Update: The Dutch Data Protection Authority has now (14/3/2019) officially published the standardized fines policy for infractions (failure to comply with regulation) and data-breaches. You can find the official press-release here. Unfortunately it is in Dutch only, hence the rough translation/summary for your consideration.
The GDPR imposes stiff fines on data controllers and processors for non-compliance. Fines are administered by individual member state supervisory authorities:
- Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for administrative infringements.
- Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements concerning
- The basic principles for processing, including conditions for consent
- The data subjects’ rights
- Any obligations pursuant to Member State law
- The transfer of personal data to a recipient in a third country or an international organisation
- Any non-compliance with an order by a supervisory authority
- Other fines: The active enforcement of closure of operations / cease and desist
- Multiple fines for the same incident/fact are possible (plus in different countries)
In the case of the Dutch Data Protection Authority; infractions with a max legal fine of € 10.000.000 respective € 20.000.000 or, 2% respective 4% of the worldwide annual revenue of the prior financial year, whichever is higher, are categorized in 4 categories. Each category has a base fine which can be adjusted pending severity and financial solvability of the company committing the infraction.
| Category | Fine - Bandwidth | Base Fine | |
|---|---|---|---|
| 1 | Between | € 0 and € 200.000 | € 100.000 |
| 2 | Between | € 120.000 and € 500.000 | € 310.000 |
| 3 | Between | € 300.000 and € 750.000 | € 525.000 |
| 4 | Between | € 450.000 and € 1.000.000 | € 725.000 |
The Data Protection Authority determines the amount of the fine by the amount of the base fine. The base fine is increased or decreased depending on the extent to which factors (further down) give cause for.
Higher fines and penalty ceilings
Going outside the bandwidth and increased penalty ceilings can occur when the category determined for the violation is not appropriate in the specific case and allows the Data Protection Authority to determine the amount of the penalty fine, the fine bandwidth of the next higher category or the fine bandwidth respectively of the next lower category.
In addition to the provisions, the Data Protection Authority uses the principle of increasing the fine by 50% in the event of a repeat offense, unless this is in view of the circumstances of the specific case would be unreasonable. The Data Protection Authority can go beyond the limits of the applied fine bandwidth, considering the statutory maximum fine.
If the highest amount (ceiling) of the applicable fine does not allow for appropriate punishment, the Data Protection Authority can impose a higher fine up to a maximum € 10.000.000 respective € 20.000.000 or, 2% respective 4% of the worldwide annual revenue of the prior financial year, whichever is higher.
Factors for fine adjustments
Without prejudice, the Authority will consider the following factors:
- the nature, seriousness and duration of the infringement, considering the nature, extent or purpose of the processing in question as well as the number of affected data subjects and the size of the data damage suffered by them;
- the intentional or negligent nature of the infringement;
- the measures taken by the controller or processor to ensure that the limit the damage suffered to those affected;
- the extent to which the controller or processor is responsible in view of the technical and organizational measures that it has implemented in accordance with the Articles 25 and 32 of the GDPR;
- previous relevant breaches by the controller or processor;
- the extent to which there has been cooperation with the supervisory authority to prevent the infringement and to mitigate its possible negative consequences;
- the categories of personal data to which the infringement relates;
- the way the supervisory authority has become aware of the infringement, whether, and if so to what extent, the controller or processor has reported the infringement;
- compliance with the requirements of Article 58, paragraph 2, of the GDPR mentioned measures, insofar as they were previously regarding the controller or the processor in question has been taken on the same matter;
- alignment with approved codes of conduct in accordance with Article 40 of the GDPR or of approved certification mechanisms in accordance with article 42 of the GDPR; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made, or avoided losses, that may or may not come directly from the infringement.
