- From: Georg Philip Krog <georg@signatu.com>
- Date: Wed, 15 Jun 2022 15:09:44 +0200
- To: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
- Message-ID: <CAPOUEwnXX7WXXXg6KDHpy=mRZ3DfNmX-VhjVhO72cAXnv3T2qg@mail.gmail.com>
Hi Harsh,
Concepts from EDPB Guidelines on fines.
Here's a summary of information relevant to the DPV.
*Article 83(2)(a) GDPR says:*
> 2. Administrative fines shall, depending on the circumstances of each
> individual case, be imposed in addition to, or instead of, measures
> referred to in points (a) to (h) and (j) of Article 58(2). When deciding
> whether to impose an administrative fine and deciding on the amount of the
> administrative fine in each individual case due regard shall be given to
> the following: (a) the nature, gravity and duration of the infringement
> taking into account the nature scope or purpose of the processing concerned
> as well as the number of data subjects affected and the level of damage
> suffered by them;
With regard to the DPV, it is interesting to see what the EDPB Guidelines
on fines says about "nature ... of the infringement taking into account
the nature scope or purpose of the processing concerned as well as the
number of data subjects affected and the level of damage suffered by them".
Here's a summary of the Guidelines:
- Seriousness of the infringement with regard to “The gravity of the
  infringement”, Article 83(2)(a) GDPR
  - includes assessment of the specific circumstances.
  - Includes:
    - the nature of the processing.
    - the scope of the processing.
    - the purpose of the processing.
    - the number of data subjects affected.
    - the level of damage suffered by data subjects affected.
  - The nature of the processing
    - includes the context in which the processing is functionally
      based (e.g. business activity, non-profit, political party, etc.).
    - the characteristics of the processing.
    - where the processing has higher risks, the supervisory authority
      may consider to attribute more weight to this factor, e.g.:
      - where the purpose is to monitor, evaluate personal aspects or
        to take decisions or measures with negative effects for the
        data subjects, depending on the context of the processing and the
        role of the controller or processor.
      - where there is a clear imbalance between the data subjects and
        the controller (e.g. when the data subjects are employees, pupils or
        patients), a supervisory authority may attribute more weight to this
        factor.
      - where the processing involves vulnerable data subjects, in
        particular children, a supervisory authority may attribute
        more weight to this factor.
  - The scope of the processing
    - with reference to:
      - the local, national or cross-border scope of the processing
        carried out
      - the data controller’s allocation of resources to the scope of
        the processing.
    - these elements highlight a real risk factor, linked to the
      greater difficulty for the data subject and the supervisory authority
      to curb unlawful conduct as the scope of the processing increases.
    - the larger the scope of the processing, the more weight the
      supervisory authority may attribute to this factor.
  - The purpose of the processing
    - the supervisory authority will attribute more weight to this
      factor.
    - the supervisory authority may also consider whether the purpose
      falls within the so-called core activities of the controller.
      - the more central the processing is to the controller’s or
        processor’s core activities, the more severe irregularities in this
        processing will be.
      - The supervisory authority may attribute more weight to this factor
        in these circumstances.
    - There may be circumstances in which the processing of personal
      data is further removed from the core business of the controller or
      processor, but significantly impacts the evaluation nonetheless, e.g.:
      - processing concerning personal data of workers where the
        infringement significantly affects those workers’ dignity.
  - The number of data subjects
    - concretely affected
    - potentially affected.
    - the higher the number of data subjects involved, the more weight
      the supervisory authority may attribute to this factor.
    - the supervisory authority may, depending on the circumstances of
      the case, consider the ratio between the number of data subjects
      affected and the total number of data subjects in that context (e.g.
      the number of citizens, customers or employees) in order to assess
      whether the infringement is of a systemic nature.
  - The level of damage suffered and the extent to which the conduct may
    affect individual rights and freedoms.
    - "level" of damage suffered is intended to draw the attention of
      the supervisory authorities to the damage suffered, or likely to have
      been suffered, as a further, separate parameter with respect to the
      number of data subjects involved, e.g.:
      - where the number of individuals affected by the unlawful
        processing is high but the damage suffered by them is marginal.
    - following Recital 75 GDPR, the level of damage suffered refers
      to:
      - physical damage
      - material damage
      - non-material damage.
    - the assessment of the damage is limited to what is
      functionally necessary to achieve correct evaluation of the level of
      seriousness of the infringement.
*Article 83(2)(g) GDPR says:*
> 2. Administrative fines shall, depending on the circumstances of each
> individual case, be imposed in addition to, or instead of, measures
> referred to in points (a) to (h) and (j) of Article 58(2). When deciding
> whether to impose an administrative fine and deciding on the amount of the
> administrative fine in each individual case due regard shall be given to
> the following: (g) the categories of personal data affected by the
> infringement;
Here's a summary of the Guidelines:
- The GDPR clearly highlights the types of data that deserve special
  protection and therefore a stricter response in terms of fines.
- This concerns, at the very least, the types of data covered by
  - Articles 9 and 10 GDPR
  - data outside the scope of Articles 9 and 10 GDPR the dissemination
    of which causes immediate damages or distress to the data subject, e.g.:
    - location data
      - highlighted by Directive 2002/58/EC and by the CJEU for
        location data in certain cases, see joined cases C-511/18, C-512/18
        and C-520/18, La Quadrature du Net et al., para. 117 and the case
        law there cited
    - data on private communication
      - highlighted by the special protection awarded by the EU
        Legislator to private communications in Article 7 of the Charter of
        Fundamental Rights
    - national identification numbers.
    - financial data, such as transaction overviews or credit card
      numbers.
- In general, the more of such categories of data involved or the more
  sensitive the data, the more weight the supervisory authority may
  attribute to this factor.
- The amount of data regarding each data subject is of relevance,
  considering that the infringement of the right to privacy and protection
  of personal data increases with the amount of data regarding each data
  subject.
Best,
Georg
--
Georg Philip Krog
signatu <https://signatu.com>
Received on Wednesday, 15 June 2022 13:10:36 UTC