# 6 Administrative Fines under the GDPR

Following our previous publications regarding the GDPR, we shall now look into the most sensitive GDPR-related topic, namely fines and penalties.

We shall discuss the limits for these administrative fines, the criteria applicable to determining the amount thereof, as well as the specificities in work when determining fine amounts in case of undertakings and how group corporate structures shall be affected by the specificities in question.

The Regulation provides for two limits of administrative fines depending on the type of infringement:

  • Infringements of any of the obligations of the controller/processor (stipulated in Article 8, 11, 25-39, 42 and 43 of the GDPR) are subject to administrative fines up to 10 000 000 EUR, or up to 20 % of the total worldwide annual turnover of the preceding year of an undertaking.
  • Infringements of the principles of processing inherent in the Regulation, the data subjects’ rights, the transfers of personal data to a recipient in a third country, any obligations pursuant to Member State law and pertinent to special processing situations, as well as non-compliance with an order or a temporary definitive limitation by the supervisory authority are subject to administrative fines up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year of an undertaking.

The aforementioned amounts are the upper limits of administrative penalties to be imposed. Depending on the specific infringement and the ratio between due care and care actually exercised, the amounts of administrative fines may vary greatly. Different circumstances weigh in when assessing amounts. For instance, in case of infringement of several provisions of the Regulation for the same or linked processing operations, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement. In case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.

This raises the question of the criteria for setting the amounts of fines. The Regulation allows for a number of interpretations, but the Article 29 Working Party considers that assessment must depend on the degree of interference and remedy needed for any wrongful conduct or on whether any such interference or remedy is dissuasive or punitive in nature.

So far as the general rules and conditions for imposing administrative fines are concerned, those are detailed in Article 83 of the Regulation. A key element is the requirement to impose effective and proportionate fines. Such fines may be settled based on a number of circumstances such as:

  • The nature and duration of infringement;
  • The purpose of the processing concerned as well as data categories affected thereby. Certain special data categories, such as the ones revealing racial or ethnic origin, political opinions and religion are subject to higher protection[1];
  • The circumstances surrounding the infringement, namely if it is of intentional or negligent character;
  • The degree of responsibility of the controller/processor when establishing the infringement and upon termination thereof. Notification to the supervisory body and cooperation with the supervisory body in order to mitigate the infringement constitute mitigating factors;
  • Any other mitigating or aggravating factors also matter, such as previous infringements, financial benefits from the infringement, etc.

The amounts of fines imposed to undertakings may be significant. It is, therefore, reasonable to specify what is meant by “undertaking” in the Regulation. Here the legislator refers to Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU).

Although not explicitly defined therein, the term is given a broader interpretation in the case law of the Court of Justice of the EU, and according to it, for the purposes of Articles 101 and 102, the term “undertaking” is to be understood as an economic unit that may consist of a parent unit and any subsidiaries thereof. Any structures where one company exerts control over another company, whereby both companies are economically and organizationally related, shall constitute one undertaking. Such an interpretation of “undertaking” is likely to result in significant increase in the amounts of fines based on the total worldwide annual turnover of the entire corporate group, not the turnover of the specific business entity to have committed the infringement.

In conclusion, we would like to specify that the amounts of administrative fines discussed above and stipulated in the Regulation, are the upper limits of fines and sanctions that may be imposed in case of graver infringements. The Regulation reads that any case of infringement has to be subjected to extensive evaluation with due consideration of any mitigating or aggravating factors.[2] We would like to reiterate that due to the broad interpretation of the term “undertaking”, the annual turnover of the entire group of companies may be considered when determining the amount of the fine, thus significantly increasing thereof. That is why compliance with the requirements of the Regulation is of paramount importance.

THE TEAM OF DIMITROV, PETROV & CO.

[1] Articles 9 and 10 of the Regulation provide definitions of these special categories.

[2] Guidelines of the Article 29 Working Party on the application and setting of administrative fines for the purposes of the Regulation 2016/679.

# 5 The Transparency Principle under the GDPR

Following our previous publications regarding the key points introduced by the GDPR, now we will focus on one of the new principles of data protection – transparency.

