WP29 published criteria for appropriate administrative fines for breaches of the GDPR

As announced, on October 3, 2017, the Article 29 Working Party (WP29) published its Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 (GDPR).

Once a GDPR infringement is established, the competent supervisory authority (Article 51 GDPR) must identify the most appropriate corrective measure(s) to address the breach.

To achieve a consistent approach throughout the EU, the Guidelines provide principles and criteria that the supervisory authorities should consider when imposing fines in case of infringement. Assessing these criteria will allow the supervisory authority to identify the most effective, proportionate and dissuasive corrective measure to respond to the breach.

Principles. When using the corrective tools at their disposal (Article 58.2, b-j, GDPR), the supervisory authorities must observe the following principles:

  • Infringement of the Regulation should lead to the imposition of “equivalent sanctions” in the EU. The concept of “equivalence” is central to ensure consistency in the use of the supervisory authorities’ corrective powers. “The level of protection should be equivalent in all Member States”, recital 10, GDPR.
  • Like the other corrective measures, administrative fines should be “effective, proportionate and dissuasive” (Article 83.1, GDPR), both in national cases (Article 55, GDPR) and in cases involving cross-border processing of personal data (as defined in Article 4.23, GDPR).
  • The competent supervisory authority will make an assessment “in each individual case”. The GDPR requires individual assessments. In light of Recital 148 and Article 83.2, GDPR, the supervisory authorities have the responsibility of choosing the most appropriate measure(s). “In the cases mentioned in Article 83 (4) – (6), this choice must include consideration of all of the corrective measures, which would include consideration of the imposition of the appropriate administrative fine.”
  • A harmonized approach to administrative fines requires active participation and information exchange among supervisory authorities, for example through regular workshops.

Assessment criteria in Article 83.2, GDPR. Article 83.2 provides the following list of criteria the supervisory authorities shall use to assess, in each individual case, whether a fine should be imposed and in what amount.

  • The nature, gravity and duration of the infringement;
  • The intentional or negligent character of the infringement;
  • The degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them;
  • Relevant previous infringements by the controller or processor;
  • The degree of cooperation with the supervisory authority, in order to remedy the infringement;
  • The categories of personal data affected by the infringement (special categories, directly identifiable/indirectly identifiable data subject, encrypted data);
  • The manner in which the infringement became known to the supervisory authority (to what extent the controller or processor notified the infringement);
  • Whether the controller or processor has been monitored by the supervisory authority with regard to the same subject-matter;
  • The adherence to approved codes of conduct or certification mechanisms;
  • Applicable aggravating or mitigating factors (financial benefits gained, losses avoided).


Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679, wp253


For more information on how the EU Regulation applies to your US company, Francesca Giannoni-Crystal