Data Protection - GDPR Infringements

The General Data Protection Regulation (GDPR) has now been in force for four years. As with any other regulation, the practical level of regulatory risk depends on how it is enforced.

In Malta, eight decisions have so far been issued in 2022 by the Information and Data Protection Commissioner (IDPC). These give only a partial picture of the data cases reported to the IDPC. Before notifying the supervisory authority, a controller should carry out a risk assessment to determine whether the breach is likely to result in a risk to the rights and freedoms of the data subjects: under Article 33 of the GDPR a personal data breach must be notified to the IDPC without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in such a risk. Separately, a data subject who considers that the processing of personal data relating to him or her infringes the GDPR has the right to lodge a complaint with a supervisory authority.

Locally, the most common incidents reported to the IDPC appear to be unauthorised disclosures of personal data and unlawful video surveillance of accessible and public places. Three of the eight decisions issued so far this year concern this kind of infringement. Although the corrective measures in these cases took the form of reprimands and orders rather than fines, they illustrate that data protection covers any processing of personal data and is not limited to filing systems and passwords.

Fines are imposed on a case by case basis. The GDPR sets only the maximum fines: for the less serious category of infringements, up to €10 million or, in the case of an undertaking, 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher; for the more serious category, up to €20 million or, in the case of an undertaking, 4% of that turnover, whichever is higher.

The highest fine imposed so far by the IDPC is €65,000. It was imposed on an entity that infringed the security principles in relation to personal data, including special categories of data, of a substantial number of data subjects. To lawfully process special categories of data, a controller must identify both a legal basis under Article 6 of the GDPR and an exception permitting the processing under Article 9 of the GDPR. The sanction for a GDPR infringement depends on a number of factors, among them the sensitivity of the data, the number of data subjects involved, the breadth of exposure, and the damage the data subjects suffered or could suffer.


The aim is a consistent level of protection for natural persons throughout the EU. Whether the GDPR applies does not depend on the size of an entity but on the nature of its activities. Even a small or medium sized enterprise whose activities may present a risk to data subjects' rights and freedoms will find that risk reflected in the action the authorities take in the event of an infringement. Controllers should therefore secure the personal data they collect to a high standard, both to comply with the GDPR and to reduce the likelihood of personal data breaches and infringements, whose consequences for the business can include lost revenue and reputational damage.
