The WP29 adopted its guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679.
Administrative fines are a central element in the new enforcement regime introduced by the Regulation and, together with the other measures provided by Article 58, a powerful part of the enforcement toolbox of the supervisory authorities.
This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of Article 83 of the Regulation as well as its interplay with Articles 58 and 70 and their corresponding recitals.
The guidelines analyse the principles that the supervisory authorities must respect when carrying out their tasks under Article 58 (2) (b) to (j) of the GDPR. These principles are:
- Infringement of the Regulation should lead to the imposition of “equivalent sanctions”: the WP29 defined the notion and scope of equivalent sanctions to ensure consistent application of the GDPR;
- Like all corrective measures chosen by the supervisory authorities, administrative fines should be “effective, proportionate and dissuasive”: the assessment of what is effective, proportionate and dissuasive in each case will also have to reflect the objective pursued by the corrective measure chosen, that is, either to re-establish compliance with the rules, or to punish unlawful behaviour (or both);
- The competent supervisory authority will make an assessment “in each individual case”;
- A harmonised approach to administrative fines in the field of data protection requires active participation and information exchange among supervisory authorities.
Article 83 (2) of the GDPR contains a list of criteria that supervisory authorities are expected to apply when assessing whether to impose a fine and the amount thereof. The WP29 has developed recommendations for supervisory authorities to interpret this list of criteria.