5+5 THINGS AFFECTING HOW MUCH YOU PAY FOR A GDPR BREACH
12 February 2018
Data protection authorities can impose administrative fines of up to 20 Million Euro based on the EU GDPR. But what affects the actual amount that you have to pay in case of infringement? And how can you minimize the risk of an astronomical penalty? We gathered some hints in our latest article.
The Article 29 Working Party recently published guidelines on penalties under GDPR.
First, it must be noted that the guidelines stress that penalties are only one of 10 (ten) corrective measures that can be applied by data protection authorities.
For this reason, the 5+5 criteria below are considered not only when calculating the amount of the penalty, but also when the data protection authority assesses whether a penalty or another corrective measure should be applied.
We can put these assessment criteria into two groups: the first contains those connected to the breach itself, while the second contains those relating to the infringing data controller or data processor.
First and foremost, the type of infringement is the starting point when assessing sanctions and fines.
In case of a minor, administrative non-compliance with GDPR, the penalty cannot exceed 2% of your company's annual turnover or EUR 10 Million, while more serious infringements, such as the breach of the basic principles of data processing or the infringement of natural persons' rights, fall under the higher thresholds of 4% of annual turnover or EUR 20 Million.
The number of data subjects affected by the data breach is important, because one isolated case is not the same as an infringement concerning several hundred, let alone several thousand, private individuals.
It is also important whether any damage was caused, or is likely to be caused, by the data breach (e.g. bank account details or health information was leaked), and if so, what the extent of the damage is.
The duration of the breach must also be taken into account, because a one-time breach will be judged differently from a continuous breach lasting for months or even years.
The type of personal data affected by the breach also matters, because an infringement concerning sensitive personal data (e.g. health-related data) is always more serious than a data breach relating to other, non-sensitive data.
It goes without saying that intentional data breaches must be judged more seriously than negligent ones. It is a telling fact when the top management of the company explicitly or implicitly allowed the data breach, or disregarded the advice of the data protection officer. This is the case if the data breach served the purpose of gaining business benefits (e.g. achieving a market position, etc.).
The organizational, technical and security measures implemented by the data controller can influence the degree of responsibility. The adequacy of these measures must be judged on the basis of industry standards and "best practices".
Cooperation with the authority by the data controller, and notification of the data breach on its own initiative, are circumstances that can decrease the amount of the penalty.
The fact that the data controller has taken measures mitigating the consequences of the data breach (e.g. the notification of data subjects, etc.) must be considered as a mitigating circumstance.
Last, but not least, any earlier data breaches committed by the data controller, or non-compliance with or disregard of earlier corrective measures imposed by the authority, will be considered as aggravating circumstances when calculating the amount of the fine.
As you can see, at least half of the 10 assessment criteria depend only on you, on the actions you take (or fail to take) before and after a possible breach of the GDPR.
The good news is that you can dramatically minimize the risk of an astronomical penalty with careful preparation, and with honest, cooperative and proactive crisis management, on the basis of the policies adopted during your GDPR compliance project.
So, it is high time to start your GDPR compliance project!