Matthew B. Welling

Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group; ICO publishes report on data security incident trends.

Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group

On September 01, 2016, the German Data Protection Authority of Bavaria (BayLDA) announced that, in its understanding, sanctions under the GDPR will be calculated on the basis of the revenue of the whole company group. According to the authority, this applies even when only a single entity is responsible for an incident.

In its position paper, the BayLDA elaborates that fines under the GDPR have to be “effective, proportionate, and dissuasive.” For most infringements, the fine can amount to a maximum of either €10 million or 2% of the company’s annual global turnover, whichever is higher. For serious infringements, the fine can amount to the higher of €20 million or 4% of the respective turnover. According to recital 150 of the preamble, which refers to the “economic concept of an undertaking”, the relevant turnover comprises the turnover of the whole company group to which the company belongs.

Although the BayLDA’s position paper is non-binding, the interpretations and views it publishes can nevertheless be regarded as important indications of how the German data protection authorities in particular will interpret and enforce the new Regulation, which will enter into force on 25 May 2018. The European Data Protection Board, a group of representatives of the EU Member States (currently known as the Article 29 Working Party), is expected to issue guidelines on the calculation of fines.

UK Data Protection Authority publishes report on data security incident trends Q2/2016

In a report published at the end of August 2016, the UK’s Information Commissioner (ICO) gave details of data incidents reported under the Privacy and Electronic Communications Regulations.

In the period from April to June 2016, the ICO issued four monetary penalties ranging from £80,000 to £185,000 and received 545 new cases, an increase of 22% compared to the first quarter of 2016. The health sector continued to account for the largest number of incidents, which is due to the combination of mandatory incident reporting, the size of the health sector and the sensitivity of the data processed. However, a large number of incidents also related to local governments, which handle large volumes of information.

Of interest to companies not only in the U.K.: according to the ICO’s report, the largest number of data security incidents still result from data posted or faxed to an incorrect recipient, followed by incidents caused by loss or theft of paperwork and by e-mails sent to incorrect recipients. Only a comparatively small number of incidents, however, result from cyber-attacks such as phishing or exfiltration. This holds across all industry sectors.

Companies would therefore be well advised to raise their staff’s awareness of the importance of data protection and to organize training sessions in order to mitigate the risk of personal data incidents.