What are the penalties for data protection violations?

On 25 May 2018, the transitional period for implementing the European General Data Protection Regulation (GDPR; DSGVO in German) expired. Practically every company - regardless of size - had to have a suitable compliance structure in place by then. This includes in particular the introduction of a data protection policy, the creation of a comprehensive record of processing activities and the conclusion of contracts for commissioned data processing. In addition, a risk assessment must be carried out and so-called TOMs (technical and organisational measures) implemented. In the event of a data protection breach, high fines may be imposed.

Time and again we are asked by our clients what fines they can expect and whether they will actually be imposed. In the past, fines were rarely imposed or only for serious violations.

Unfortunately, we are not yet able to provide our clients with a concrete assessment of which fines can be expected for which infringement. There is simply no catalogue of fines and no precedents yet. In this respect, we can only fall back on our experience and on the information that is traded among the "experts". However, the leaked information gives reason for concern for those companies that have still not started with an implementation:

Amount of the fines

Under the "old" BDSG, fines of up to 300,000 euros could be imposed per individual case. The GDPR raises these limits significantly and thus already shows the relevance of data protection in Europe since May 2018. Fines of up to 20 million euros or up to 4 percent of the annual turnover (of the entire group) can now be imposed.

According to Art. 84 GDPR, sanctions must be effective, proportionate and dissuasive. The addition of the "dissuasive" criterion means that a fine must be noticeable for a company. It is therefore to be expected that, even in the case of minor infringements and even for small businesses, the lower limit of a fine is likely to be over 5,000 euros.

Frequency of reviews

Regular audits are to be expected. Art. 24 GDPR establishes a concrete obligation to prove that a data protection structure has been put in place in the company. The supervisory authorities can already verify this by simply requesting documents.

Obligation to pay fines

According to Art. 83 GDPR, a data protection breach must be punished in the future. The corresponding provision changes from a discretionary to a mandatory one. In this respect, the authority no longer has any discretion as to whether a fine is actually imposed.

Denunciation by third parties

Finally, it is likely that reporting (or denouncing) data protection violations will become a popular way to "get one over on" a competitor. Violations can be reported easily and anonymously and will automatically trigger a review of the company concerned.

Summary

With the final introduction of the GDPR, the vexed topic of data protection can no longer be neglected by companies. The amount of the threatened fines and the concrete obligation to be able to prove certain measures on demand represent a high entrepreneurial risk.

If you need help with the implementation, please do not hesitate to contact us.

GoldbergUllrich Attorneys at Law by Martin Wagner, LL.M.
Master of Laws for industrial property protection
Certified data protection officer (TÜV NORD)