Privacy: Possible fines of up to EUR 100 million or more

The bill for the new European General Data Protection Regulation includes extremely high fines of up to EUR 100 million or 5% of the global annual turnover of a company. When are you likely to incur such a fine?

High fines

In our recent newsletter on privacy, we reported that there will be a new law to provide the same data protection regulations throughout the European Union. One important aspect of these regulations will be the introduction of new penalties including extremely severe sanctions for (repeated) breaches of privacy of EU citizens.

In the Netherlands, fines are imposed by the CBP (College bescherming persoonsgegevens; Data Protection Agency). At the moment, the CBP can impose a maximum fine of EUR 4,500. The latest fines however, could be up to maximum of EUR 100,000,000 or 5% of the global annual turnover of a company, depending on which amount is higher.

Violations

You may be fined for the following violations, for instance:

• Processing of personal data without consent or legal basis.
• Processing of personal data with regard to:
  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade union membership,
  • genetic information,
  • health,
  • sex life,
  • criminal convictions and related security measures.
• Not taking appropriate technical and organizational measures to prevent data leaks, unauthorized access to and elimination of data.
• Not reporting data leaks in time, as, for instance loss of a USB device or website hacking.
• Non-performance of data protection impact assessment upon processing data that involve special privacy risks, for instance regarding health.

Action

Be sure to organize your data processing (HRM, ICT, online shop, website, software, cameras, GPS, etc.) in conformity with the new General European Data Protection Regulation. This regulation is expected to become effective in the course of 2015/2016. Thus, there is still plenty of time to make necessary adjustments in order to prevent fines.

More information

Russell Advocaten will inform you regularly on the most recent developments regarding this General European Data Protection Regulation and its potential consequences for your business. Would you like to know more about the application of the new General Data Protection Regulation, or do you have any other questions on how to organize your company in the context of the new data protection regulation? Please contact: