On May 25, 2018, the transition period for the implementation of the European General Data Protection Regulation (GDPR) expired. Practically every company – regardless of its size – had to have a suitable compliance structure in place by then. This particularly includes the introduction of a data protection policy, the creation of a comprehensive record of processing activities, and the conclusion of data processing agreements. Furthermore, a risk assessment must be carried out, and so-called TOMs (technical and organizational measures) must be implemented. Significant fines are threatened in the event of a data protection breach.
Our clients frequently inquire about the specific fines that can be expected and whether these are actually imposed. In the past, fines were rarely imposed or only for severe breaches.
Unfortunately, we cannot yet provide our clients with a concrete assessment of which fines are to be expected for which violation. There is simply no official fine catalog, nor are there any precedents yet. In this respect, we can only draw upon our experience and the information circulated among "experts." However, the leaked information gives cause for concern for those companies that have not yet begun implementation:
Amount of Fines
Under the "old" BDSG (Federal Data Protection Act), fines of up to €300,000 per individual case could be imposed. The GDPR significantly increases these limits, which in itself demonstrates the weight data protection has carried in Europe since May 2018. Fines of up to €20 million or up to 4 percent of the annual turnover (of the entire group) can now be imposed.
Pursuant to Art. 84 GDPR, sanctions must be effective, proportionate, and deterrent. The inclusion of the deterrent criterion means that a fine must be noticeable for a company. It is therefore to be expected that, even for minor infringements and for small businesses, the lower limit of a fine is likely to exceed €5,000.
Frequency of Audits
Regular audits are to be expected. Art. 24 GDPR stipulates a specific obligation to demonstrate that a data protection structure has been implemented within the company. Supervisory authorities can verify this simply by requesting documents.
Mandatory Fines
Pursuant to Art. 83 GDPR, data protection violations must be sanctioned in the future. The relevant provision transitions from a discretionary to a mandatory requirement. Consequently, authorities no longer have discretion regarding the imposition of fines.
Denunciation by Third Parties
Furthermore, it is anticipated that the reporting (or denunciation) of data protection violations will become a popular tactic to "undermine" a competitor. Violations can be reported easily and anonymously, automatically triggering an investigation of the affected company.
Summary
With the definitive implementation of the GDPR, companies can no longer afford to neglect the critical issue of data protection. The magnitude of the threatened fines and the explicit obligation to demonstrate specific measures upon request represent a significant business risk.
Should you require support with implementation, please do not hesitate to contact us.
