What is the legal framework?
Since it came into force in May 2018, the GDPR has imposed legal principles on companies and public sector organisations regarding the protection and processing of personal data, consisting primarily of the following obligations that must be upheld:
- Generally strengthening the security of personal data;
- Obtaining the consent of data subjects through a formal request;
- Informing data subjects about the processing of their data (principle of transparency, right to information, etc.);
- Ensuring that people’s rights are respected by implementing appropriate measures (right to be forgotten, portability, etc.);
- Keeping a register of data processing activities;
- Appointing a data protection officer (DPO), which is mandatory in some cases.
What are the penalties?
Within this legal framework, the French National Commission on Informatics and Liberty (CNIL) is the authority tasked with enforcing compliance with GDPR standards. In the case of non-compliance, the CNIL is authorised to impose various administrative sanctions. Rather than being radical punishments, these penalties aim to encourage companies and public sector organisations to conform to the standards.
Administrative fines:
- A fine of 10 million euros or 2% of global revenue for non-compliance with the obligations placed on controllers and processors, on the certifying body and on the code of conduct monitoring body.
- A fine of 20 million euros or 4% of global revenue for non-compliance with the obligations of consent (failure to obtain valid consent) and the other rights of data subjects, the obligation to put specific measures in place when data is transferred to a non-European country, obligations resulting from the laws of member states, and injunctions and other remedial measures imposed by the CNIL.
Criminal penalties:
In addition to the administrative fines, organisations can also, for example, be taken to court by those who have suffered damages, under Articles 226-16 to 226-24 of the French Criminal Code, which cover violations of individuals’ rights resulting from digital files or processing. Depending on the severity of the infraction, penalties can reach up to five years in prison and 300,000 euros in fines.
And that’s to say nothing of the loss of reputation.
On top of all this, the CNIL can require companies to make their failings public and to disclose the administrative and criminal sanctions imposed on them. All of this can have a very negative effect on the company’s image.
As you can imagine, the media fallout from this kind of case can lead to a loss of trust among potential and existing customers, and the impact can be two-fold if it also prompts investors to withdraw their capital.