Administrative fines and penalties are covered in Article 83 and Article 84 GDPR. Article 83 lays down administrative fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher; Article 84 leaves further penalties to the Member States.
These stipulations apply, in principle, to companies based in the EU as well as to companies outside the EU that collect, process and use personal data about people living in the EU and whose activities are directed at the EU. In this context, the responsibilities of a company's management team are of particular interest. Unlike the current (and future) Austrian Data Protection Act, the GDPR contains no provisions on the responsibility of natural persons in the event of privacy breaches. The legal literature, however, interprets individual stipulations of the GDPR as protective legislation. As a result, the burden of proof is eased for data subjects, and the liability risks for data controllers and their corporate organs (e.g. managing directors) have increased.
Under Austrian legislation on managing directors' liability, managing directors must conduct the affairs of the company with the care and diligence of a prudent business manager. This means that where the company has to pay damages or fines because of a breach of data protection duties, the managing directors can be held liable to compensate the company. With the increasing use of information and communication technologies in business, compliance with data privacy regulations has come to be seen as an integral task of a company's management. Against this backdrop, a managing director cannot plead a lack of knowledge or skills: he or she would have had either to decline the management position or to commission an external advisor (such as a data protection officer). In general, managing directors are liable only to the company and not to natural persons. A breach of a data protection law, however, may very well result in direct liability.
What hurts the most: fines and other sanctions
The GDPR will apply from 25 May 2018. Breaches of its stipulations will then be fined: in an extreme case, a company might have to pay a penalty of up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Such fines could also be imposed on your company in the event of a serious breach. It is thus essential to take the necessary steps to implement a sound compliance system as soon as possible.
Why fines? The sanctions stipulated in the GDPR are intended to deter companies from breaching data privacy regulations and to raise awareness that such infringements also violate European fundamental rights. For this reason, the European legislator required that fines be effective, proportionate and dissuasive.
Are the authorities likely to impose the maximum fine? This question is very difficult to answer, especially since the Austrian Data Protection Authority has not commented on the parameters governing the amount of a fine. The GDPR does, however, define a number of criteria (which are not exhaustive) that the authorities must take into account when deciding on the amount of a fine.
What are those criteria? They include the nature, gravity and duration of the infringement and whether it was intentional or negligent. Authorities can also consider any relevant previous infringements and the manner in which the infringement became known to the supervisory authority (think: voluntary disclosure) as aggravating or mitigating factors. The financial standing of the company can be a further significant criterion in setting the fine.
What are the other potential penalties? The Austrian Data Protection Authority can make use of the powers stipulated in the GDPR and order the company to end the infringement. To this end, it can, for example, issue a warning or order the company to bring its data processing operations into compliance with the GDPR. The Austrian Data Protection Authority can also prohibit any further data processing.
Are these rules final? No, because the GDPR gives national legislators the option to introduce further penalties. The new Austrian Data Protection Act, which also takes effect on 25 May 2018, stipulates administrative fines of up to EUR 50,000 for natural persons (e.g., managing directors) and provides for direct liability of managing directors in those cases in which no penalty is imposed on the company itself under the GDPR.
How are breaches of data privacy compliance revealed? On 25 May 2018, the role of the Data Protection Authority in Austria will shift significantly. The Austrian Data Protection Authority will no longer be occupied with approving international data transfers. Instead, it is expected to carry out inspections proactively. A dissatisfied employee complaining to the Austrian Data Protection Authority can also trigger an investigation. The same applies to (potential) customers. As companies grow in size and visibility, they can also be targeted by the press: investigative journalists might probe data protection practices in search of a story.
What can you do?
Do not underestimate the importance of data protection to your company: creating awareness of this topic early on is an important basis for implementing a compliance system. Also, do not overestimate yourself: data privacy is a complex matter, and the number of points to be considered grows with the size of the company. For this reason, your company is well advised to seek expert advice on data protection and to carry out compliance audits on a regular basis.