Once the Regulation becomes effective, the Inspector General for Protection of Personal Data (“GIODO”) is given the power to impose administrative fines in an amount commensurate with the severity of the specific infringement. The fines imposed in each individual case must be effective, proportionate, and dissuasive.
Administrative fines are imposed depending on the circumstances of each individual case. When deciding on the amount of the administrative fine, due regard is given to, among other things, the following:
- The nature, gravity, and duration of the infringement.
- The intentional or negligent character of the infringement.
- Any action taken by the controller or processor.
- The degree of responsibility of the controller or processor.
- Previous infringements.
- The categories of personal data affected by the infringement.
If a controller or processor infringes several provisions of the Regulation, for the same or linked processing operations, the total amount of the administrative fine cannot exceed the amount specified for the gravest infringement.
The amount of the administrative fine depends on what infringement has been committed. The Regulation differentiates between two categories of infringements. The first one comprises infringements of the fundamental rules of data processing. These infringements are subject to an administrative fine of up to EUR 20,000,000, or in the case of an undertaking, of up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. The other category includes infringements of the obligations of the controller and the processor comprised in the exhaustive list of Article 83.4 of the Regulation. These infringements are subject to an administrative fine of up to EUR 10,000,000, or in the case of an undertaking, of up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher. The fine amounts have been reduced to PLN 100,000 for the public entities referred to under Article 9(1)-(12) and (14) of the Public Finance Act of 27 August 2009.
The PLN equivalent of the above amounts expressed in EUR is calculated at the average EUR exchange rate published by the National Bank of Poland in the table of average exchange rates as at 28 January of each year.
It is also worth noting that any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation from the controller or processor for the damage suffered. This right to compensation is exercised in court proceedings.
Given the high rates of fines that can be imposed, it is by no means too early for processors to take an interest in putting in place new arrangements to ensure compliance with the Regulation.