Under the Data Protection Directive, fines were determined by local legislation only. The GDPR, on the other hand, has established common grounds for the application of fines by local DPAs, thresholds for the fine amounts according to the severity of the violations, and the framework within which DPAs should apply the fines. This article aims to present the developments in the application of sanctions by the Spanish Data Protection Authority – which has been one of the most active in Europe when it comes to sanctioning – and to analyze the compatibility of some concrete sanctions with the control parameters of Arts. 83 (1) and 84 (1) GDPR: effectiveness, proportionality and dissuasiveness.
The President of the Polish Personal Data Protection Office (PUODO) has issued eight decisions imposing administrative fines so far. The fine amounts vary from 460,00 EUR to 660.000,00 euro. Seven of the decisions concern the private sector and one is addressed to the mayor of a small town (public sector). This paper analyses which of the mitigating and aggravating factors set forth in Article 83 of the GDPR are most commonly taken into account by the Polish supervisory authority when determining the severity of fines. The paper also aims to determine whether the attitude of the data controller during the inspection can have any impact on the imposition and the amount of a fine.
In order to facilitate a uniform interpretation of the GDPR and provide a transparent calculation methodology for fines, the German Conference of the Independent Federal and State Data Protection Authorities (DSK) published the so-called "Fines Catalogue" in October 2019. This catalogue provides a complex calculation method for fines, which takes the size and the aggregate global annual turnover of the company and, based on those, determines a "daily rate" that is then assigned a multiplier based on the severity of the offence. The paper analyzes whether this calculation method meets the requirements of Art. 83, in particular whether it adheres to the principle of proportionality. It mainly questions whether basing the calculation on the company's turnover creates fair results for undertakings with low profit margins and whether it allows for the individual circumstances of each case, as laid out in Art. 83, to be sufficiently taken into account.
On 21 January 2019, the French Data Protection Authority (CNIL) issued the landmark decision against Google LLC for breaches of the GDPR on grounds of lack of transparency, insufficient information and lack of legal basis. Being the first decision issued by CNIL under the GDPR, with the largest fine (€50 million) issued by that time, the case was also the first to address the question of application of the One Stop Shop mechanism. This article elaborates how, in the absence of a main establishment, Google LLC could not benefit from the mechanism for appointing a lead DPA to act on behalf of other DPAs, and argues that CNIL's investigation and decision respected the EU procedures on cooperation and consistency.