Administrative fines and penalties and right to compensation
Administrative fines and penalties
The effectiveness of any law is demonstrated also by fines and penalties and data protection legislation is no exception. Anybody can be fined if concerned in data processing activities carried out in a way which has caused, intentionally or due to negligence, an infringement of the GDPR.
The GDPR provides that the administrative fines shall be «effective, proportionate and dissuasive». When imposing an administrative fine or deciding on its amount, the supervisory authority shall take into due account the following conditions:
1. the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected, and the level of damage suffered
2. the intentional or negligent character of the infringement
3. any action taken by the controller or processor to mitigate the damage suffered by data subjects
4, the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented
5. any relevant previous infringements
6. the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
7. the categories of personal data affected
8. how the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
9. where measures have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures
11. any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
If the infringement, intentionally or negligently, concerns the same or similar processing operations, the total amount of the administrative fine imposed shall not exceed the amount for the gravest infringement.
Infringements of the most important obligations of the GDPR are subject to administrative fines up to € 10 000 000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Infringements concerning the principles of the legal basis for processing, such as consent, rights of data subjects, transfers of personal data to third countries or international organisations or any other obligation pursuant to a Member State law are subject to administrative fines up to € 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
It is important to highlight that when the GDPR establishes administrative fines in percentage of the total turnover, expressively refers to «undertakings»: this means that this criterium is not applicable to charities and not-for-profit organisations, unless they «are regularly engaged in an economic activity». Other criteria to determine the fine will be taken into account by the supervisory authority.
Apart from any administrative fines established by the GDPR, each Member State shall lay down the rules on other penalties to infringements of the GDPR, in particular for infringements which are not subject to administrative fines, on the condition that they are «effective, proportionate and dissuasive».
Right to compensation
It has to be highlighted that the GDPR makes provisions for the right to compensation for the damage caused to data subjects affected by a violation, also by determining the responsibility of each party concerned in the processing operations.
If affected by a material or non-material damage caused by a violation of the GDPR, the data subject has the right to receive compensation for the damage suffered from the controller or the processor: of course, the controller shall be held liable for the damage caused by processing infringing the GDPR and the processor for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. The controller or the processor is exempt from liability if it proves that it is not in any way responsible for the event which has given rise to the damage.
Where more than one controller or more than one processor or both a controller and a processor are involved in the same processing and are responsible for the damage, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. If the compensation is fully paid by one of them, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage.
Court proceedings for exercising the right to receive compensation shall be brought before the competent courts.