The Article 29 Working Party (WP29) has adopted final guidelines on the application and setting of administrative fines under the GDPR. The guidance is intended for use by the supervisory authorities to ensure a consistent approach to the imposition of administrative fines, which is central to a harmonised data protection regime.
Once an infringement has been established, the supervisory authority must identify the appropriate corrective measure to address the non-compliance, observing the following principles:
Guidance is also provided on the assessment criteria in Article 83(2) of the GDPR to determine whether a fine should be imposed and the amount of that fine. In determining the nature and gravity of the infringement, for example, the supervisory authorities are asked to consider the number of data subjects, the purpose of the processing, the level of damage suffered and the duration.
The guidance also points out that, although Recital 148 introduces the notion of “minor infringements”, there is no obligation on the supervisory authority to always replace a fine by a reprimand in the case of a minor infringement. Instead it is 'a possibility that is at hand, following a concrete assessment of all the circumstances of the case.'
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.