The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy for all individuals within the European Economic Area (EEA). It protects people's data by ensuring their privacy and honoring their rights. The GDPR imposes specific rules on any organization that serves people in the EEA, and failing to follow them will result in fines. The following is a summary of the most important GDPR rules:
- A user's personal information must not be accessed, collected, or used in any manner without the user's freely given and explicitly accepted consent.
- Users must have access to the personal information they have shared and be able to review, edit, and delete it.
- Data shared by users must be stored securely and given appropriate protection.
- Privacy policies must be easily accessible to users and written in clear, simple language.
To learn more about the GDPR and what it covers, we recommend reading the article Ultimate Guide to GDPR.
Many organizations have been sanctioned for violating the GDPR, in some cases with eye-watering fines. This article explains the conditions under which GDPR fines are imposed and the factors that determine their severity.
Conditions for imposing GDPR fines
Article 83 of the Regulation lays down the conditions for imposing administrative fines for GDPR violations and the factors that determine their severity, including:
- the nature, gravity, and duration of the violation;
- whether the violation was intentional or happened by negligence;
- the action taken by the organization to mitigate the damage suffered by users;
- technical and organizational measures implemented to tackle the situation;
- any relevant previous violations by the organization;
- the degree of cooperation with the supervisory authority to remedy the violation and mitigate its possible effects;
- the categories of personal data affected by the violation;
- whether, and to what extent, the organization notified the supervisory authority of the violation, or whether the authority learned of it by other means;
- whether measures under Article 58(2) have previously been ordered against the organization regarding the same violation;
- the organization’s adherence to approved codes of conduct or certification mechanisms; and
- other factors, such as financial benefits gained, or losses avoided, directly or indirectly, from the violation.
Severity Levels of GDPR Fines
There are two tiers of GDPR fines: one for less severe violations and one for severe violations.
A less severe violation can result in a fine of up to €10 million, or 2% of the organization's annual global turnover, whichever is higher. This tier applies to violations such as:
- Collecting information from a child under the age of 16 without parental consent.
- Collecting, storing, or processing additional information to identify a user when the purpose of the processing no longer requires identification.
- Failing to follow basic privacy-by-design principles.
- Sharing user data with other joint controllers without the user's consent.
- Failing to disclose third-party involvement in the privacy policy.
- Not keeping records of the personal information collected from users.
- Failing to inform the supervisory authority of a data breach within 72 hours of becoming aware of it.
- Not performing a data protection impact assessment, putting users at risk of data misuse.
- Not appointing a data protection officer to provide guidance on the rules and monitor compliance with them.
A severe violation can result in a fine of up to €20 million, or 4% of annual global turnover, whichever is higher. This tier applies in cases such as:
- Processing personal data provided by the user in an illegitimate, fraudulent, or corrupt way.
- Processing personal information without informing the user or obtaining their consent, except where the law permits it.
- Sharing a user's sensitive personal data without their consent.
- Not informing users that they can opt out of cookies, or not explaining how to do so.
- Refusing users a copy of the information held about them.
- Refusing users access to the information they shared, or not allowing them to request that it be reviewed, edited, updated, deleted, or transferred.
- Transferring users' personal data across international borders without proper safeguards.
- Not complying with an order issued by a supervisory authority.
Not all cases lead to fines. The supervisory authority has the power to decide what course of action to take against the organization. Depending on the violation, it may take the following measures, with or without a fine:
- issuing a warning
- a temporary or permanent ban on processing activities
- ordering data deletion
- restricting data transfers to third countries
An organization can avoid hefty GDPR fines and penalties by abiding by the GDPR standards (in particular its principles and the rights of users) from the start of its processing activities. It is a common GDPR myth that the Regulation is all about fines and that its primary purpose is to punish organizations. This is not true. The Regulation aims to protect personal data and give people more power and control over it, and these rigorous measures exist to safeguard their rights, freedoms, and interests. The fines and penalties are designed to be fair and proportionate for everyone.
Moreover, being hit with such fines or penalties can severely damage an organization's reputation and the trust people place in it.
Disclaimer: This article does not constitute legal advice. Its purpose is to share general information with readers. For legal assistance, consult a lawyer or a professional specializing in the GDPR.