Fine Determination

Cordery GDPR Navigator

This note is part of the Cordery GDPR Navigator.

Sponsored by Auth0 - auth0.com
Phone : +1 (888) 235-2699 / +1 (425) 312-6521 Email: sales@auth0.com
Technical terms are used in this document which are explained in the
glossary.

Introduction
Under the European General Data Protection Regulation (“GDPR”) “supervisory authorities”, better
known as data protection regulators (“DPAs”) have significantly enhanced enforcement powers at their
disposal with regard to non-compliance with the GDPR, including the ability to impose very high fines on
both data controllers and data processors.

In addition, data controllers and data processors may also be liable to individuals for
damages/compensation for infringements of the GDPR.

The GDPR applies to the European Economic Area (“EEA”), i.e. the 28 European Union (“EU”) Member
States plus Iceland, Liechtenstein and Norway, but organisations based outside the EEA could also be
subject to non-compliance enforcement by DPAs, including the imposition of fines.

It is expected that guidance at the EU level will be issued in the future about fines - this might follow EU
policy in the area of competition/anti-trust law, for example concerning aggravating and mitigating
factors.

This briefing focuses on the key aspects of fines, with some mention of liability to individuals.

Regulator powers
Under the GDPR, national DPAs remain the bodies responsible for monitoring and enforcing compliance
with data protection law in their particular EU Member State, albeit under the new so-called “One-Stop-
Shop” supervisory and co-operation mechanism.

Each DPA has a range of corrective, authorisation and advisory powers in order to ensure that
organisations comply with the GDPR, supported by investigative powers including the ability to
undertake audits and dawn raids.

Regulators’ corrective powers (which may themselves be subject to fines if contravened) include the
following:
• Issuing reprimands to a data controller or processor where processing operations have infringed
the GDPR;
• Ordering a data controller or processor to comply with a data subject's requests to exercise his
or her rights pursuant to the GDPR;
• Ordering a data controller to communicate a personal data breach to a data subject;
• Imposing a temporary or definitive limitation, including a ban on processing;
• Ordering the rectification or erasure of personal data or restriction of data processing pursuant
to a data subject's rights and notifying those actions to recipients to whom the personal data
has been disclosed;
• Ordering the suspension of data flows to a recipient in a third country or to an international
organisation; and,
• Imposing an administrative fine.

What is meant by a fine?
The GDPR provides new and significantly increased (capped) levels of fines that DPAs are permitted to
impose against data controllers, and now data processors too, who have breached certain provisions of
the GDPR.

This is the first time that the ability to impose fines for data protection infringements (and up to the
same amount) has been harmonised across the EU. In many jurisdictions this will represent a very
significant increase from the fines currently available. It may therefore take some time for some DPAs to
adjust to the idea of imposing higher fines – especially since DPAs are likely to want to make sure that
they fully investigate the first cases where they make use of their new powers.

Fines may be imposed instead of, or in addition to, measures that can be ordered by a DPA (under the
above-mentioned corrective powers). But, in a case of a minor infringement, or, if the fine likely to be
imposed would constitute a disproportionate burden on a natural person, a reprimand may be issued
instead of a fine. Although the GDPR states this only with regard to a natural person, it can be argued
that in the appropriate situation this should also apply to an organisation - after all, imposing a fine is a
discretionary power (see immediately below).

Where an administrative fine is imposed on a person that is not an “undertaking” (see later below), a
DPA should take account of the general level of income in the EU Member State as well as the economic
situation of the person in considering the appropriate amount of the fine.

Also, if a controller or processor intentionally or negligently, for the same or linked processing
operations, infringes several provisions of the GDPR, the total amount of the administrative fine shall
not exceed the amount specified for the most serious infringement.

Fines are not mandatory - instead they are discretionary and so they are to be imposed on a case-by-
case basis. Fines must also be “effective, proportionate and dissuasive” so this too allows room for
discretion to suit a given set of circumstances.

But, although fines are discretionary, the so-called “consistency mechanism” may be used to promote a
consistent application of administrative fines. In short, the “consistency mechanism” is an official
regulatory means under the GDPR under which the DPAs will cooperate with each other, and where
necessary with the European Commission, through specific procedures to ensure that the GDPR is
applied consistently. This process will therefore act as a kind of disciplinary measure. It might in practice
mean that, for example, there is a broad range of fines that will apply for given infringements, allowing
for a degree of certainty and predictability – we’ll have to wait and see how this works in practice as the
fines system beds down.

The GDPR also contains a number of carve-outs allowing EU Member States to impose their own rules.
In the area of fines, Member States may determine whether and to what extent administrative fines
may be imposed on public authorities established in their Member State. For the sake of clarity, no
similar discretion exists for the private sector.

