The #GDPR: not just administrative fines

Dec 11 2017

In these months, and in these very days, there is a lot of talk about the EU Regulation and data protection; what leaves us perplexed is encountering, in different contexts, the attitude of the heads of the "legal" function at some important organisations, who voice their point of view on (or should I say "against") data protection as if it were 1997, with invectives like "this data protection overturns our work"... Who says that time travel is not possible?!

Riccardo Abeti

There are also the "sellers" who, in spite of any prospective and strategic vision (a bird in the hand is worth two in the bush), open their presentations with the dreadful figures of Article 83, paragraphs 4, 5 and 6.

Finally, there are those who, with passion, try to communicate something constructive.

Fines play a role, as they should in any system that imposes a certain behaviour, to give the mandatory rule its force.

The widely circulated figures are real, but the system of fines is more complex than it is usually outlined: in some ways it is stricter; in others it is more "predictable" or more "manageable".

Let us not forget that the liability profiles are, and remain, three: civil, administrative and criminal.

The scope of compensation is laid down in Article 82(1), which states:

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

Article 84(1), on the other hand, states that the penalties for infringements not subject to administrative fines pursuant to Article 83 shall be laid down by each Member State.

Presumably, therefore, the provisions on civil and criminal liability contained in Legislative Decree no. 196/2003 could be reconfirmed even after the Italian Government exercises the delegation conferred by Article 13 of the European delegation law 2016-2017.

With regard to administrative fines, on the other hand, Article 83(2) clearly states that:

"Administrative fines shall be imposed […] in addition to […] or instead of, measures referred to [in] Article 58(2)".

This reference is useful for grasping the graduated nature of the system of sanctions: that paragraph of Article 58 confers corrective powers on the supervisory authority and lists a number of measures, some "mild", such as warning the controller or processor that the intended processing operations are likely to infringe the Regulation, others more stringent, such as imposing a limitation on processing, ordering the suspension of data flows to recipients outside the Union or (but this is well known) imposing an administrative fine.

Where Article 83 does apply, paragraph 2 of the same Article provides that "When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following", and lists eleven criteria.

The list is very detailed: it takes into account the extent of the consequences of the infringement, the measures taken to mitigate them, the degree of cooperation with the Authority and the manner in which it became aware of the infringement, previous infringements ("recidivism") and so on.

As for public bodies, Article 83(7) leaves it to each Member State to lay down "whether and to what extent administrative fines may be imposed on public authorities and bodies".

That said, two considerations stand out above all:

  • Firstly, the civil liability profile, in a context of greater harmonisation resulting from the existence of a Regulation and from what Article 82 states, will carry class actions and claims for compensation for moral and material damage from "anyone" who feels damaged.
  • Secondly, an important pitfall lies not only in the fines but in the scope of certain obligations, for example those laid down in Articles 33 and 34 of the EU Regulation.

In particular, Article 34 of the EU Regulation defines the timing and procedure for communicating a personal data breach to the data subjects.

Why would this mechanism represent an "important pitfall" (not the only one, of course)?

The answer is easy: until today (or rather, until May 25, 2018), the impact of a breach of a system would in practice emerge only in the event of a personal data breach with significant media coverage, or where a data subject had noticed that his own information, processed by a specific controller, had been compromised.

Statistically, a phenomenon of minimal relevance, where the "only" thing to avoid was an inspection and the ensuing decisions of the Authority; and even there, with numbers proportional to a limited inspection capacity set against a huge number of controllers, given the breadth of applicability of the data protection framework in force.

Conversely, from May 25, 2018 the communication to the data subject, appropriate when viewed, for example, from the "consumer" point of view, represents a "great opportunity" for him to evaluate what to do with the communication received, i.e. simply take note of it or exercise the rights he is granted; among these, the possibility of bringing a claim for compensation against the controller, with a plausible indication of its soundness, on the sole condition that the controller felt obliged to make such a communication.

Of course, the "communication" is not triggered by every breach.

The communication is, in fact, required only if the personal data breach "is likely to result in a high risk to the rights and freedoms of natural persons", while the notification to the Authority must be made "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".

In short, out of "n" personal data breaches, the cases to be notified to the Authority will be "n minus x", where "x" is the number of cases that do not require notification, and of these only "n minus x minus y" cases, where "y" is the number of cases that do not require communication, must be communicated to the data subjects.

In addition, Article 34 also sets out the conditions under which the controller is not required to comply with that requirement; among them, the use of security measures (the reference to encryption is almost the indication of a best practice) and a possible disproportion between the "risk" and the "effort" of fulfilling the obligation (a disproportion which, however, entails a public communication of the breach instead).
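To make the "n minus x minus y" triage concrete, the following Python is an added example (not part of the original article and not any firm's or authority's tool) that encodes the Article 33/34 decision described above as an incident-response playbook step. It assumes the controller has already assessed each breach as "unlikely", "risk" or "high risk"; the six incident records are constructed for the example. Beyond what the text cites, it also applies the 72-hour window of Article 33(1) and the "subsequent measures" exemption of Article 34(3)(b), both taken from the Regulation's text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Risk(Enum):
    """Outcome of the controller's risk assessment for one breach."""
    UNLIKELY = "unlikely to result in a risk"   # Art. 33(1) carve-out: no notification
    RISK = "risk"                                # Art. 33(1): notify the authority
    HIGH = "high risk"                           # Art. 34(1): also communicate to data subjects


@dataclass
class Breach:
    ref: str
    aware_at: datetime                      # when the controller became aware (Art. 33(1))
    risk: Risk
    encrypted: bool = False                 # Art. 34(3)(a): data unintelligible to unauthorised persons
    subsequent_measures: bool = False       # Art. 34(3)(b): high risk no longer likely to materialise
    disproportionate_effort: bool = False   # Art. 34(3)(c): individual communication impracticable


@dataclass
class Decision:
    notify_authority: bool
    authority_deadline: Optional[datetime]
    communicate_to_subjects: bool
    public_communication: bool
    basis: str


NOTIFICATION_WINDOW = timedelta(hours=72)   # Art. 33(1): "not later than 72 hours"


def triage(b: Breach) -> Decision:
    """Apply the Art. 33/34 thresholds and the Art. 34(3) exemptions to one breach."""
    if b.risk is Risk.UNLIKELY:
        return Decision(False, None, False, False, "Art. 33(1): unlikely to result in a risk")
    deadline = b.aware_at + NOTIFICATION_WINDOW
    if b.risk is Risk.RISK:
        return Decision(True, deadline, False, False, "Art. 33(1): notify the authority only")
    # High risk: communication to the data subjects is due unless an Art. 34(3) condition applies.
    if b.encrypted:
        return Decision(True, deadline, False, False, "Art. 34(3)(a): data protected, e.g. encrypted")
    if b.subsequent_measures:
        return Decision(True, deadline, False, False, "Art. 34(3)(b): subsequent measures removed the high risk")
    if b.disproportionate_effort:
        # The exemption does not remove the duty: a public communication takes its place.
        return Decision(True, deadline, False, True, "Art. 34(3)(c): disproportionate effort, public communication instead")
    return Decision(True, deadline, True, False, "Art. 34(1): communicate to the data subjects")


def summarize(breaches: List[Breach]) -> Dict[str, int]:
    """Reduce a set of breaches to the article's n, n-x and n-x-y counts."""
    decisions = [triage(b) for b in breaches]
    return {
        "n": len(breaches),
        "notified": sum(d.notify_authority for d in decisions),          # n - x
        "communicated": sum(d.communicate_to_subjects for d in decisions),  # n - x - y
        "public": sum(d.public_communication for d in decisions),
    }


# Constructed sample incidents (hypothetical; not from the article).
T0 = datetime(2018, 5, 25, 9, 0)
SAMPLE_BREACHES = [
    Breach("INC-1", T0, Risk.UNLIKELY),                                # nothing to notify
    Breach("INC-2", T0, Risk.RISK),                                    # authority only
    Breach("INC-3", T0, Risk.HIGH),                                    # authority and data subjects
    Breach("INC-4", T0, Risk.HIGH, encrypted=True),                    # 34(3)(a) exemption
    Breach("INC-5", T0, Risk.HIGH, disproportionate_effort=True),      # 34(3)(c): public notice
    Breach("INC-6", T0, Risk.HIGH, subsequent_measures=True),          # 34(3)(b) exemption
]


if __name__ == "__main__":
    for b in SAMPLE_BREACHES:
        d = triage(b)
        print(f"{b.ref}: notify={d.notify_authority} by {d.authority_deadline} "
              f"communicate={d.communicate_to_subjects} public={d.public_communication} ({d.basis})")
    print(summarize(SAMPLE_BREACHES))
```

On the six constructed incidents, five must be notified to the Authority, only one requires individual communication to the data subjects, and one is replaced by a public communication; the point of recording the `basis` string is that the controller must be able to justify each non-communication, since Article 34(4) lets the supervisory authority order the communication anyway if it disagrees with the assessment.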

In conclusion, it is not just, and not so much, because of the administrative fines that controllers and processors must verify and adapt their information management systems, but because of the system of sanctions as a whole and because of the obligations that, as briefly illustrated, can produce a multiplier effect on compensation claims.

It follows that a path aimed at avoiding fines, rather than at processing data in accordance with the principles of Articles 5 and 25 of the EU Regulation, would in itself be a complicated road of continuous (and onerous) adjustments.
