Penalties for violations of GDPR - facts and myths


The entry into force of the GDPR was accompanied by a great deal of emotion, most of it centered on the enormous sanctions that an entrepreneur could potentially face for any breach related to the protection of personal data. Is there really anything to fear? How likely are inspections by the Office for Personal Data Protection, and can they actually result in a fine of several million euros for violations of the GDPR?

It should be noted at the outset that in Poland the only entity authorized to inspect irregularities related to the protection of personal data is the Office for Personal Data Protection (UODO). Its structure is highly centralized: it has a single headquarters, in Warsaw. At the same time, the number of entities processing personal data is extremely large, since almost every business activity involves such processing to a greater or lesser extent. For this reason, and given the Office's limited staff, the probability of a so-called preventive inspection is low. It increases significantly after a major incident that may negatively affect the rights and freedoms of data subjects.

Examples of such situations are:

  • loss of a customer database due to third-party actions (e.g. theft by an IT provider, theft by an employee, etc.);

  • accidental disclosure of the database (e.g. sending it to the wrong e-mail address, accidentally publishing fragments of it on a website, etc.);

  • loss of computer hardware as a result of a break-in at the company's headquarters;

  • significant damage to the database due to hardware failure (where no backup exists and the database cannot be restored).

In such situations we are usually dealing with a so-called personal data breach, which may result in physical, material or non-material damage to natural persons, discrimination, identity theft or fraud, financial loss, damage to the reputation of the data subject, or any other significant economic or social disadvantage.

Attention! In such a situation the entrepreneur must remember the obligation to report the breach to the supervisory authority (the President of the Personal Data Protection Office) within 72 hours, unless he is able to demonstrate that the breach is unlikely to result in a risk to the rights or freedoms of natural persons. In addition, in most such cases the entrepreneur will also have to notify the persons whose data has been disclosed or lost.

What are the penalties for violating the GDPR?

The examples cited above are extreme situations that cause the most serious consequences not only for the data subjects but also for the data controller, i.e. the entrepreneur. The Personal Data Protection Office will not impose a penalty for a specific event as such (e.g. an accidental disclosure of data), but for the failure to comply with the provisions of the GDPR that led to that event. The GDPR allows the supervisory authority to impose administrative fines of:

  • up to EUR 10,000,000 or up to 2% of the company's total annual worldwide turnover from the previous financial year (whichever is higher), for example for:

    • irregularities in entrusting data processing;

    • improper keeping of the register of processing activities or its lack;

    • lack of cooperation with the supervisory authority (the supervisory authority initiates such cooperation where necessary);

    • inadequate protection of personal data (i.e. failing to take into account the state of the art, the nature, scope, context and purposes of processing, and the risk to the rights and freedoms of natural persons);

    • failure to report a breach of personal data protection or failure to notify data subjects about the breach;

  • up to EUR 20,000,000 or up to 4% of the company's total annual worldwide turnover from the previous financial year (whichever is higher), for example for:

    • processing of personal data contrary to the principles of the GDPR (e.g. the principle of data minimization, accuracy, purpose limitation, etc.);

    • processing of personal data without a legal basis;

    • failure to comply with the conditions for consent to the processing of personal data (e.g. the requirement that consent be freely given);

    • failure to meet the conditions for the processing of special categories of personal data (e.g. data on health, religion, sexual orientation);

    • failure to fulfill obligations relating to the rights of the data subject (e.g. the information obligation, the right of access, the right to rectification, etc.);

    • irregularities in the transfer of personal data to third countries or international organizations.

Could fines amount to several million euros?

Under the provisions cited above, fines can reach enormous amounts: in theory any entrepreneur can be fined EUR 20,000,000, and a large enterprise with significant income can be fined much more, up to several hundred million euros. However, two important points should be noted. Firstly, administrative fines are not mandatory: even where irregularities are found, the supervisory authority is not obliged to impose one. Secondly, when determining the amount of a fine, the supervisory authority must take into account a number of factors that may affect it. These include, for example:

  • the nature, gravity and duration of the infringement;

  • intentional or unintentional nature of the breach;

  • actions taken by the controller to minimize the damage;

  • the controller's history (i.e. whether this is its first incident) and the degree of its cooperation with the supervisory authority.