Table A: Infractions with a maximum statutory fine of € 10 million euro's or 2% of total turnover previous financial year
| Article | Description (& Recitals) | Category |
|---|---|---|
| 8 | Conditions applicable to child's consent in relation to information society services (38) | 2 |
| 11 | Processing which does not require identification (57, 64) | 1 |
| 25 | Data protection by design and by default (78) | 2 |
| 26 | Joint controllers (79) | 1 |
| 27.3 | Representatives of controllers or processors not established in the Union (80) | 3 |
| 27.3 | Representatives of controllers or processors not established in the Union (80) | 2 |
| 28.9 | Processor (81) | 2 |
| 28.9 | Processor (81) | 1 |
| 29 | Processing under the authority of the controller or processor | 2 |
| 30 | Records of processing activities (13, 39, 82) | 2 |
| 30 | Records of processing activities (13, 39, 82) | 1 |
| 31 | Cooperation with the supervisory authority | 3 |
| 32 | Security of processing (83, 74, 75, 76, 77) | 2 |
| 33.3 | Notification of a personal data breach to the supervisory authority (75, 85, 87, 88) | 3 |
| 33.3 | Notification of a personal data breach to the supervisory authority (75, 85, 87, 88) | 2 |
| 34.2 | Communication of a personal data breach to the data subject (75, 86, 87, 88) | 3 |
| 34.2 | Communication of a personal data breach to the data subject (75, 86, 87, 88) | 2 |
| 35.9 | Data protection impact assessment (75, 84, 89, 90, 91, 92, 93) | 2 |
| 35.9 | Data protection impact assessment (75, 84, 89, 90, 91, 92, 93) | 1 |
| 36 | Prior consultation (94, 95, 96) | 2 |
| 37.7 | Designation of the data protection officer (97) | 2 |
| 37.7 | Designation of the data protection officer (97) | 1 |
| 38.2,6 | Position of the data protection officer (97) | 2 |
| 38.2,6 | Position of the data protection officer (97) | 1 |
| 39 | Tasks of the data protection officer (97) | 2 |
| 41.4 | Monitoring of approved codes of conduct | 1 |
| 42.3,6 | Certification (100) | 2 |
| 42.3 | Certification (100) | 1 |
| 42.6 | Certification (100) | 3 |
| 43 | Certification bodies | 1 |
Table B: Infractions with a maximum statutory fine of € 20 million euro's or 4% of total turnover previous financial year
| Article | Description (& Recitals) | Category |
|---|---|---|
| 5.1a | Principles relating to processing of personal data (39) | 3 |
| 5.1a, 2 | Principles relating to processing of personal data (39) | 1,2,3 or 4 |
| 6 | Lawfulness of processing (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 155) | 3 |
| 7 | Conditions for consent (32, 33, 42, 43) | 3 |
| 9 | Processing of special categories of personal data (51, 52, 53, 54, 55, 56) | 4 |
| 12.3-5 | Transparent information, communication and modalities for the exercise of the rights of the data subject (58, 59) | 3 |
| 12.3-5 | Transparent information, communication and modalities for the exercise of the rights of the data subject (58, 59) | 2 |
| 13 | Information to be provided where personal data are collected from the data subject (60, 61, 62) | 3 |
| 14 | Information to be provided where personal data have not been obtained from the data subject | 3 |
| 15 | Right of access by the data subject (63, 64) | 3 |
| 16 | Right to rectification (65) | 3 |
| 17 | Right to erasure ('right to be forgotten') (65, 66) | 3 |
| 18.3 | Right to restriction of processing (67) | 3 |
| 18.3 | Right to restriction of processing (67) | 2 |
| 19 | Notification obligation regarding rectification or erasure of personal data or restriction of processing | 2 |
| 20 | Right to data portability (68) | 3 |
| 21.4 | Right to object (69, 70) | 3 |
| 21.4 | Right to object (69, 70) | 2 |
| 22 | Automated individual decision-making, including profiling (71, 72) | 4 |
| 44 | General principle for transfers (101, 102) | 3 |
| 45 | Transfers on the basis of an adequacy decision (103, 104, 105, 106, 107) | 3 |
| 46 | Transfers subject to appropriate safeguards (108, 109) | 3 |
| 47 | Binding corporate rules (110) | 3 |
| 48 | Transfers or disclosures not authorised by Union law | 3 |
| 49 | Derogations for specific situations (111, 112, 113, 114, 115, 116) | 3 |
| Ch. IX | All responsibilities mentioned in Chapter IX by member states - applicable law | 1,2,3 or 4 |
| 87 | Processing of the national identification number | 4 |
| 87 | Processing of the national identification number | 3 |
| 89 | Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (156, 157, 158, 159, 160, 161, 162, 163) | 3 |
| 58 | Not complying with order of suspension of data flows or process-limitation | 4 |