Chapter 8 of the GDPR also provides for the fine and penalties liable to be imposed upon the data controller or processor. Apart from fine, article 83 also provides for general conditions under which an administrative fine can be imposed upon the data controller or processor. Firstly, it states that supervisor authority must ensure that the administrative fines are effective, proportionate and dissuasive in each individual case.
While deciding the administrative fine and deciding on the amount of the administrative fine in each individual case due regards must be given to the followings-
- The nature, gravity and duration of the ifnrignemnet must be taken into consideration, the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- The intentional or negligent character of the infringement;
- Any action taken by the controller/processor in order to mitigate the damage suffered by the data subjects;
- The degree of the responsibility of the controller /processor considering the technical and organisational measures implemented by them;
- Any relevant previous infringements by the controller/processor;
- The categories of personal data affected by the infringement;
- The manner as per which the infringement became known to the supervisory authority particularly, whether, the controller or processor notified the infringement;
- Adherence to approved codes of conduct or approved certificate mechanism; and
- Any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly from the infringement.
- The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement.
Picture Credit- https://www.vistainfosec.com