Author: Olivia Tambou

 

1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them

(b) the intentional or negligent character of the infringement

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects

(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e) any relevant previous infringements by the controller or processor;

(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g) the categories of personal data affected by the infringement

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

(b) the obligations of the certification body pursuant to Articles 42 and 43;

(c) the obligations of the monitoring body pursuant to Article 41(4).

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

(b) the data subjects’ rights pursuant to Articles 12 to 22;

(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

(d) any obligations pursuant to Member State law adopted under Chapter IX;

(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.

 

A.Preliminary remarks

Art. 83 GDPR offers the possibility for the imposition of effective, dissuasive fines. More concretely, it harmonises both the administrative fines of high amounts and the general conditions for imposing such fines by the SAs. It provides therefore to controllers or processors significantly greater certainty regarding the risk of a fine. Moreover, Art. 83 promises transparency in the imposition of administrative fines for personal data breaches in all Member States.

Art. 83 GDPR achieves many goals. First, it has an incentive-goal for stakeholders to take seriously into account GDPR-compliance. In this context, DPOs and other (e.g. legal) experts may monitor such a compliance and advise relevant firms (controllers or processors) to implement more stringent (e.g. organisational or technical) measures. Second, it can contribute to public awareness and assist data subjects in realising the importance of their rights. Publicity of the imposition of fines can furthermore have a significant pedagogical effect. Third, Art. 83 GDPR can have a deterring goal regarding (re)offending, since it deprives the actors of any profits generated by an infringement. It has to be underlined that the imposition of administrative fines applies without the prejudice to the right to compensation and the GDPR-liability scheme.[1] Administrative fines can also be combined with criminal penalties, provided for by domestic law, according to Art. 84 GDPR (→ mn. 9), in conjunction with recital 149.

Art. 83 GDPR can also increase the enforcement-role of the SAs; the latter can enjoy wide discretion in addressing the installation of an EU culture of data protection. Notably, the Art. 29 WP has provided for some guidelines to facilitate the imposition of equivalent sanctions by the SAs.[2]

Art. 83, with numerous connections with other GDPR-provisions, can be seen as the cornerstone of the new regime created by the GDPR and aimed to improve enforcement of the European data protection law.[3]

Art. 83 GDPR provides for a completely new harmonised framework on administrative fines. In the past, Member States were bound by a rather general duty to lay down the sanctions to be imposed under Art. 24 DPD. A contrario, the GDPR distinguishes administrative fines from other penalties, whose regulation remains at the discretion of Member States.[4]

Overall, Art. 83 provides for the exercise of this new harmonised power by the SAs regarding the imposition of administrative fines (C) with criteria for setting administrative fines (D). The graduation of administrative fines (E) has to be exercised with appropriate procedural safeguards (F). Finally, Art. 83 takes into due account national particularities (G).

 

 

 

 

[…]

 

 

 

 

[1]See Art. 82 GDPR.

[2]See Art. 29 WP, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, adopted in 3 October 2017.

[3]In this regard, see Kotschy, ‘Art 83’ in Kuner/Bygrave/Docksey, 1180, pp. 1187–1188.

[4]See Art. 84 GDPR.