Regulation (EU) 2016/679 (the GDPR) sets out which breaches are subject to administrative fines and the maximum amounts that may be imposed.
In setting the appropriate amount, several parameters must be taken into account, but the measures adopted by the controller carry particular weight.
When determining the administrative fine, the supervisory authority considers the technical and organisational measures adopted by the controller, compliance with privacy by design and privacy by default, the nature of the damage caused, and whether the infringement was negligent or intentional (art. 83.2).
A well-run privacy organisation is therefore essential, both to reduce the risk that a fine is imposed at all and to reduce its amount when it is.
The maximum applicable fines are indeed very high:
a) up to EUR 10,000,000 or, for undertakings, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (art. 83.4), for example for breaches of one of the following obligations:
- data protection by design and by default (art. 25);
- designation of a representative for controllers or processors not established in the Union (art. 27);
- the arrangement between joint controllers allocating their respective responsibilities (art. 26);
- the conditions for a child's consent in relation to information society services (art. 8);
- keeping the records of processing activities (art. 30);
- adoption of adequate security measures (art. 32);
- notification of personal data breaches (arts. 33 and 34);
- designation of the DPO (arts. 37 to 39).
b) up to EUR 20,000,000 or, for undertakings, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (art. 83.5 and 83.6), for example for the following breaches:
- the basic principles for processing (art. 5);
- the conditions for lawfulness, including consent and its withdrawal (arts. 6 and 7);
- the rules on the processing of special categories of data and of data relating to criminal convictions and offences (arts. 9 and 10);
- failure to respect the rights of the data subject (arts. 12 to 22);
- failure to respect the rules on transfers of personal data outside the EU (arts. 44 to 49);
- breaches of national rules adopted under Chapter IX, for example in the employment, archiving and scientific research contexts;
- failure to comply with an order issued by the supervisory authority (art. 83.6).
Administrative fines imposed by supervisory authorities are subject to an effective judicial remedy and to due process guarantees (art. 78).
Fines are primarily addressed to the controller, but they may also concern the processor, the DPO or other parties involved in the processing.