Overview of assessment criteria as stated by the Article 29 Working Party (fines)

In general, the message the Article 29 Working Party seems to be conveying is that organisations that make an effort to adhere to the requirements of the GDPR will be rewarded once it comes down to an actual procedure. Therefore, the only way to stimulate a positive outcome is to be prepared. Here is a small overview of the assessment criteria stated by the Article 29 Working Party regarding the conditions for fines.

  1. The nature, gravity and duration of the infringement
  2. The intentional or negligent character of the infringement
  3. Any action taken by the controller or the processor to mitigate the damage suffered by the data subjects
  4. The degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32 GDPR
  5. Any relevant previous infringement
  6. The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
  7. The categories of personal data affected by the infringement
  8. The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
  9. Where measures referred to in Article 58 (2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures
  10. Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42
  11. Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
