European Data Protection Board sets guidelines for quantifying fines under GDPR and Data Protection Directive - 05/08/2023
The European Data Protection Board (EDPB) has adopted a set of guidelines with the goal of creating new criteria for determining penalties associated with violations of the General Data Protection Regulation (GDPR) and the Data Protection Directive within the criminal domain of the European Union and the European Economic Area. These guidelines aim to enhance harmonization and consistency in applying fines, while considering the seriousness and nature of the violations.
According to the document published by the EDPB, the quantification of administrative fines will be carried out considering several factors. These include the categorization of violations according to the GDPR, the seriousness of the violation and the turnover of the company involved in the violation. In addition, aspects such as the nature and duration of the infringement, the number of people affected and the damage caused will be considered.
You may be interested in: Compliance with pseudonymization according to the GDPR
Article 83 of the GDPR classifies infringements into two categories: those subject to penalties under paragraph 4 and those subject to penalties under paragraphs 5 and 6. Fines for the first category can amount to up to EUR 10 million or 2% of the company's annual turnover, while for the second category, the maximum fine can reach EUR 20 million or 4% of the annual turnover. The final sanction is determined by selecting the higher amount between the two options.
The fine calculation process considers the nature, gravity and duration of the infringement, as well as the nature and extent of the data processing that caused it. The number of people affected and the type of damage suffered are also taken into account. In addition, it assesses whether the violation was intentional or negligent, as well as the categories of personal data affected.
You may be interested in: How to Comply With the GDPR When Processing Anonymized Data
The EDPB's document establishes three levels of severity: low, medium and high. The initial fines for each level range from 0 to 100% of the applicable legal maximum. These initial fines are adjusted according to the annual turnover of the offending company, ensuring that they are proportional and dissuasive.
The introduction of these guidelines seeks to establish a more consistent and fairer framework for quantifying penalties for data protection violations in the EU and EEA. The EDPB hopes that this approach will help promote the adequate protection of privacy and individuals' rights, while encouraging companies to comply with their data protection responsibilities.
In this context, having tools that facilitate compliance with data protection regulations is crucial. Pangeanic, a leader in language technology, distinguishes itself by providing its impactful anonymization solution, Masker, to assist companies aiming to comply with the GDPR and other data protection regulations. Masker enables organizations to anonymize sensitive data efficiently and reliably, ensuring individuals' privacy and reducing the risk of penalties for non-compliance.
By providing a state-of-the-art technological solution, Pangeanic aligns with the EDPB's efforts to promote the protection of privacy and individuals' rights, while helping companies comply with increasingly stringent data protection requirements. With Masker, organizations can mitigate the risks associated with handling and storing sensitive data, demonstrating their commitment to information privacy and regulatory compliance.