Adiministrative penalties up to €10m under the GDPR Posted by Hugh on 18 January 2016


It is worth noting at the outset that some of these offences were only introduced under the new Regulation, while some date back to the 1995 EU Directive, also known as “the current legislation”).

The list is as follows (in no order of priority):
• Failure by the Controller to demonstrate adequately that they have parental consent before processing the personal data of a child (under 16 years old);
• Excessive processing of personal data without a legitimate justification for doing so
• Failure by the Controller to demonstrate that they have implemented Privacy by Design processing
• Where a Joint Controller is involved in processing the data, a failure by the Joint Controller to meet the appropriate obligations set out under the Regulation
• Where the Data Controller is based outside the EU, failure to nominate a representative in each jurisdiction in which the Controller operates (that’s right, the Regulation applies to organisations even though they are NOT based within the EU!)

• Failure by a Data Processor to properly engage the services of sub-contractors (for example, by failing to ensure that adequate contracts are in place)
• Failure by a Data Processor to keep within the processing parameters determined by the Data Controller
• Failure by the Controller or Processor to maintain a log of their data processing activities
• Failure by the Controller or Processor to co-operate with e Supervisory Authority in the performance of its tasks
• Failure to implement adequate technological or organisational structures to protect the security of the personal data
• Failure to notify the Supervisory Authority of a DP breach
• Failure, where required, to notify the Data Subjects of a DP breach
• Failure, where appropriate, to be able to demonstrate that a Privacy Impact Assessment was conducted
• Failure to designate a Data Protection Officer, where criteria require
• Failure to involve the Data Protection Officer appropriately in data processing activities and project planning
• Failure to ensure that the DPO is sufficiently supported in the performance of their role
• Where the Controller or Processor qualify for certification with a recognised body, failure to meet the obligations of that certification

• Where the Controller or Processor must operate within the terms of a Code of Conduct, failure to do so
• Failure of a monitoring body to adhere to its obligations in maintaining compliance with the associated Code of Conduct.

The enforcement and levying of these fines, and the mechanism for determining the size of the fine, has yet to be agreed, and is likely to be determined by the rule of law in each Member State.

In some jurisdictions, the Supervisory Authority will be able to impost the penalty directly.

In others, such as Denmark, Estonia and the Republic of Ireland, the Supervisory Authority will need to refer each substantial breach of the Regulation to the courts for adjudication.

However, the criteria by which the penalty are determined have been set out in the Regulation. But that will wait for another day. Perhaps once we have had a chance to view the list of offences which will merit penalties of UP TO €20m or 4% of Global Annual Turnover, whichever is the greater!

Watch this space!