Transparency is a long-established feature of EU law which is all about engendering trust in the processes which affect citizens by enabling them to understand and, if necessary, to challenge those processes[i]. Transparency is intrinsically linked to fairness and the new principle of accountability under the GDPR. The principles of fair and transparent processing require that the data subject should be informed about the existence of the processing operation and its purposes.

Transparency allows data subjects to keep data controllers and processors accountable and to exercise control over their personal data. Transparency requirements apply regardless of the legal ground for processing and throughout the entire life cycle of processing. Transparency as a principle applies to the following three stages of the cycle of processing:

1) Before the processing – when providing information to data subjects in relation to the collection of their data and how these data will be processed;

2) Throughout the whole processing period – in the manners in which data controllers communicate with data subjects in relation to their rights under the GDPR;

3) In specific cases during the processing – e.g. in case of data breaches or substantial changes to the processing.

What is the meaning of transparency? The principle of transparency in general requires that any information and communication relating to the processing of personal data should be easily accessible and intelligible, and clear and plain language should be used. That principle concerns especially information on the controller’s identity and the purposes of processing that is provided to data subjects, as well as further information ensuring fair and transparent processing in respect of data subjects and their right to obtain confirmation of their personal data processing.

Natural persons should be made aware of the risks, rules, safeguards and rights in relation to the processing of personal data, and how to exercise their rights in relation to such processing.

Article 12 of the GDPR provides the requirements to the information provided to data subject in relation to the processing:

  • it must be concise, transparent, intelligible and easily accessible;
  • clear and plain language must be used;
  • the requirement for clear and plain language is of particular importance when providing information to children – children merit special protection as they may be less aware of the risks and their rights in relation to the processing of personal data, so the information addressed to a child must be in such a clear and plain language that the child could easily understand it;
  • It must be provided in writing or by other means, including where appropriate, by electronic means;
  • Where requested by the data subject, the information may be provided orally (including by automated means like audio recording) – GDPR specifically requires that information may be provided orally on request provided that the identity of the data subject is proven by other means. This precondition applies only in relation to information provided under Art. 15 – 22 and Art. 34 of the GDPR. General information under Art. 13 and Art. 14 of the GDPR may be provided without the controller requiring the data subject’s identity to be proven[ii];
  • It must be provided free of charge – controllers cannot charge data subjects for the provision of information. Exception may exist where requests from a data subject are manifestly unfounded or excessive (for example repetitive) – in these cases the controller can either charge a reasonable fee or refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

The categories of information that must be provided are listed in Art. 13 and Art. 14 of the GDPR – these are basically details of the data controller, purposes, legal basis, processing time, information on the rights of the data subject, information on whether the provision of personal data is a legal or contractual requirement, and the consequences of a failure to provide data. A new requirement introduced by the GDPR is to provide information on the legal basis for the processing purposes – controllers should be able to relate each specific processing purpose to a specific legal basis. This actually means that controllers should be aware of the reasons for the processing of personal data and can properly identify the legal basis which is applicable to a particular purpose.

Besides the content, the form and manner in which information under Art. 13 and 14 of the GDPR should be provided are also important.  The information in relation to the processing of personal data should be provided to the data subject at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case, but not later than 1 month. With a view to these requirements, controllers should develop mechanisms to inform data subjects within the specified time limit whenever they collect and store information that is not received from the data subjects themselves, but is obtained from the Internet, a public register, etc.

Information about the processing should be provided separately from any other information – in practice, separate documents should be prepared (declarations, notices, privacy policies, and etc.). The Art. 29 Working Party, an EU data protection advisory body, advises on using layered privacy statements and push/pull notices[iii]. Information which must be provided to data subjects can also be provided in combination to standardized icons allowing the controller to give a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

In conclusion, we should summarize that the principle of transparency requires providing information to data subjects with regard to every personal data processing, which guarantees their right to be aware of the process and challenge it if needed. Exceptions to this requirement are very limited – where the data subject already has the information or where providing the information proves impossible or would involve a disproportionate effort.

