Fines, Sanctions and Compensation
The teeth in the GDPR & Data Protection Act
by Simon McGarr, CIPP/E, Data Compliance Europe
DPC Sanctions: Fines & More
The headline change in every presentation on the GDPR in 2018 was the new level of fines available to Data Protection Authorities. For the private sector, these fines were particularly noteworthy. But they are not the only new source of risk created by the GDPR and the new Irish Data Protection Act.
All the DPC powers, Part 1 (Art 58(2))
(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
(c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;
(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation in a specified manner and within a specified period;
(e) to order the controller to communicate a personal data breach to the data subject;
Speaker note: talk about (d) here and the potential costs it can trigger. There is one example from pre-GDPR where following the compliance order cost millions.
All the DPC powers, Part 2 (Art 58(2))
(f) to impose a temporary or definitive limitation including a ban on processing;
(g) to order the rectification or erasure of personal data or restriction of processing and the notification of such actions to recipients to whom the personal data have been disclosed;
(h) to regulate certification bodies;
(i) to impose an administrative fine in addition to, or instead of, the measures referred to in this paragraph;
(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.
Speaker note: talk about the fines, €20m or 4% of global turnover, or €10m or 2% of global turnover.
Fines: Two Levels
Breach of basic rights (Art 83(5)): UP TO 4% of global annual turnover or €20 million, whichever is the larger.
Breach of process requirements (Art 83(4)): UP TO 2% of global annual turnover or €10 million, whichever is the larger.
Public sector fines are capped at €1 million under the Irish Data Protection Act 2018.

2% fines are for 'process failures' (Art 83(4)):
- Failing to integrate data protection 'by design and by default'
- Records of processing activities
- Cooperation with the supervisory authority
- Security of processing
- Notification of a personal data breach to the supervisory authority
- Communication of a personal data breach to the data subject
- Data Protection Impact Assessment
- Prior consultation
- Designation, position or tasks of the Data Protection Officer
- Certification

4% fines are for breaches of basic rights (Art 83(5)):
- The basic principles for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data
- Rights of the data subject
- Transfer of personal data to a recipient in a third country or an international organisation

When deciding whether to impose a fine, and the amount of any fine, the following are taken into consideration in each individual case (Art 83(2)):
- The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them
- The intentional or negligent character of the infringement
- Any action taken by the controller or processor to mitigate the damage suffered by data subjects
- The degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them
- Any relevant previous infringements by the controller or processor
- The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects
- The categories of personal data affected by the infringement
- The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
- Where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures
- Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42
- Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement
Enforcement Orders
The cost of complying with an enforcement order under Art 58(2)(d) may exceed a fine if systems have been poorly designed: an order to bring processing into compliance within a specified period can force redesign of the systems themselves, not just payment of a penalty.
Compensation Rights
As well as fines, companies that breach individuals' personal data now face the risk of litigation seeking compensation. The GDPR overturns a limitation created by the Irish High Court under the old regime (Collins v FBD). Article 82 GDPR gives a right to compensation for material or non-material damage, so claimants will no longer have to prove both that they suffered a breach of their rights and that the breach caused them a financial loss. They may now claim for a breach of rights alone.
Speaker note: talk about tort, building sites etc.
What's the Quantum?
No compensation cases yet in the UK or Ireland under the new laws for breach alone.
Old regime:
- One UK case (Vidal-Hall v Google): UK courts awarded £10,000
- One Irish case (Collins v FBD): Irish court awarded €15,000
Mass Actions: Article 80?
The GDPR introduced many new rights and responsibilities in EU member states, but Article 80 may be the most far-reaching change. For the first time, (some) EU NGOs will be able to make complaints to data regulators and take litigation on behalf of wronged individuals. Where Member State law provides for it, they will also be empowered to collect compensation on their behalf.
Article 80(1), GDPR
"The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law."
Irish law gave it full effect
After much debate, the Irish Government passed a law giving full powers to a mandated NGO to act for individuals, including the power to recover compensation on their behalf. It is not exactly a class action in the US style, but it is, for the first time, a mass action.
Section 117(7) & (8), Data Protection Act 2018
"(7) A data protection action may be brought on behalf of a data subject by a not-for-profit body, organisation or association to which Article 80(1) applies that has been mandated by the data subject to do so.
(8) The court hearing a data protection action brought by a not-for-profit body, organisation or association under subsection (7) shall have the power to grant to the data subject on whose behalf the action is being brought one or more of the following reliefs:
(a) relief by way of injunction or declaration; or
(b) compensation for damage suffered by the plaintiff as a result of the infringement of the relevant enactment."
Compliance is cheaper than the alternative
Any Questions?
You can find me at hello@datacomplianceeurope.eu