- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Wed, 15 Jun 2022 15:49:45 +0100
- To: Georg Philip Krog <georg@signatu.com>, Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Hi Georg, thank you for this exceedingly detailed analysis and breakdown into short digestible points. Next I think we should take each of these and see whether we have concepts in DPV to cover these, IF yes then whether they are sufficient, IF no for either then how to express them and where - in main DPV or dpv-gdpr or elsewhere.

On 15/06/2022 14:09, Georg Philip Krog wrote:
> Hi Harsh,
>
> Concepts from EDPB Guidelines on fines.
> Here's a summary of information relevant to the DPV.
>
> *Article 83(2)(a) GDPR says:*
>
> 2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: (a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
>
> With regard to the DPV, it is interesting to see what the EDPB Guidelines on fines says about "nature ... of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them".
>
> Here's a summary of the Guidelines:
>
> * Seriousness of the infringement with regard to “The gravity of the infringement”, Article 83(2)(a) GDPR
>   o includes assessment of the specific circumstances.
>   o Includes:
>     + the nature of the processing.
>     + the scope of the processing.
>     + the purpose of the processing.
>     + the number of data subjects affected.
>     + the level of damage suffered by data subjects affected.
>   o The nature of the processing
>     + includes the context in which the processing is functionally based (e.g. business activity, non-profit, political party, etc).
>     + the characteristics of the processing.
>     + where the processing has higher risks, the supervisory authority may consider attributing more weight to this factor, e.g.:
>       # where the purpose is to monitor, evaluate personal aspects or to take decisions or measures with negative effects for the data subjects, depending on the context of the processing and the role of the controller or processor.
>     + where there is a clear imbalance between the data subjects and the controller (e.g. when the data subjects are employees, pupils or patients), a supervisory authority may attribute more weight to this factor.
>     + where the processing involves vulnerable data subjects, in particular children, a supervisory authority may attribute more weight to this factor.
>   o The scope of the processing
>     + with reference to:
>       # the local, national or cross-border scope of the processing carried out
>       # the data controller’s allocation of resources to the scope of the processing.
>       # these elements highlight a real risk factor, linked to the greater difficulty for the data subject and the supervisory authority to curb unlawful conduct as the scope of the processing increases.
>       # the larger the scope of the processing, the more weight the supervisory authority may attribute to this factor.
>   o The purpose of the processing
>     + the supervisory authority will attribute more weight to this factor.
>     + the supervisory authority may also consider whether the purpose falls within the so-called core activities of the controller.
>     + the more central the processing is to the controller’s or processor’s core activities, the more severe irregularities in this processing will be.
>     + The supervisory authority may attribute more weight to this factor in these circumstances.
>     + There may be circumstances in which the processing of personal data is further removed from the core business of the controller or processor, but significantly impacts the evaluation nonetheless, e.g.:
>       # processing concerning personal data of workers where the infringement significantly affects those workers’ dignity.
>   o The number of data subjects
>     + concretely affected
>     + potentially affected.
>     + the higher the number of data subjects involved, the more weight the supervisory authority may attribute to this factor.
>     + the supervisory authority may, depending on the circumstances of the case, consider the ratio between the number of data subjects affected and the total number of data subjects in that context (e.g. the number of citizens, customers or employees) in order to assess whether the infringement is of a systemic nature.
>   o The level of damage suffered and the extent to which the conduct may affect individual rights and freedoms.
>     + "level" of damage suffered is intended to draw the attention of the supervisory authorities to the damage suffered, or likely to have been suffered, as a further, separate parameter with respect to the number of data subjects involved, e.g.:
>       # where the number of individuals affected by the unlawful processing is high but the damage suffered by them is marginal.
>       # following Recital 75 GDPR, the level of damage suffered refers to:
>         * physical damage
>         * material damage
>         * non-material damage.
>       # the assessment of the damage is limited to what is functionally necessary to achieve correct evaluation of the level of seriousness of the infringement.
>
> *Article 83(2)(g) GDPR says:*
>
> 2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: (g) the categories of personal data affected by the infringement;
>
> Here's a summary of the Guidelines:
>
> * The GDPR clearly highlights the types of data that deserve special protection and therefore a stricter response in terms of fines.
> * This concerns, at the very least, the types of data covered by
>   o Articles 9 and 10 GDPR
>   o data outside the scope of Articles 9 and 10 GDPR the dissemination of which causes immediate damages or distress to the data subject, e.g.:
>     + location data
>       # highlighted by Directive 2002/58/EC and by the CJEU for location data in certain cases, see joined cases C-511/18, C-512/18 and C-520/18, La Quadrature du Net et al, para. 117 and the case law there cited
>     + data on private communication
>       # highlighted by the special protection awarded by the EU Legislator to private communications in Article 7 of the Charter of Fundamental Rights
>     + national identification numbers.
>     + financial data, such as transaction overviews or credit card numbers.
> * In general, the more of such categories of data involved or the more sensitive the data, the more weight the supervisory authority may attribute to this factor.
> * The amount of data regarding each data subject is of relevance, considering that the infringement of the right to privacy and protection of personal data increases with the amount of data regarding each data subject.
>
> Best,
> Georg
>
> --
> Georg Philip Krog
>
> signatu <https://signatu.com>

--
---
Harshvardhan J. Pandit, Ph.D
Research Fellow
ADAPT Centre, Trinity College Dublin
https://harshp.com/
Received on Wednesday, 15 June 2022 14:49:04 UTC