The GDPR sets out a new investigation and enforcement scheme for supervisory authorities that contains both enumerated and discretionary powers. Supervisory authorities will now possess broad investigative and enforcement powers, including the ability to issue penalties to data controllers and processors for non-compliance. Depending on the type of violation, these penalties can be severe. The amount of such penalties in any individual case will be determined by what the relevant supervisory authority believes to be “effective, proportionate, and dissuasive.”
Investigative and Corrective Powers
Under Article 58 of the GDPR, supervisory authorities have broad investigative powers to ensure compliance. These powers include the ability to carry out on-site data protection audits, obtain from controllers and processors access to all personal data and all information necessary to carry out their investigative tasks, and review any certifications issued by an accredited data protection certification provider.
Article 58 also vests supervisory authorities with a long list of corrective powers, which include the ability to issue warnings or reprimands to controllers or processors, order controllers or processors to comply with a data subject’s request to exercise his or her rights under the GDPR, impose temporary or definitive bans on data processing, withdraw certifications issued by an accredited data protection certification provider, and impose administrative penalties under Article 83.
One of the more widely discussed provisions of the GDPR involves the power of supervisory authorities to issue “administrative fines” for non-compliance. In determining whether an administrative fine is appropriate, the supervisory authority must first determine whether a fine would be “effective, proportionate, and dissuasive” in each particular case. In addition, the supervisory authority must take into account certain factors, including the following:
- the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- the controller or processor’s attempts to mitigate the damage suffered by data subjects;
- the controller or processor’s prior infringement history;
- the controller or processor’s degree of cooperation with the supervisory authority; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Article 83 sets forth the procedure for implementing administrative fines and divides applicable violations into two types that carry differing penalties.
On the lower end of the scale, certain infringements are subject to administrative fines up to 10,000,000 Euros, or in the case of an undertaking, up to 2% of the total worldwide turnover of the preceding year, whichever is the higher. Infringements covered by the lower category include failure to designate a data protection officer, failure to keep adequate records of data processing activities, failure to conduct data protection impact assessments, and infringements by monitoring and certification bodies.
More serious infringements are subject to fines of up to 20,000,000 Euros, or in the case of an undertaking, up to 4% of the total worldwide turnover of the preceding year, whichever is the higher. These infringements include violations of the basic principles for data processing including obtaining consent, data subjects’ rights, or direct disobedience of a supervisory authority’s order or definitive limitation on the processing or suspension of data flows.
If a supervisory authority decides to issue administrative fines in either category, the ramifications to affected organizations could be enormous. Worldwide annual turnover, or revenue, for certain global companies can reach into the billions of dollars. Even a 2% cut of that revenue represents a tremendous penalty for GDPR non-compliance. In addition, the GDPR defines “undertaking” in this context as an undertaking in accordance with European competition law, which would include all entities that would be liable for the particular infringement. Therefore, the scope of an administrative fine could run across multiple legal entities within the same corporate structure, such as a parent and a subsidiary if the supervisory authority found that both entities participated in the infringement or the parent exerted control or particular influence over the subsidiary.
With the imposition of Articles 58 and 83, the Commission clearly intended to implement a more robust enforcement and penalty structure than what existed under the Directive. It is still unclear, however, how supervisory authorities will balance the additional powers given to them, in particular with respect to Article 83. While supervisory authorities may impose fines only if they would be “effective, proportionate, and dissuasive” in each particular case, Article 83 expressly states that, as a general rule, administrative fines are to be issued in addition to, or instead of, any corrective measures applicable under Article 58. Therefore, the GDPR appears to encourage the imposition of fines if the supervisory authority determines an infringement has occurred. Supervisory authorities must also grapple with the level of such fines, as the enumerated amounts for lower and higher penalties represent the maximum amounts that can be issued in a particular case.
Regardless, organizations that are subject to the GDPR must ensure compliance with the GDPR itself as well as any orders issued by a supervisory authority implementing the GDPR’s regulations. Implementing data protection measures and cooperating with supervisory authorities are direct factors that such authorities will consider in determining whether a corrective measure or penalty should be applied.