In addition, EU Member States can adopt other penalties applicable to infringements of the GDPR, in
particular for infringements which are not subject to administrative fines under the GDPR, and must
take all measures necessary to ensure that they are implemented – these penalties must also be
“effective, proportionate and dissuasive”.

Finally, EU Member States can also adopt their own rules on criminal penalties for infringements of the
GDPR, including for infringements of national rules adopted pursuant to and within the limits of the
GDPR. Those criminal penalties may also allow for the “deprivation of profits” obtained through
infringements of the GDPR. However, the imposition of criminal penalties should not lead to double
jeopardy, i.e. being punished twice for the same infringement.

Can I appeal against a fine?
Yes. Under the GDPR, without prejudice to any other administrative or non-judicial remedy, each natural
or legal person has the right to an effective judicial remedy against a legally binding decision of a DPA
concerning them, including fines.

Legal proceedings against a DPA are to be brought before the courts of the EU Member State where the
DPA is established, i.e. appeals will be subject to national legal procedural and substantive
considerations.

Ultimately there is the possibility of issues relating to the fining mechanism under GDPR being referred
to the European Court of Justice (ECJ).

What levels of fines are there?

There are two categories of infringement which attract a different maximum fine. In each category the
maximum fine is expressed in Euros, or, in the case of an “undertaking” as a percentage of worldwide
annual turnover (i.e. not profit) of the preceding year, whichever is higher. It is unclear at this stage
whether worldwide turnover relates only to the relevant controller/processor or to its group.

Under the GDPR an “undertaking” has the same meaning as an “undertaking” under Articles 101 and 102 of the
“Treaty on the Functioning of the European Union”, which concern competition/anti-trust law. What is
essentially meant by this is that an “undertaking” is an entity that engages in economic activity.
European Commission competition/anti-trust law practice and European Court case-law give a wide
interpretation of this notion so it will be difficult for an entity to argue that it is not an “undertaking”.

The two tiers of fines are as follows:

• A fine of up to €10,000,000, or in the case of an “undertaking”, up to 2% of the total worldwide
annual turnover (not profit) of the preceding financial year, whichever is higher, for certain
defined infringements of the GDPR (see below); and,
• A fine of up to €20,000,000, or in the case of an “undertaking”, up to 4% of the total worldwide
annual turnover (not profit) of the preceding financial year, whichever is higher, for certain
defined infringements of the GDPR (see below).

What can I be fined for?
The GDPR infringements which can be subject to fines concern the following:
• Under the €10,000,000 maximum/2% undertaking total worldwide annual turnover category,
three broad areas exist as follows:
o An extensive range of obligations on both data controllers and data processors in
relation to matters including the following:
§ Obtaining consent to the processing of children's data;
§ Processing which doesn’t require identification;
§ Implementing technical and organisational measures to ensure data protection
by design and by default;
§ Joint controllers’ arrangements to agree their respective compliance
obligations;
§ Controllers or processors not established in the EU designating representatives
in the EU;
§ Controllers engaging processors;
§ Processors sub-contracting only with the prior consent of a controller to process
data only on a controller’s instruction;
§ Maintaining records of processing activities;
§ Controllers and processors co-operating with DPAs;
§ Security of processing - implementing technical and organisational measures;
§ Breach notification and communication;
§ Data protection impact assessment, and, prior consultation with a regulator;
§ Designation, position and tasks of data protection officers;
§ Obligations of controllers and processors concerning data protection
certification and certification bodies;
o Obligations of a data protection certification body in respect of certification of data
processing; and,
o Obligations of a monitoring body concerning infringement by a controller or processor
of a data protection certification code;

• Under the €20,000,000 maximum/4% undertaking total worldwide annual turnover category,
five broad areas exist as follows:
o The basic principles for processing of personal data, and, special categories of data, and,
conditions for consent;
o Data subjects' rights, including:
§ Subject access requests;
§ The right to rectification of data;
§ The right to erasure/right to be forgotten;
§ The right to restriction of processing;
§ The right to data portability;
§ The right to object to profiling;
o Transfers of personal data to third countries or international organisations, including
transfers on the basis of an adequacy decision, standard model clauses, and, binding
corporate rules;
o Obligations under EU Member State law, including as regards data processing and
freedom of expression and information, processing and public access to official
documents, and processing in the context of employment; and,
o Non-compliance with an order or a temporary or definitive limitation on processing or
the suspension of data flows by a DPA pursuant to its corrective powers or failure to
provide access in violation of a DPA's investigative powers.

