GDPR – Guidelines On Fines To Be Imposed By Supervisory Authorities

The Article 29 Working Party (“WP29”) has published its guidelines on the application and setting of administrative fines for the purposes of General Data Protection Regulation 2016/679 (“GDPR”) (the “Guidelines”). The Guidelines provide an insight into how supervisory authorities will determine whether an administrative fine must be imposed under the GDPR.

The WP29 explains that administrative sanctions constitute an important enforcement tool under the GDPR and that it is critical for fines to be applied in an equivalent manner throughout the EU. Under the GDPR, the power to impose fines will remain with the supervisory authorities of each Member State and the supervisory authorities must observe the principles set out in the Guidelines.

Supervisory authorities will have a harmonised set of corrective powers. In addition to the power to impose administrative fines, authorities can:

  • issue warnings or reprimands;
  • impose temporary processing bans;
  • order the suspension of international data flows; and
  • order data controllers or processors to grant data subjects access to their personal data, or to correct or delete it.

The Guidelines indicate that supervisory authorities should determine the most appropriate corrective action for each specific situation, but should not shy away from imposing administrative fines. Accordingly, the WP29 maintains that the imposition of a fine should not be regarded as an instrument of last resort in the enforcement arsenal.

The Guidelines do not contain a detailed calculation method for determining the amount of the fine. This is likely to be set out in a subsequent set of guidelines.

The text of the Guidelines can be found here.