NEWSFLASH – New Data Protection Obligations (n°10)
Following the adoption of the new EU General Data Protection Regulation (GDPR) on 27 April 2016, most organisations began to re-examine their internal processes and procedures in order to ensure compliance with the new requirements before its entry into force in May 2018.
To assist you in this task, we have identified 10 hot topics which should be handled in priority. We propose to present each of these points of attention separately in a newsflash to be published every two weeks, where we will provide you with practical hints to prepare efficiently.
In this last issue of our series of 10 newsflashes, we chose to focus on the enforcement regime introduced by the GDPR.
Check List
The GDPR will introduce significantly increased administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, 4% of the total worldwide annual turnover, whichever is higher.
Whereas the administrative fines deriving from current EU data protection rules have little deterrent effect, the GDPR exposes businesses to very high financial liability and provides supervisory authorities with greater enforcement powers to encourage compliance.
Consequently, businesses will need to make substantial changes to their current practices and processes in terms of privacy, which will take them time to implement.
As we mentioned in previous issues, the general data protection concepts largely remain the same. However, while data controllers will continue to bear primary responsibility for ensuring that processing activities comply with EU data protection law, data processors will now face specific obligations of their own, as well as the liability arising therefrom. In addition, the GDPR will extend the reach of the EU data protection framework, which becomes applicable to both data controllers and data processors that are not established in the EU but process personal data of data subjects residing in the EU (where the processing activities relate to the offering of goods or services to, or the monitoring of the behaviour of, EU data subjects).
Enforcement powers of supervisory authorities
Supervisory authorities will retain their prerogatives for monitoring and enforcing compliance with applicable data protection rules. That being said, they will be endowed with greater enforcement powers. Such powers will include authorisation and advisory powers, investigative powers and corrective powers (including the power to impose administrative fines).
Authorisation and advisory powers include the possibility for supervisory authorities to:
- advise the controller in the course of a consultation procedure;
- issue opinions to other national authorities, institutions and bodies, as well as to the public on any issue related to the protection of personal data;
- accredit certification bodies;
- adopt standard data protection clauses;
- approve binding corporate rules for transfers.
Investigative powers of each supervisory authority include the possibility to carry out investigations (in the form of data protection audits), to notify the controller or processor of an alleged infringement, and to obtain access to information as well as to the premises of the controller and/or the processor, including to the data processing equipment.
Corrective powers of each supervisory authority include, notably, the following prerogatives:
- issue warnings to controllers/processors that intended processing operations are likely to infringe the GDPR and reprimands where processing operations have infringed the GDPR;
- order controllers/processors to comply with data subjects’ requests, to bring processing operations into compliance and/or to communicate personal data breaches to data subjects;
- impose a temporary or definitive limitation on processing (including a ban as the case may be);
- impose administrative fines.
The CNPD plans to double its workforce in the coming months in order to be able to act on its new prerogatives.
Individual claims of data subjects. With the GDPR, both data controllers and processors will be liable towards individuals for infringements of their data protection rights. In case of an alleged infringement in this respect, data subjects have the following rights:
- the right to lodge a complaint with supervisory authorities where their data have been processed in a way that does not comply with the GDPR;
- the right to an effective judicial remedy against a relevant controller or processor; and
- the right to obtain compensation from a relevant controller or processor for material or immaterial damage resulting from infringement of the GDPR.
Administrative fines and penalties
The GDPR sets up upper limits and criteria for determining fines, which will be implemented by local supervisory authorities, depending on the circumstances of each individual case.
Conditions for imposing administrative fines. When deciding whether to impose an administrative fine and deciding on its amount, supervisory authorities must take into account the circumstances of each individual case, having regard to the factors listed in Article 83(2) of the GDPR. Such fines shall in each case be effective, proportionate and dissuasive.
We have summarized below the main rules for determining the scope of administrative fines to be imposed. The following elements should notably be taken into consideration: the nature, gravity and duration of the infringement; the intentional or negligent character of the infringement; actions taken to mitigate damage suffered by data subjects; the degree of responsibility of the controller or processor and the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the adverse effects.
The competent supervisory authority will of course take into account any other aggravating or mitigating factors, such as financial benefits gained or losses avoided from the infringement.
Level of administrative fines. The main contribution of the GDPR in terms of sanctions is (i) the ability for supervisory authorities to impose high administrative fines and (ii) the harmonisation of their amount across European jurisdictions.
Article 83(4) and (5) provide for the maximum fines which may be imposed on data controllers and data processors, depending on the nature of the breach.
There are two levels of fines:
Administrative fines of level 1: up to EUR 10,000,000 or 2% of total worldwide annual turnover (for undertakings), whichever is higher.
Administrative fines of level 2: up to EUR 20,000,000 or 4% of total worldwide annual turnover (for undertakings), whichever is higher. Level 2 fines are applicable to what are considered to be major infringements.
The question that arises from this is what the “worldwide annual turnover” encompasses: is it the turnover of the entity in breach or that of its entire corporate group? Recital 150 of the GDPR sets out that, where administrative fines are imposed on an undertaking, an undertaking should be understood in accordance with EU competition law provisions. In that context, an undertaking should be considered as referring to the entities that are held liable for the infringement. A parent company may therefore be held liable for the actions of a subsidiary (even if the parent company did not actively participate in the infringement) where the parent company exercises decisive influence over the subsidiary. The company liable may also be the company within the group which has received a delegation of liability for data protection issues.
To help you have a better overall view, we have drawn up a table listing the various infringements, as provided for throughout the GDPR, and matched them with the corresponding level of fine under article 83 of the GDPR (i.e. level 1 or 2).
It should be noted that, should a controller or processor infringe several provisions of the GDPR in relation to the same or linked processing operations, the total amount of the fine may not exceed the amount set out for the most serious infringement.
Please bear in mind that being able to demonstrate compliance is almost as important as being compliant, so it is crucial to implement appropriate structures, processes and policies to be able to demonstrate that your organisation is GDPR proof.
The high sanctions provided for by the GDPR have attracted the interest of the media and of businesses. The increased fines will certainly have an impact on businesses’ approach to data processing questions. To that extent, the objective of the GDPR is met.
Indeed, it is clear to data protection experts, and more generally to people whose work involves the processing of personal data, that the GDPR has been designed to raise awareness of data protection issues and to incentivise better compliance with EU data protection rules. This will (and to some extent already has) create a specific compliance market, with new functions (DPO), new compliance tools to support such functions, as well as certification mechanisms.
What’s next? The GDPR will take effect on 25 May 2018, which leaves companies with less than a year to ensure that their business practices are compliant. Companies will have to know their obligations and understand the changes introduced by the GDPR, identify where they stand in terms of compliance and what they still need to do, and design and implement the corresponding solutions and processes.
From a risk management perspective, companies should firstly focus their compliance efforts on those requirements that attract the highest fines (level 2 fines). Do not forget to adapt insurance coverage to the level of administrative fines.
MNKS can assist you with each of these steps and help your organisation get GDPR proof.
To help you get GDPR proof, you may also consult our compliance package online.
Please contact the members of our Technologies & IP team should you need any assistance in relation to the GDPR.