Summary of GDPR financial penalties

When determining a penalty, the authority takes into account, in particular, factors such as:

• •the nature, gravity and duration of the infringement,
• •the number of data subjects affected, categories of personal data,
• •the extent of the damage,
• •whether the infringement was intentional or unintentional, the degree to which the controller or processor contributed to the infringement (including in the context of the technical and organisational measures applied).

Before imposing a penalty, the President of the UODO conducts proceedings during which these factors are assessed.

Yes, indirectly the size of your company may affect the amount of a penalty for a RODO infringement, since the maximum fine is linked to turnover. The maximum fine can be up to 20 million euros or up to 4% of the total annual worldwide turnover for the previous year, depending on which amount is higher.

The most common reasons for imposing financial penalties include:

• •inadequate safeguards (26%),
• •failure to report a breach (19%),
• •lack of cooperation with the UODO (15%),
• •lack of a data processing agreement (11%),
• •lack of a legal basis for processing (10%),
• •lack of accountability (10%),
• •other (10%).

Yes, there are many methods and proven practices that reduce the risk of imposing a financial penalty under RODO. It is recommended to plan and undertake such actions in a comprehensive and complementary manner so that the risk of a penalty is as low as possible:

• •Implementation and application of RODO – the organisation as a whole should pursue the objective of ensuring compliance with RODO.
• •Audits – should be conducted cyclically to ensure appropriate quality of monitoring compliance with RODO.
• •Risk Analysis - should be performed and periodically verified to proactively identify potential weaknesses in systems and processes related to the processing of personal data.
• •Security measures - appropriate technical and organisational security measures should be chosen with regard to the identified risk.
• •Staff training – regular employee training is necessary even when the best security measures are implemented.
• •Policies and procedures – should be clear and comprehensible to ensure their actual application.
• •Cooperation with the supervisory authority – openness to cooperate with the President of the Office for Personal Data Protection can significantly reduce the risk or the amount of a penalty.
• •Incident response - if a breach occurs, the response should be immediate. Only prompt action enables efficient elimination of the sources of the breach and, if necessary, fulfilment of obligations: reporting the incident to the supervisory authority and notifying the data subjects.
• •Appointment of the Data Protection Officer (DPO) – appointing a Data Protection Officer (DPO) can assist in monitoring compliance and facilitate contact with the supervisory authority.
• •Documented action – documentation of actions taken will facilitate demonstrating compliance with RODO in the event of explanatory proceedings or inspections.
• •Proper relations with subcontractors – concluded contracts should meet RODO requirements and ensure that subcontractors will also act in accordance with RODO.

The possibility of avoiding a financial penalty for a RODO breach depends on many factors and is assessed individually by the supervisory authority. A prompt response and remediation of the breach are certainly actions that may lead the supervisory authority to take a more favourable view. In some cases this may help to avoid a financial penalty or at least to reduce it.

However, it is important to understand that in some cases simply remedying the breach will not be sufficient, especially if the breach was serious, lasted for a long time, affected a large number of people or was the result of a lack of appropriate procedures and controls.

RODO is a European Union regulation, which means that it is directly applicable in all Member States without the need to transpose it into national law. Therefore the rules on penalties for RODO breaches are the same across all Member States.

The manner in which these penalties are applied in individual Member States may vary slightly, because supervisory authorities in each country have some discretion in assessing each case and deciding on the level of penalty. This means that in practice penalties may differ between countries depending on the interpretation and approach of the supervisory authorities. There may also be differences in enforcement practices between countries.

In addition to imposing a financial penalty, supervisory authorities have a range of other measures at their disposal that they can apply when a RODO breach is identified. These include:

• •Issuing warnings and reprimands: In the case of minor breaches, the supervisory authority may issue a reprimand, recommending improvements to procedures or practices related to data processing.
• •Orders: The supervisory authority may issue an order requiring specific actions to be taken, e.g. to cease data processing or to adapt, modify or terminate particular data-processing activities.
• •Restriction of processing: The supervisory authority may impose temporary or permanent restrictions on processing, including applying a ban on processing.
• •Suspension of data transfers: In the case of international data transfers, the supervisory authority may overturn a decision that enabled the transfer or suspend transfers to a specified recipient in a third country (or international organisation).
• •Notification of data subjects: In some cases the supervisory authority may require the controller to inform the data subjects of the incident.

As a rule, a financial penalty for a RODO breach in a particular case and period is imposed once.

In the case of repeated breaches of RODO provisions, the supervisory authority may apply financial penalties of increasing amounts, up to the maximum amount provided for in RODO. In this sense, financial penalties for RODO breaches can be imposed multiple times, for successive breaches, e.g. in the form of a continuing state of non‑compliance with RODO.

The decision of the President of the Personal Data Protection Office may be challenged by a complaint to the Voivodeship Administrative Court. A complaint to the WSA is lodged through the President of the Personal Data Protection Office, and therefore in the first instance the complaint is addressed to the President of UODO, who may uphold the complaint and issue a new decision, or refuse to uphold it and forward the complaint to the WSA.

The complaint must be lodged within 30 days of receipt of the decision. The complaint should meet the requirements of a pleading in court proceedings and should additionally indicate the contested decision and the authority that issued it, and specify the breach of law or legal interest (art. 57 § 1 p.p.s.a.).