Administrative Penalties incurring fines of up to €20m or 4% of GAT

Posted by Hugh on 27 January 2016

The following list of offences may incur a penalty of up to €20m, or 4% of the organisation’s Global Annual Turnover for the previous financial year, whichever amount is greater.

• Failing to adhere to the seven DP Principles outlined in the Regulation
• Failing to comply with the requirement to meet at least one Lawful Processing Condition
• Failing to meet the criteria for consent, in that it must be specific, freely-given and clear
• Failing to meet the conditions which justify the processing of Sensitive Personal Data
• Failure to use transparent, clear language in communications with Data Subjects
• Failure to provide a Fair Processing Notice to data subjects when their data is being collected
• Failure to respect the individual rights of Data Subjects, including the right to rectification of their data, their right of access to a copy of their data, their ‘right to be forgotten’, and their right to have their personal data made portable to another Controller
• Denial of an individual’s right to object to processing of their personal data
• Transfers of personal data to countries outside the EU without adequate or appropriate protections
• Failure to restrict processing when lawfully requested to do so by a Data Subject
• Failure to adhere to a lawful Notice from the Supervisory Authority (DP Commissioner) in the jurisdiction in which the Data Controller is established.

The underlying message from this list confirms the EU Commission’s main concerns regarding the processing of personal data:
• Respect for the rights of the Data Subject, in particular with regard to their Sensitive data
• The safe transfer of personal data to destinations outside the EU, and
• Respect for the Office of the Supervisory Authority in the jurisdiction in which the Controller is established.

We will continue this series with advice to Controllers and Processors about the appropriate measures to be taken in order to avoid committing these offences, and to protect their organisations, both from the financial penalties and the reputational damage that accompanies such an unwelcome event.