Responsibility according to the General Data Protection Regulations


I recently published about the GDPR Penalty System. It is of course clear that you need to know how much you have to pay when you breach the rules. However, what kind of components have to be taken into consideration before you get the penalty? In order to get this clear I came across the page of GDPR Associates. The combined knowledge of many professionals gives insight into the real deal around GDPR. One of the main questions is, for example: when do you have to take full responsibility according to the General Data Protection Regulations?

GDPR Associates

An Association of experts around the globe brought together to assist clients to better understand the implications of GDPR, to share knowledge, advice & guidance.

We are experts in identifying the technology, talent, legal and auditing skills you need to ensure you have a complete, secure, defensible GDPR strategy, allowing you to focus on building your brand, customer, employee and supplier confidence in the digital economy, whilst mitigating the impact of any potential data breach.

Responsibility according to the General Data Protection Regulations

When deciding whether to impose a fine or the amount to be paid as a fine, the following will be taken into consideration for each individual case:

The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them

The intentional or negligent character of the infringement

Any action taken by the controller or processor to mitigate the damage suffered by data subjects

The degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by them

Any relevant previous infringements by the controller or processor

The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement

The categories of personal data affected by the infringement

The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement

Where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures

Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42

Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

Penalties and Payments

If somebody in your organization makes several different mistakes, then the total amount of the administrative fine will not exceed the fine for the most serious infringement for the same or linked processing operations. Member States will also have the ability to apply penalties for infringements of the GDPR. The Member State will be responsible for implementing such penalties, which must be effective, proportionate and dissuasive. Besides these fines and penalties, individuals will have the right to claim compensation as well. They can do this for any damage suffered as a result of a violation of the GDPR.