Duly documenting how the principle of transparency is guaranteed becomes even more important in the context of the new principle of accountability according to which controllers carry the burden and must at all times be able to demonstrate compliance with the GDPR requirements. Therefore, it is advisable for all companies to develop mechanisms to ensure the compliance with the transparency requirement – the development of appropriate tools (privacy policies, communications, declarations) as well as procedures for informing the subjects (e.g. in case of breaches of the data security).

TEAM OF DIMITROV, PETROV & CO.

[i] Guidelines on transparency under Regulation 679/2016 of Article 29 Data protection working party (project), p. 5

[ii] Guidelines on transparency under Regulation 679/2016 of Article 29 Data protection working party (project), p. 11

[iii] Guidelines on transparency under Regulation 679/2016 of Article 29 Data protection working party (project), p. 17-18.

# 4 Consent as one of the six legitimate grounds for data processing

Dear clients and partners,

Again with GDPR in mind, we will examine consent as one of the six legitimate grounds for data processing.

By paying a lot of attention to the Regulation, partially due to the high fines it introduces, the media has provided a wide coverage of GDPR issues and key terms, including ‘consent’.

What do we know about consent so far? It is well-known that in order to be valid, consent should be:

  • freely given – the data subject should have a genuine and free choice and be able to refuse or withdraw consent without detriment;
  • specific – consent should refer to clear purpose and specified term for processing as well as to defined persons who will have access to the data;
  • informed – the data subject should be informed at least of the identity of the controller and the purposes of the processing;
  • unambiguous – it is necessary that consent is provided through a clear affirmative action – a statement or an act clearly showing that the data subject agrees to the processing.

Having briefly outlined these main features of consent validity, this publication will focus on further key aspects of the use of consent as а legal ground for processing, which are not as familiar, but which require some particular attention.

The meaning of consent as a ground for processing should not be taken too far, nor should its use be considered a panacea. There are a few reasons for that.

First, consent is only one of the six grounds for processing and its application is limited in case any of the other five legal grounds applies. For instance, consent should not apply when processing is required for the purposes of a contract. In such cases, using consent as grounds for processing is neither required, nor desirable. Remember – consent may be withdrawn! What would happen to contractual relations then…

Second, according to the understanding of the Working Party under Art. 29 (WP29), a processing activity for a specific purpose cannot be based on multiple lawful grounds. In this sense, when we process data on the grounds of consent, we cannot combine or “strengthen” consent with another legal basis, just in case the data subject withdraws their consent. Besides, if we have already started processing data on the grounds of consent, we cannot change those grounds later on. The reason is again the fact that consent may be withdrawn – a hypothesis that is non-existent with regards to the rest of the legal bases for processing.

Third, consent as a ground for processing depends on the context in which it is given. GDPR pays a special attention to the imbalance in the relations between the personal data controller and the data subject. Labour relations are just one of the many examples of such an imbalance. There is hardly a company not facing the issue of ensuring compliance of labour relations with the Regulation’s requirements. How much can we rely on consent in this context?

According to WP29, consent cannot be used as a legitimate ground here. The reason is in the imbalance between the parties and the impossibility for the employee, who constitutes a data subject, to make a free choice under fear or discomfort of potential adverse effects, which contradicts one of the main requirements for the validity of consent – the free choice.

The same example can be given with respect to the relations in which the controller is a public authority. In this case again it cannot be assumed that the data subject makes a realistic choice on whether to give their consent or not, insofar as the other party is in fact the stronger one. Such relations are marked by an obvious inequality in the context of which consent would not be valid.

Any type of influence or pressure on data subjects is considered to be an obstacle to making a free choice that deprives consent of validity and processing – of lawfulness. The controller should be able to prove at any time that consent is obtained without any threat of potential adverse effects in case of refusal.

Fourth, consent should be given separately for each and every purpose of processing. Even if the purpose recurs in certain periods of time, it is recommendable to renew the consent and inform the data subject of the processing again. It should not be assumed that once consent for processing for a particular purpose is given, it will be sufficient for subsequent data processing for other purposes.