As a stand-alone item under the GDPR, administrative fines of up to €20,000,000, or in the case of an
“undertaking”, up to 4% of the total worldwide annual turnover (not profit) of the preceding financial
year, whichever is higher, may also be imposed for non-compliance with a corrective order (see above)
imposed by a DPA.

What aggravating and mitigating factors are taken into consideration when a fine is imposed?

When determining the level of fine, a DPA needs to take into consideration a number of factors which
include:
• The nature, gravity and duration of an infringement, taking into account the nature, scope or
purpose of the processing concerned as well as the number of data subjects affected and the
level of damage suffered by them;
• The intentional or negligent character of an infringement;
• Any action taken by a controller or processor to mitigate the damage suffered by data subjects;
• The degree of responsibility of a controller or processor taking into account technical and
organisational measures implemented by them with regard to data protection by design and by
default, and, security of processing;
• Any relevant previous infringements by a controller or processor;
• The degree of co-operation with a DPA in order to remedy an infringement and mitigate the
possible adverse effects of the infringement;
• The categories of personal data affected by an infringement;
• The manner in which the infringement became known to the DPA, in particular whether, and if
so to what extent, the controller or processor notified the infringement;
• Where measures were previously ordered against the controller or processor in respect of the
same subject matter, the degree of compliance with those measures;
• Adherence to approved data protection codes of conduct or approved data protection
certification mechanisms; and,
• Any other aggravating or mitigating factor applicable to the circumstances of the case, such as
financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

What about due process?
The exercise by a DPA of its fining powers is subject to appropriate procedural safeguards in accordance
with EU law and EU Member State law, including effective judicial remedies and due process.

What if an EU Member State doesn’t have a system for administrative fines?
Where the legal system of an EU Member State doesn’t provide for administrative fines, the fining
powers set out under the GDPR may be applied in such a way that the fine is initiated by a DPA and then
imposed by an EU Member State court, while ensuring that those legal remedies are effective and have
an equivalent effect to the administrative fines imposed by DPAs. These fines must also be “effective,
proportionate and dissuasive”.

Can I be subject to enforcement action if I am outside the EU?
The GDPR significantly extends the territorial reach of EU data protection law as the GDPR applies to the
processing of personal data of data subjects who are in the EU by a data controller or processor not
established in the EU, where the processing activities are related to:
• The offering of goods or services, irrespective of whether a payment by the data subject is
required, to those data subjects in the EU; or,
• The monitoring of their behaviour as far as their behaviour takes place within the EU.

The GDPR applies to the processing of personal data by a controller not established in the EU, but in a
place where EU Member State law applies by virtue of public international law.

Processing that is caught by this extended territorial reach therefore entitles DPAs in the relevant
jurisdictions to take enforcement action, and, where applicable, issue fines as described above.

Can I be liable to individuals for data protection infringements?
Under the GDPR any person who has suffered “material or non-material damage” as a result of an
infringement of the GDPR has the right to receive “full and effective” “compensation” from a data
controller or processor for the damage suffered.

The concept of “damage” is to be broadly interpreted in light of ECJ case-law “in a manner which fully
reflects the objectives of GDPR”. But this is without prejudice to any claims for damage deriving from
infringement of other rules in EU law or EU Member State law. Processing that infringes the GDPR also
includes processing that infringes delegated and implementing acts adopted in accordance with the
GDPR and EU Member State law specifying the GDPR rules.

Any controller involved in processing will be liable for the damage caused by processing which infringes
the GDPR.

A processor will be liable for damage caused by processing but only where they have not complied with
the GDPR obligations specifically directed to processors, or, where they have acted outside or contrary
to the lawful instructions of a controller. But a controller or processor will not be liable here if they can
prove that they are not in any way responsible for the event giving rise to the damage.

Where, either, more than one controller or processor, or, both a controller and a processor, are involved
in the same processing and where they are responsible for any damage caused by processing, as set out
in the three paragraphs immediately above, each controller or processor will be held liable for the entire
damage in order to ensure that a data subject receives “effective compensation”. Where a controller or
processor has, in accordance with this, paid full compensation for the damage suffered, that controller
or processor will be entitled to claim back from the other controllers or processors involved in the same
processing the part of the compensation corresponding to their part of responsibility for the damage.

Court proceedings for exercising the right to receive compensation are to be brought before EU Member
State courts. For proceedings against a controller or processor, a plaintiff should have the choice to
bring an action before the courts of the EU Member States where the controller or processor has an
establishment or where the data subject resides, unless the controller is a public authority of an EU
Member State acting in the exercise of its public powers.

Where legal proceedings concerning the same subject matter as regards processing by the same
controller or processor are pending in a court in another EU Member State, any court other than the
court first seised may suspend its proceedings.

