The compulsory deadline for organizations to ensure their compliance with GDPR is a well-declared 25th of May, less than a month left from this date. It has recently been argued by International Association of Privacy Professionals that 40 per cent of European and American organizations – non-EU organizations also that carry out data processing for EU citizens or that conduct established activities in the territorial scope of a EU member state – that are expected to achieve compliance until the deadline, admit that they are not going to be able to be in compliance in time of the set deadline but only after the deadline when it is enforced. Furthermore, generally it is estimated that only six of 28 EU member states have updated and fix their own national data protection laws in the scope and efficiency of GDPR.
Considering the findings of various surveys conducted by International Association of Privacy Professionals, it is likely that after 25th of May we may see several penalty notices around. The penalties and sanctions in case of non-compliance of GDPR are set under Article 83 and 88 with referrals to many other article about data processing, controlling, rights and duties. Fines imposed to organizations in case of non-compliance can impose a fine set at maximum financial cap of EUR 10 million, in some cases also EUR 20 million or up to 2 or 4 per cent of the worldwide annual turnover.
Non-compliance of the regulation leading to imposition of fines is empowered by Article 88 but capitalization of the fines differs according to particular kinds of infringements. In the first case of non-undertakings, the organization is fined up to EUR 10 million or 2% of the total worldwide annual turnover in preceding year for undertakings, whichever is higher. This article and fine imposition is covered by issues such as children consent, records of processing, non-cooperation with regulators, security and breach notification.
On the other hand, issues like children consent, data protection by design and by default, engagement of processors by controllers that are covered by fines up to EUR 10 millions (sometimes more) by Article 88 with referrals to Articles 8,11,25-39,42 and 43 only bear secondary cruciality in contrast to issues covered again by Article 88 but with referrals to Articles 5,6,79,12,22,44,49 and 58. The latter are covered by fines up to EUR 20 million or 4% of the total worldwide annual turnover in preceding year for undertakings, again whichever is higher. These infringements cover more vital issues indicated by the regulation such as lawfulness of processing, consent, data subject rights, international transfers, failure to comply with the DPA’s investigatory and corrective powers.
The fines to be imposed are determined by the Data Protection Authorities’ investigatory and corrective powers indicated by Article 58. As issues like data protection principles and lawfulness of processing and data subject rights are linked together in many senses, non-compliance or infringement of one of these issues will probably lead to the conviction that many other in linkage are also infringed, thus pointing to a serious breach and infringement of the regulation. Still, Article 83 presents an upside for such breaches: If there are various several breaches, total amount of the fine cannot exceed the amount specified for the most serious breach, meaning that each kind of breach will e designated a proportion of the amount of the fine that will be imposed.
Organizations can also be imposed fines higher than 10 million or 20 million fines, depending on the issue and article infringed upon and whether the organization is an undertaking or not. An undertaking that has been defined by European law as an entity engaged in commercial activity points out to companies. By that token, public authorities and unincorporated association are not undertakings. Still in cases of breaches and infringements, non-undertakings will be fined up to EUR 10 or EUR 20 million.
Taking the definition of the term undertaking into account, the issue may seem ambiguous if a company is part or a subsidiary of a group of companies, does it pay the fine based on the group worldwide annual turnover or just based on its individually worldwide annual turnover? An undertaking is determined and qualified by European law as a ‘single entity’. Therefore, even if an undertaking is a member of a group of companies, it will only pay fines up to the maximum percentage of its individual turnover.