Finally, if you imagine that obtaining consent involves some sophisticated terminology and complex language, you can relax. The information provided for the purpose of obtaining data subject consent should be simple and easy to understand by the average citizen. In this sense, exquisite legal style is in no way useful according to the GDPR.

In conclusion, we will highlight a key aspect of consent that will prove to be particularly beneficial to the online business environment – there is no legislative requirement for consent to be obtained in writing. Various techniques, particularly those related to IT solutions, would allow for consent to be accepted as explicit and therefore valid. The European legislator has provided data controllers with the opportunity to obtain consent through various manners and means, including by ticking a checkbox upon visiting a website, adjusting online service settings, etc.

THE TEAM OF DIMITROV, PETROV & CO.

# 3 Dimitrov, Petrov & Co. contributes to the new Data Privacy Advisor service of Thomson Reuters

As a response to the global dynamics in regulations concerning data privacy, the international mass media corporation Thomson Reuters launched a new online service – Data Privacy Advisor. It aims to combine best-in-class content related to data privacy. In addition to providing timely feeds on news and trends in the field and returning answers to data privacy research questions, the service contains ample information on data privacy rules applicable in different countries.

The materials published in the Bulgarian section were prepared by Desislava Krusteva, head of the Privacy Data Protection Practice at Dimitrov, Petrov & Co., CIPP/E, and Gavrail Poterov, also on the team of the law firm. The collaboration of the law firm with Thomson Reuters on this project is on an ongoing basis. The experts at Dimitrov, Petrov & Co. are seeing to the updates in the Bulgaria-related information on the Data Privacy Advisor.

Data Privacy Advisor presentation and service preview are available here: Data Privacy Advisor Overview

# 2 How to Avoid a €20m or a 4% from your annual turnover sanction. Meritas Guide to the Steps Companies Should Take to Comply with GDPR

In the light of the new Regulation (EU) 2016/679 (GDPR) concerning personal data protection that shall apply as of May 25, 2018, MERITAS – a leading global network has prepared a short informative video to illustrate recommended steps to companies in order to ensure GDPR compliance.

The preparation process is divided into three major stages:

  • Discovery/audit of the personal data processing practices applied in the organization;
  • Gap analysis;
  • Development and implementation of internal policies and procedures that correspond to GDPR requirements.

As a global legal network, MERITAS has a cross-border Data Protection Group that brings together leading experts in the field from the member law firms across EU. Their collaboration allows them to resolve their clients’ domestic and international data protection issues.

Dimitrov, Petrov & Co. is the exclusive member of MERITAS for Bulgaria since 2005 and is also actively preparing its customers for ensuring compliance with the GDPR requirements.

Introduction

Dear clients and partners,

From May 25, 2018, the new European regulation on personal data protection – Regulation 2016/679 (GDPR) shall apply. GDPR introduces stricter requirements for the business regarding personal data protection as well as unprecedented sanctions. The amount of the sanctions provided can reach up to EUR 20 million or 4 % of the total worldwide annual turnover of the undertaking of the preceding financial year, whichever is higher.

What are personal data? Are we processing such?
Do the new GDPR rules affect us?
Is our business ready to face that challenge?
What is the best way to protect ourselves from sanctions? How can we minimize the risks to our business?
Should we change the business processes?

Each one of you has reasonably been asking themselves at least part of these questions and perhaps a lot more. Being your trusted partner, the Dimitrov, Petrov & Co.’s team will help you familiarize yourself with the essence of the new requirements by preparing a series of explanatory publications on key concepts regarding GDPR.

We are glad to present to you our first GDPR publication focusing on the data protection officer (DPO). Let us take the first steps towards GDPR together!

The team of Dimitrov, Petrov & Co.

# 1 Data Protection Officer

The Data Protection Officer (DPO) is a new figure introduced by the GDPR in order to assist organisations in managing personal data protection. DPO is supposed to be the “person in charge’ regarding all personal data protection issues within the undertaking – from providing clarifications and advice to employees and management body, through control of data processing activities, to functioning as the contact point for both the supervisory authorities and the data subjects whose personal data are being processed.