Data subjects can appoint a “not-for-profit body, organisation or association” in order to exercise their
right to an effective judicial remedy or to exercise the right to receive compensation.

It should be noted that there are currently cases under the existing regime on compensation, including
litigation involving Max Schrems which is heading to the ECJ on a referral from the Austrian courts. In
addition, a representative action in England & Wales, the Google -v- Vidal-Hall case, has now reached a
settlement agreement. There is more on the Vidal-Hall case here:
http://www.corderycompliance.com/vidal-hall-data-protection-class-action-appeal-settled/. This case
concerned the issue of financial compensation for distress caused by data protection infringements
without there being monetary loss. Although the Vidal-Hall case concerned the UK’s Data Protection Act
1998, it may have repercussions for the UK in the GDPR regime.


How can I best prepare to deal with fines and liability issues?
To best prepare for dealing with fines and liability issues consider the following checklist:
• Although the full application of the GDPR will be in May 2018 do not delay preparation for
compliance, including as regards fines and liability - there is a lot to do so start now and make
sure your organisation understands this clearly including at the top;
• In order to comply, or otherwise face the very real possibility of fines (or the other sanctions
described above) or the compensation claims described above, start minimising or eradicating risk
in the business now at all levels by awareness-raising in an informed and considered way about:
o The increase in fining level that could be incurred in the EU for data protection
infringements, and highlight the fact this is tied to worldwide turnover; and,
o The extended scope (“material or non-material damage”) for individuals to make claims
against the business for data protection infringements;
• Monitor any guidance at EU and DPA levels provided on the interpretation of the GDPR and
fines and liability, including the implementation of any national carve outs notably as concerning
criminal penalties;
• Follow fine developments across EU Member States, especially where the business is present
- it will take some time for some DPAs to adjust to the new regime, including the idea of
imposing higher fines, so follow and/or try to spot trends;
• In case the business looks like it might be subject to a fine:
o Clearly examine what the alleged infringement is - the articles of the GDPR are not
necessarily clear on what all of the elements are that constitute an infringement;
o Because fines are not mandatory but discretionary and are imposed on a case-by-case
basis, seek to persuade a DPA of reasons to apply its discretion and not impose a fine;
o Because fines must be “effective, proportionate and dissuasive”, which also allows a
DPA room for discretion, raise those issues with a DPA as appropriate, especially as
regards the proportionality of a fine;
o Address all aggravating and mitigating factors with a DPA - this is absolutely crucial;
o In line with the “consistency mechanism” consider whether a fine is consistent with
what is being imposed in other EU Member States;
• If the business is subject to a fine consider lodging an appeal;
• Data processors and controllers should start engaging in detailed negotiations of data
processing agreements (more time will likely be needed than currently - assess the risks and
opportunities). Start drafting and considering your negotiating position and especially consider
liability (and exclusion), for example, each side may seek indemnity coverage from the other in
relation to claims or fines received by them pursuant to the actions or omissions of the other -
strengthen your position and avoid unpleasant surprises;
• Data processors will seek to ensure that: the scope of a controller’s instructions is clear;
consent has been properly obtained from data subjects; and, that limitation of liability and
indemnity measures exist to protect their position - this will be new territory for processors;
• Run a GDPR gap analysis in order to identify areas of non-compliance, real or perceived, and
accordingly prioritise steps to address these, in particular concerning high-risk data processing
activities;
• Update your risk registers;
• Check what insurance arrangements you have in place and review these accordingly, especially
concerning any new risks;
• Plan to deal with civil liability claims;
• Key issues to consider include what position to take with regard to liability and relevant contract
terms with controllers or processors; understanding the risks and opportunities this involves,
and considering insurance cover as appropriate; and
• At the same time as doing the above, don’t forget your existing obligations under the current
data protection regime and continue to comply with them.

Relevant sections of the GDPR
If you want to follow all of the detail in GDPR the main articles are mentioned below. Other articles such
as those cross-referenced in the articles below are not mentioned:
Recitals:
• Fines - 148, 149, 150, 151, & 152
• Liability - 142, 143, 144, 145, 146 & 147

Articles:
• Fines - 83 & 84
• Liability - 78, 79, 80, 81 & 82
Need to know more?

There is more information about this and other data protection topics in Cordery's GDPR Navigator
subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and
regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.

This paper is for information purposes only and the information in this paper does not constitute legal advice. The
law changes regularly and this paper sets out the position in June 2017. If you need legal advice on a specific
matter, you should consult with a qualified lawyer. To the fullest extent permitted by law, neither Auth0 nor Cordery
make any representations, warranties, guarantees or undertakings related to the information provided in this paper.