51 Ways to Get into Trouble with GDPR

Publshed on 
October 25, 2018
Lionheart Squared

In this Blog, we created a quick view which GDPR activities are aligned to the 2%/€10,000,000 administrative fine category, and which are aligned to the 4%/€20,000,000 category.

51 Ways to Get into Trouble with GDPR

(and it can cost you millions!)

24 April 2019

Unless you were just rescued from being a castaway on a deserted island for the past two years, you are aware of the headline grabbing news about how the European Union has implemented the General Data Protection Regulation (GDPR) effective 25 May 2018.

Of the 99 articles in the GDPR, more than half are tied to requirements that, if infringed, can lead to administrative fines in the millions.

The EU data protection authorities have been swift to use their new consultative, investigative, and corrective powers. They have the power to issue fines up to the higher of 10 million Euros or 2  % of an organisation’s total worldwide annual turnover of the preceding financial year, and 20 million Euros or   4  %, respectively. Beside the ‘effective, proportionate, and dissuasive’ administrative fines, EU data protection authorities can exercise injunctive powers over data controllers and data processors.

While one should work diligently to avoid the GDPR fines, non-compliance can also wreak havoc on organisations if a data protection authority orders them to stop processing personal data (temporarily or permanently). Google is none too happy about the efforts and costs involved in fighting the French data protection authority’s €50,000,000 fine1.

Organisations should also brace themselves for EU-based individuals represented by EU non-governmental organisations (e.g., ‘None of Your Business’)  filing claims on the individuals’ behalf for infringements of the GDPR, regardless of materiality.

There are at least 51 ways to run afoul of the GDPR

To stay out of trouble, one tricky area for data controllers to master is when to rely on legitimate interest as their legal basis for processing personal data. Art. 6(1) defines the six legal bases to consider before determining that legitimate interests applies.

(a) consent that is freely given by data subject and can be revoked any time
(b) contract performance or preparation to enter into contract at data subject’s request
(c) legal compliance of controller
(d) vital interests of natural persons
(e) public interest tasks vested in controller
(f) ‘Legitimate Interests’ pursued by a controller or by a third party

Besides selecting the appropriate legal basis before collecting personal data, organisations need to apply all GDPR principles described in Art. 5, starting with:

“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.”

Processing qualifies as ‘lawful, fair and transparent’ if the processing honours purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality.

Identifying the correct legal basis for processing personal data is but one of many steps that organisations must take to satisfy the GDPR.

Members of the Data Protection Network can download their latest legitimate interest assessments guide2containing scenarios and sample questionnaires to ensure the controller’s interests are balanced and do not override the fundamental rights and freedoms of the individuals. There is no cost to sign up for a DPN membership. The UK Information Commissioner’s Office recently published tips for legitimate interest on its website3.

This table is designed to give a bird’s eye view of the 51 GDPR requirements that, if infringed, may result in undesirable effects on data controllers and data processors.

GDPR Administrative Fines €10 000 000 or 2% of global annual turnover

No.GDPR Art.Article subject to fine / Activity
183(4)(a)Art. 8 / Conditions applicable to child’s consent in relation to information society services
283(4)(a)Art. 11 / Processing which does not require identification
383(4)(a)Art. 25 / Data protection by design and default
483(4)(a)Art. 26 / Joint controllers
583(4)(a)Art. 27 / Representatives of controllers or processors not established in the Union
683(4)(a)Art. 28 / Processor
783(4)(a)Art. 29 / Processing under the authority of the controller or processor
883(4)(a)Art. 30 / Records of processing activities
983(4)(a)Art. 31 / Cooperation with supervisory authority
1083(4)(a)Art.32 / Security of processing
1183(4)(a)Art. 33 / Notification of a personal data breach to the supervisory authority
1283(4)(a)Art.34 / Communication of a personal data breach to the data subject
1383(4)(a)Art. 35 / Data protection impact assessment
1483(4)(a)Art. 36 / Prior consultation
1583(4)(a)Art. 37 / Designation of the data protection officer (DPO)
1683(4)(a)Art. 38 / Position of the data protection officer (DPO)
1783(4)(a)Art. 39 / Tasks of the data protection officer
1883(4)(b)Art. 42 / Certification
1983(4)(b)Art. 43 / Certification bodies
2083(4)(c)Art. 41(4) / Certification body

GDPR Administrative Fines €20 000 000 or 4% of global annual turnover

No.GDPR Art.Article subject to fine / Activity
183(5)(a)Art. 5 / Principles relating to processing personal data
283(5)(a)Art. 6 / Lawfulness of processing
383(5)(a)Art. 7 / Conditions for consent
483(5)(a)Art. 9 / Processing of special categories of personal data
583(5)(b)Art. 12 / transparent information, communication, and modalities for the exercise of the rights of the data subject
683(5)(b)Art. 13 / Information to be provided where personal data are collected from the data subject
783(5)(b)Art. 14 / Information to be provided where personal data have not been obtained from the data subject
883(5)(b)Art. 15 / Right of access by the data subject
983(5)(b)Art. 16 / Right to rectification
1083(5)(b)Art. 17 / Right to erasure (‘right to be forgotten’)
1183(5)(b)Art. 18 / Right to restriction of processing
1283(5)(b)Art. 19 / Notification obligation regarding rectification or erasure of personal data or restriction of processing
1383(5)(b)Art. 20 / Right to data portability
1483(5)(b)Art. 21 / Right to object
1583(5)(b)Art. 22 / Automated individual decision-making, including profiling
1683(5)(c)Art. 44 / General principles for transfers
1783(5)(c)Art. 45 / Transfers on the basis of an adequacy decision
1883(5)(c)Art. 46 / Transfers subject to appropriate safeguards
1983(5)(c)Art. 47 / Binding corporate rules (BCR)
2083(5)(c)Art. 48 / Transfers or disclosures not authorised by Union law
2183(5)(c)Art. 49 / Derogations for specific situations
2283(5)(d)Ch. IX / Infringing any obligation pursuant to Member State law adopted under Ch. IX
2383(5)(d)Art. 85 / Processing and freedom of expression and information
2483(5)(d)Art. 86 / Processing and public access to official documents
2583(5)(d)Art. 87 / Processing of national identification number
2683(5)(d)Art. 88 / Processing in the context of employment
2783(5)(d)Art. 89 / Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
2883(5)(d)Art. 90 / Obligations of secrecy
2983(5)(d)Art. 91 / Existing data protection rules of churches and religious associations
3083(5)(e)Art. 58(1) / Failure to provide access in violation of 58(1)
3183(5)(e); 83(6)Art. 58(2) / Non-compliance with an order or temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to 58(2)

Note:Consult the official text for full description of GDPR requirements4

1 https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc

2DPN guidance at https://www.dpnetwork.org.uk/dpn-legitimate-interests-guidance

3 UK ICO’s guide at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/


© 2019 Karima Saini, CIPP/E & CIPP/US, CIPM & FIP

The information provided and the opinions expressed represent the views of the author and do not constitute legal advice nor can be construed as offering comprehensive guidance of the various EU member state data protection legislations, regulations or other statutory measures referred to herein.