While under the current regime, the undertakings have been given the opportunity, at their discretion, to appoint the so called „Data Protection Official”, under GDPR for first time the designation of a “person in charge” of personal data protection becomes mandatory for the organizations (personal data controllers and processors). GDPR requires the designation of DPO in three specific cases:

  • where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
  • where the core activities of the controller or the processor consist of:
    • processing operations, which require regular and systematic monitoring of data subjects on a large scale. A “large-scale” would be considered for instance, the processing of patient data in the regular course of business by a hospital; the processing of travel data of individuals using a city’s public transport system; the processing of customer data in the regular course of business by an insurance company or a bank; processing of personal data for behavioural advertising by a search engine; processing of data (content, traffic, location) by telephone or internet service providers, etc. On the other hand, “Regular and systematic” would be monitoring which involves operating a telecommunications network; providing telecommunications services; email retargeting; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking; loyalty programs; behavioural advertising; closed circuit television, etc.¹;
    • processing on a large scale of special categories of data under GDPR (e.g. personal data revealing racial or ethnic origin, data concerning health or data concerning a natural person’s sex life or sexual orientation; genetic data, biometric data such as fingerprints, facial shapes, iris, retina, etc.) or data relating to criminal convictions/ offences.

Besides in the cases listed above, Member States may set additional requirements for the designation of a DPO. According to information available on the website of the Bulgarian Commission for Personal Data Protection, DPO needs to be designated also in the cases where the organization processes personal data of more than 10 000 individuals². Even when the designation of DPO is not mandatory, GDPR allows organizations to voluntarily appoint DPO – such an appointment may be a successful marketing and reputational tool, as well as an efficient way of fulfilling some burdensome obligations. If an undertaking, even not having such an obligation, appoints DPO, it needs to comply with all the GDPR’s rules regarding this position, including ensuring independence.

DPO should possess an in-depth expertise on data protection law and practice. A single DPO is allowed to be designated by a group of undertakings (provided that the said DPO is easily accessible from each undertaking) or by a several public authorities/ bodies, taking account of their organisational structure and size. According to GDPR, DPO may be a staff member of the organisation or to be external fulfilling the tasks on the basis of a service contract. It is a matter of judgement for each organisation to decide what is the best way to designate DPO taking into account the specifics of its operation. Given that DPO is a staff member, he or she cannot combine other functions which would be in conflict with his or her duties and responsibilities as DPO. For example, senior management positions such as chief executive, head of Human Resources, chief financial or head of IT department cannot act as DPO, as they will have to control themselves. Any DPO must be “independent” – he/she shall be responsible to the highest management only and cannot be dismissed or sanctioned for reasons related to the performance of his/ her tasks (e.g. for consulting the controller to conduct impact assessment, because DPO considers a particular data processing operation to be particularly risky).

The rules and requirements regarding DPO need to be taken seriously as their infringement may result in fines up to EUR 10 million, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. If properly used, the DPO figure may turn into a powerful tool for achieving and maintaining compliance with the new rules.

¹ Refer to Guidelines on Data Protection Officers (‘DPOs’) by the Data Protection Working Party under Art. 29, available at the following Internet address: http://ec.europa.eu/newsroom/document.cfm?doc_id=44100

² Refer to See Ten practical steps to implement the General Data Protection Regulation by the CPDP available at the following Internet address: https://www.cpdp.bg/?p=element&aid=1109

The team of Dimitrov, Petrov & Co.

The present material is elaborated by the team of Dimitrov, Petrov & Co. Law Firm and is addressed to clients and partners of the firm as well as other readers interested in the law field and in the field of personal data protection.

The information and the opinions in this material are not a comprehensive and detailed analysis of the considered legal issues.

The presented analyses and other information materials are not legal advice or consultation, and shall not be apprehended as sufficient for dealing with specific legal issues, cases, etc. All materials in the present e-blog are under the protection of the Copyright and Neighboring Rights Act. Any kind of change, publishing, distribution, etc. without prior explicit consent of Dimitrov, Petrov & Co. is forbidden.