In the last blog, we discussed that the controller is accountable for all breaches of the GDPR, and this is partly true. The controller is always responsible for protecting the personal data of its users, but under the GDPR, processors are also accountable for breaches involving the data they process on behalf of the controller. This is a big difference from the Dutch WBP law, where accountability lies solely with the controller.
What if the ‘Autoriteit Persoonsgegevens’ (AP), charged with upholding the law in the Netherlands, comes knocking at your door? The thing you hear most often is that you're going to be fined tens of millions of euros or a percentage of your revenue. While this is actually possible, you would probably have to ignore all warnings to be fined directly. The supervisory authorities also have many other means of making you comply with the law:
A warning or reprimand
An order to comply with a data subject's request to exercise their rights under the GDPR
An order to communicate a data breach to the affected party or to the public
Removal of certificates
An order to temporarily or permanently suspend data processing
An order to suspend data flows outside of the EU
But - there it is again - in comparison with the WBP, the AP does not first have to issue a warning or other corrective measure before imposing a fine. If you do some ‘Cambridge Analytica type of work’, they might just go straight ahead with a fine, and that fine comes in two categories:
A fine of up to € 10 million or 2% of worldwide annual revenue for procedural infringements, such as not keeping a processing registry, not having a data processing officer when you should have one, or not notifying a supervisory authority of a data breach.
A fine of up to € 20 million or 4% of worldwide annual revenue for data infringements, such as processing data without consent, exporting data out of the EU, or not complying with requests from data subjects.
The AP recently stated that it won't come out blazing with fines after 25 May, but will instead offer companies a helping hand in complying with the GDPR.