In this Blog, we created a quick view which GDPR activities are aligned to the 2%/€10,000,000 administrative fine category, and which are aligned to the 4%/€20,000,000 category.
51 Ways to Get into Trouble with GDPR
(and it can cost you millions!)
24 April 2019
Unless you were just rescued from being a castaway on a deserted island for the past two years, you are aware of the headline grabbing news about how the European Union has implemented the General Data Protection Regulation (GDPR) effective 25 May 2018.
Of the 99 articles in the GDPR, more than half are tied to requirements that, if infringed, can lead to administrative fines in the millions.
The EU data protection authorities have been swift to use their new consultative, investigative, and corrective powers. They have the power to issue fines up to the higher of 10 million Euros or 2 % of an organisation’s total worldwide annual turnover of the preceding financial year, and 20 million Euros or 4 %, respectively. Beside the ‘effective, proportionate, and dissuasive’ administrative fines, EU data protection authorities can exercise injunctive powers over data controllers and data processors.
While one should work diligently to avoid the GDPR fines, non-compliance can also wreak havoc on organisations if a data protection authority orders them to stop processing personal data (temporarily or permanently). Google is none too happy about the efforts and costs involved in fighting the French data protection authority’s €50,000,000 fine1.
Organisations should also brace themselves for EU-based individuals represented by EU non-governmental organisations (e.g., ‘None of Your Business’) filing claims on the individuals’ behalf for infringements of the GDPR, regardless of materiality.
There are at least 51 ways to run afoul of the GDPR
To stay out of trouble, one tricky area for data controllers to master is when to rely on legitimate interest as their legal basis for processing personal data. Art. 6(1) defines the six legal bases to consider before determining that legitimate interests applies.
(a) consent that is freely given by data subject and can be revoked any time
(b) contract performance or preparation to enter into contract at data subject’s request
(c) legal compliance of controller
(d) vital interests of natural persons
(e) public interest tasks vested in controller
(f) ‘Legitimate Interests’ pursued by a controller or by a third party
Besides selecting the appropriate legal basis before collecting personal data, organisations need to apply all GDPR principles described in Art. 5, starting with:
“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.”
Processing qualifies as ‘lawful, fair and transparent’ if the processing honours purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality.
Identifying the correct legal basis for processing personal data is but one of many steps that organisations must take to satisfy the GDPR.
Members of the Data Protection Network can download their latest legitimate interest assessments guide2containing scenarios and sample questionnaires to ensure the controller’s interests are balanced and do not override the fundamental rights and freedoms of the individuals. There is no cost to sign up for a DPN membership. The UK Information Commissioner’s Office recently published tips for legitimate interest on its website3.
This table is designed to give a bird’s eye view of the 51 GDPR requirements that, if infringed, may result in undesirable effects on data controllers and data processors.
|GDPR Administrative Fines €10 000 000 or 2% of global annual turnover|
|GDPR Art.||Article subject to fine / Activity|
|1||83(4)(a)||Art. 8 / Conditions applicable to child’s consent in relation to information society services|
|2||83(4)(a)||Art. 11 / Processing which does not require identification|
|3||83(4)(a)||Art. 25 / Data protection by design and default|
|4||83(4)(a)||Art. 26 / Joint controllers|
|5||83(4)(a)||Art. 27 / Representatives of controllers or processors not established in the Union|
|6||83(4)(a)||Art. 28 / Processor|
|7||83(4)(a)||Art. 29 / Processing under the authority of the controller or processor|
|8||83(4)(a)||Art. 30 / Records of processing activities|
|9||83(4)(a)||Art. 31 / Cooperation with supervisory authority|
|10||83(4)(a)||Art.32 / Security of processing|
|11||83(4)(a)||Art. 33 / Notification of a personal data breach to the supervisory authority|
|12||83(4)(a)||Art.34 / Communication of a personal data breach to the data subject|
|13||83(4)(a)||Art. 35 / Data protection impact assessment|
|14||83(4)(a)||Art. 36 / Prior consultation|
|15||83(4)(a)||Art. 37 / Designation of the data protection officer (DPO)|
|16||83(4)(a)||Art. 38 / Position of the data protection officer (DPO)|
|17||83(4)(a)||Art. 39 / Tasks of the data protection officer|
|18||83(4)(b)||Art. 42 / Certification|
|19||83(4)(b)||Art. 43 / Certification bodies|
|20||83(4)(c)||Art. 41(4) / Certification body|
|GDPR Administrative Fines €20 000 000 or 4% of global annual turnover|
|GDPR Art.||Article subject to fine / Activity|
|1||83(5)(a)||Art. 5 / Principles relating to processing personal data|
|2||83(5)(a)||Art. 6 / Lawfulness of processing|
|3||83(5)(a)||Art. 7 / Conditions for consent|
|4||83(5)(a)||Art. 9 / Processing of special categories of personal data|
|5||83(5)(b)||Art. 12 / transparent information, communication, and modalities for the exercise of the rights of the data subject|
|6||83(5)(b)||Art. 13 / Information to be provided where personal data are collected from the data subject|
|7||83(5)(b)||Art. 14 / Information to be provided where personal data have not been obtained from the data subject|
|8||83(5)(b)||Art. 15 / Right of access by the data subject|
|9||83(5)(b)||Art. 16 / Right to rectification|
|10||83(5)(b)||Art. 17 / Right to erasure (‘right to be forgotten’)|
|11||83(5)(b)||Art. 18 / Right to restriction of processing|
|12||83(5)(b)||Art. 19 / Notification obligation regarding rectification or erasure of personal data or restriction of processing|
|13||83(5)(b)||Art. 20 / Right to data portability|
|14||83(5)(b)||Art. 21 / Right to object|
|15||83(5)(b)||Art. 22 / Automated individual decision-making, including profiling|
|16||83(5)(c)||Art. 44 / General principles for transfers|
|17||83(5)(c)||Art. 45 / Transfers on the basis of an adequacy decision|
|18||83(5)(c)||Art. 46 / Transfers subject to appropriate safeguards|
|19||83(5)(c)||Art. 47 / Binding corporate rules (BCR)|
|20||83(5)(c)||Art. 48 / Transfers or disclosures not authorised by Union law|
|21||83(5)(c)||Art. 49 / Derogations for specific situations|
|22||83(5)(d)||Ch. IX / Infringing any obligation pursuant to Member State law adopted under Ch. IX|
|23||83(5)(d)||Art. 85 / Processing and freedom of expression and information|
|24||83(5)(d)||Art. 86 / Processing and public access to official documents|
|25||83(5)(d)||Art. 87 / Processing of national identification number|
|26||83(5)(d)||Art. 88 / Processing in the context of employment|
|27||83(5)(d)||Art. 89 / Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes|
|28||83(5)(d)||Art. 90 / Obligations of secrecy|
|29||83(5)(d)||Art. 91 / Existing data protection rules of churches and religious associations|
|30||83(5)(e)||Art. 58(1) / Failure to provide access in violation of 58(1)|
|31||83(5)(e); 83(6)||Art. 58(2) / Non-compliance with an order or temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to 58(2)|
Note:Consult the official text for full description of GDPR requirements4
2DPN guidance at https://www.dpnetwork.org.uk/dpn-legitimate-interests-guidance
3 UK ICO’s guide at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/
© 2019 Karima Saini, CIPP/E & CIPP/US, CIPM & FIP
The information provided and the opinions expressed represent the views of the author and do not constitute legal advice nor can be construed as offering comprehensive guidance of the various EU member state data protection legislations, regulations or other statutory measures referred to herein.