Data protection penalties
Sanctions are the order of the day
It is common knowledge that failure to comply with the Data Protection Law is punishable. It is well known, in general terms, that non-compliance with the law (regardless of its purpose) leads to the imposition of a fine or sanction, as appropriate.
Well, data protection is no exception. The Law on Personal Data Protection and guarantee of digital rights 3/2018 (LOPD-GDD) dedicates Title X entirely to regulating the sanctioning regime in this matter.
It determines the penalty regime, the responsible subjects, and the different infringements, which are classified from minor to very serious, taking into account the differentiation that the General Data Protection Regulation (EU) 2016/679 (GDPR) establishes when setting the amount of the penalties.
Likewise, corrective measures and the statute of limitations for sanctions are indicated.
Fines / Data Protection Penalties
Non-compliance with legal provisions, in most cases, has consequences that may take the form of sanctions.
Not complying with data protection regulations is not something innocuous and unimportant; on the contrary, both European regulations, through the GDPR, and Spanish regulations, through the LOPD-GDD, define a penalty system that must be known and taken into account, since otherwise we may face unpleasant surprises that we would have preferred to avoid.
Article 70 of the LOPD-GDD identifies the parties responsible for this sanctioning regime, which are:
- The controllers (persons responsible for the processing)
- The processors (persons in charge of the processing)
- The representatives of the persons responsible for or in charge of the processing of data
- Certification entities
- The accredited code of conduct supervisory entities
As can be seen, a wide range of subjects may be subject to sanctions if they do not duly comply with the legal provisions on data protection, regardless of the territoriality criterion, since sanctions may be applied to processing within and outside the European territory.
The LOPD-GDD differentiates between minor, serious and very serious infringements; they differ in their statute of limitations and in how the amount of the fine is fixed.
Very serious infringements include, for example, processing personal data in violation of the principles of legality, accuracy, confidentiality, for purposes other than those for which consent was given, processing special category data without the legal requirements, failure to comply with the duty to provide information, failure to block data, unauthorized data transfers, as well as failure to comply with the resolutions of the supervisory authority, among others (art. 72 LOPD-GDD).
Serious infringements include, for example, processing data of a minor without obtaining consent, obstructing the exercise of data subjects' rights, failure to adopt adequate technical and organizational security measures, hiring a processor that does not comply with legal requirements, failure to keep a record of processing activities, failure of the processor to notify security breaches, failure to comply with the requirements of the supervisory authority, and failure to carry out an impact assessment when mandatory, among others (art. 73 LOPD-GDD).
Minor infringements include, for example, requesting payment of an amount from the data subject for exercising their rights, failing to attend to requests to exercise those rights, failure of the processor to comply with the provisions of the contract with the controller, not informing the data subject of a security breach, and not publishing the contact details of the data protection officer, among others (art. 74 LOPD-GDD).
Amount of data protection penalties
Article 71 of the LOPD-GDD states that the acts and conduct referred to in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679 constitute infringements, with the following maximum fines:
- Fines of not more than EUR 10,000,000 or, in the case of a company, not more than 2% of the total annual worldwide turnover of the previous financial year, whichever is greater.
- Fines of not more than EUR 20,000,000 or, in the case of a company, not more than 4% of the total annual worldwide turnover of the previous financial year, whichever is greater.
Real cases of data protection sanctions
The following are some recent examples involving well-known entities,
although there are numerous less well-known cases, published by the Spanish Data Protection Agency (AEPD), which is the authority that holds the sanctioning power. Examples:
- Incorrect processing of personal data: €75,000.
- Failure to properly attend to the rights of a client: €2,500.
- Video surveillance without complying with the GDPR: €9,600.
- Sending one advertising email incorrectly: €1,000.
- Sending one advertising SMS incorrectly: €1,500.
- Failure to appoint a data protection officer with the necessary qualifications: €50,000.
A good data protection consultancy in Valencia
At Business Adapter Data Protection, we meet the criteria of a good data protection consultancy in Valencia. Put us to the test and ask for a quote: https://businessadapter.es/contacto