The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) published a press release on 14 March 2019 updating its policy on calculating administrative fines. The guidelines are intended to make organisations aware of the updated structure of penalties.
The GDPR empowers the supervisory authority of each EU member state to impose administrative fines, the amount of which is determined case by case. As the Dutch supervisory authority, the Autoriteit Persoonsgegevens (AP) has the power to issue administrative fines for violations of GDPR provisions.
Article 83 of the GDPR sets out the rules for imposing fines on non-compliant organisations. The maximum is €20 million or 4% of annual global turnover, whichever is higher. A fine of that size can wipe out a company's entire annual profit, which removes any incentive to treat non-compliance as the cheaper option.
In preparation for enforcing these rules, the AP updated its penalty structure and announced the change in the press release of 14 March 2019. The updated policy gives insight into how the AP will exercise its power to fine.
OVERVIEW OF THE NEW GUIDELINES
Although the penalties described in the GDPR are two-tiered, the AP divides infringements into four categories. Each category has a lower limit, an upper limit and a basic fine. The basic fine is the midpoint of the range, i.e., 50% of the sum of the lower and upper limits of that category.
The AP will take the following factors into account when deciding the amount of the fine:
- The nature of the breach: how much risk is it likely to cause?
- How many people are likely to be affected as a result of the personal data breach
- The amount of data compromised
- The types of data involved (e.g., sensitive vs. non-sensitive data, children's vs. adults' data, financial vs. non-financial information)
- How long the breach lasted; generally, the longer it goes on, the more harm is likely to occur
- Whether it resulted from a lack of security, organisational negligence or a cyber-attack, and whether personal data was involved
- Whether it was the result of negligence or of a deliberate intrusion into the data records
- Whether or not the data controller has taken action to minimise the damage to the victims. A data controller who is careless despite knowing that a breach has occurred is more likely to be penalised.
- Whether there has been a previous data breach. A history of breaches draws the attention of the regulator, as it suggests negligence on the part of the data controller or some deliberate action, e.g. moral hazard or an insider in the organisation.
- Whether or not the data controller or processor gained any benefit from the breach
- Whether the organisation adhered to an approved code of conduct (Article 40) or certification mechanism (Article 42)
The upper limit of the highest category, which covers the most severe violations (for example, not following the rules for processing sensitive data), is €1,000,000. This is not the final word, however: if that amount is inadequate in a particular case, the fine can go higher. For repeat infringements the policy states that the AP will increase the fine by 50%. In every case the resulting amount stays within the Article 83 maximum of €20,000,000 (or 4% of annual global turnover, whichever is higher).