories of the personal data affected by the infringement.
In case of an infringement, the authorities must restore the compliance by using the corrective measures available to them under the GDPR. According to the Working Party, the Guidelines will help the authorities in reaching a decision on whether to impose an administrative fine in addition to or instead of other measures.