Because these circumstances must be taken into account, in the vast majority of cases concerning minor breaches a fine will be imposed only as a last resort, and its amount will certainly not be anywhere near the upper limit.

Attention! Situations in which consulting or training companies threaten small entrepreneurs with guaranteed fines of EUR 20,000,000 can be treated as an attempt to pressure the entrepreneur into using the services of such dishonest companies.

High financial penalties were introduced into the legal system primarily to counteract unfair personal data processing practices by large corporations operating in the ICT industry and providing so-called information society services. This does not mean, of course, that this tool cannot be used against small or medium-sized enterprises. For that to happen, however, there must be significant circumstances that increase the enterprise's liability.

Example 1.

Computers holding a large customer database with a wide range of information were stolen from an entrepreneur. They were kept in a locked room with full access control (an access code issued only to employees with the required authorization and training). The room also met high security standards (locks and doors of a high security class), and the security measures had been defined on the basis of regularly conducted risk analyses and security audits. The entrepreneur reported the breach to the supervisory authority, as required by the GDPR.

In such a situation, the entrepreneur can expect a very light penalty or none at all.

Example 2.

Computers holding a large customer database with a wide range of information were stolen from an entrepreneur. They were kept and used in a reception area that was temporarily left unattended. The entrepreneur had ignored the recommendations of an earlier UODO inspection and had conducted no risk analysis or security audit. He had not applied security measures adequate to the risk, and he did not report the breach to the supervisory authority.

In this situation, the financial penalty may be very severe (taking into account the entrepreneur's financial capacity).


If not fines, then what?

Before the GDPR, the main tools used by the supervisory authority were the so-called corrective powers (prior to the entry into force of the GDPR, the supervisory authority had no power to impose fines). Under the current legal order (i.e. after the entry into force of the GDPR), corrective powers continue to play an important role. They mainly take the form of orders and prohibitions and may be imposed on their own or alongside a financial penalty. They include:

  • issuing warnings that planned processing operations are likely to infringe the provisions of the GDPR;

  • issuing reprimands where processing operations have infringed the provisions of the GDPR;

  • ordering the fulfillment of the data subject's request;

  • ordering the adaptation of processing operations to the provisions of the GDPR;

  • ordering notification of the data subject about a breach of data protection;

  • introducing temporary or total limitation of processing, including the prohibition of processing;

  • ordering the rectification or deletion of personal data or limitation of their processing;

  • withdrawal of certification or ordering the certifying entity to withdraw certification, if its requirements are not met or are no longer met;

  • ordering the suspension of data flows to a recipient in a third country or to an international organization.

Attention! Apart from the cases listed above, processing personal data that may not be processed at all, or that the person concerned is not authorized to process, may constitute a crime punishable by up to 3 years' imprisonment (this applies, for example, to the sale of an illegally obtained database).

Summary: how to protect yourself from penalties

The best way to avoid penalties is not to give the Office for Personal Data Protection a reason to carry out an inspection. Regardless of the size of the enterprise, two basic principles should be followed:

  • applying security measures adequate to the level of risk, so as to prevent incidents that by law must be reported to the President of the Personal Data Protection Office;

  • ensuring that the rights of data subjects are reliably implemented and that this process is documented (in the first two months after the entry into force of the GDPR, the Personal Data Protection Office received 1,300 complaints; each complaint must be examined, and those found to be justified may be grounds for an inspection).

Further rules that small and medium-sized businesses should follow in order to sleep well, and which are neither time-consuming nor very costly, are:

  • keeping a register of processing activities or a register of categories of processing activities;

  • ensuring that only authorized and trained employees are allowed to process personal data;

  • entrusting personal data to others only on the basis of precisely drafted contracts whose compliance can be verified;

  • ensuring that each process related to data protection is reliably documented (in accordance with the principle of accountability).

Whether we are dealing with a large company that processes personal data on a large scale or with a small company that nevertheless operates on large data sets, the best solution will be to appoint a competent data protection officer or to use the services of a company specializing in data protection.