High Fines for Non-Compliance with GDPR – The Case of 1&1 Telecom

July 15, 2021

Aleksandra Bijeljac

Trainee

Katarina Živković

Senior Associate

GDPR turned the world of data protection upside down with its significant administrative fines, which are imposed on data controllers as well as data processors, irrespective of whether the non-compliance is a consequence of the business activities of a large or small entity. In fact, any organization that does not comply with the provisions of GDPR will face significant liability. Keeping that in mind, there are two different categories of non-compliance violations. Violations of the provisions listed in Article 83(5)[1] of GDPR may be punished with a maximum fine of up to EUR 20 million or 4% of the total global turnover of the preceding fiscal year, whichever is higher. On the other hand, for other GDPR violations, which are less serious than violations of the provisions listed in Article 83(5)[1], a fine of up to EUR 10 million or 2% of the global turnover may be imposed. The reason behind having such high fines is most certainly the desire of the European Union to ensure that the provisions governing the protection of personal data are respected.

In recent news from this area of law, the Conference of the German Data Protection Authorities has issued a model for fine calculation, under which the Federal Commissioner for Data Protection and Freedom of Information imposed a couple of notable fines on data controllers for non-compliance with the GDPR provisions. The case that stands out the most is that of telecommunications service provider 1&1 Telekom GmbH (“1&1”), which was fined EUR 9,550,000 due to inadequate technical and organizational measures deployed in its telephone service centres.

After the fine was imposed, 1&1 filed a lawsuit, and in those proceedings it was found that:

  • the fault of 1&1 as the telecommunications service provider is low,
  • the particular practice of giving out personal data had been going on for years without anyone ever pointing out its inadequacy, and
  • the person concerned at 1&1 was in a legal error that was understandable but, at the same time, avoidable.

In accordance with the court’s abovementioned findings, the amount of the fine was reduced from EUR 9,550,000 to EUR 900,000, i.e. the final amount of the fine came to 10% of the initial amount.

The key point to take away is that the said model for fine calculation focuses on the turnover of the company and views it as an essential factor in determining the level of the penalty. This means that, for a minor GDPR non-compliance violation, an entity with a high turnover will face a disproportionately high fine, while for a serious violation, an entity with a low turnover will face a disproportionately low fine.

To conclude, we are witnessing constant development in the data protection field, so what is considered the norm today could very well have a different meaning, perspective, and consequence tomorrow, but you can count on us to keep you updated and in full compliance at all times.

 

This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.

Contact:

Katarina Živković, Senior Associate
katarina.zivkovic@sog.rs

Aleksandra Bijeljac, Trainee
aleksandra.bijeljac@sog.rs

 
