Article 58(2)(b) - GDPR
Reprimand to companies according to GDPR
The national supervisory authority may issue a reprimand to a company that has breached the GDPR. A reprimand is one of the corrective powers of each national supervisory authority under Article 58(2)(b) of the GDPR. It can be issued where processing operations have infringed provisions of the GDPR, and it is a more lenient sanction than an administrative fine.
When can a reprimand become relevant for companies in the event of a breach of GDPR?
The more serious the breach of the GDPR, the greater the consequences. A reprimand is a type of formal warning that the national supervisory authority usually issues when the breach is not serious.
What are minor infringements under the GDPR?
When an infringement, or a personal data breach, does not lead to a significant risk to the rights and freedoms of the data subjects concerned, it is a minor infringement.
Suppose a company accidentally sends a laundry detergent newsletter to the wrong email address, and the message contains the customer's name. In all likelihood, it does not create a high risk for the customer if another person becomes aware that they have purchased laundry detergent from the company.
Does it make any difference whether the infringement is intentional or negligent?
If a breach of the GDPR has been committed intentionally rather than negligently, there is a higher probability that the company will receive a fine instead of a reprimand from the supervisory authority. It is therefore useful to know the concepts of intent and negligence.
Intentional infringement
If someone knowingly discloses, destroys or modifies personal data, or otherwise processes personal data in violation of the rules of the GDPR, the infringement is intentional. Intent means that the person who causes the violation knows what he or she is doing and either wants the consequence or accepts it.
Example: an employee processes personal data unlawfully and intentionally by downloading a copy of the customer register on their last day of employment, and then disclosing it to their new employer, a competitor of the company.
Negligent infringement
When a breach occurs by mistake, without any intention or knowledge of it, or through a lack of prudence, the breach has occurred due to negligence. For example, an employee may have been careless in the processing of personal data without wanting to cause any damage.
Example: an IT manager creates user accounts for new employees on their first business day, and accidentally grants administrator rights to a user account that should not have them. As a result, the user has access to more personal data than intended, in breach of the data protection principle of data minimisation.
Benefit of remedying infringements directly
If a company breaches the GDPR and the breach is subsequently notified to and reviewed by the supervisory authority, it is advantageous to remedy the breach as soon as possible. Remedial action should be taken before the supervisory authority reaches a decision on the case.
If the breach is less serious and the company has already taken corrective action, the supervisory authority may take this into account and, in some cases, issue a reprimand instead of a fine. In other words, immediate corrective action may be considered a mitigating factor, even when the company is already the subject of an ongoing supervisory case.
Limit the damage and other consequences
Companies should try to limit the risks and damage caused by a personal data breach or other infringement of the GDPR. The supervisory authority takes the corrective actions taken by the company into account when deciding on an appropriate sanction.
- For example, if a company becomes the victim of a data breach in which credit card information falls into the wrong hands, it may be appropriate for the company to inform the affected data subjects immediately. This allows the data subjects to block their credit cards and prevent greater damage. The faster the corrective action is taken, the lower the risk of damage.
Learn more about GDPR
National supervisory authorities have the power to impose administrative fines on companies that infringe the GDPR
Companies that infringe the GDPR may be issued an administrative fine by the national supervisory authority. The amount of the fine depends on several factors, such as the size of the company, whether the infringement was committed intentionally or negligently, the number of data subjects affected and the categories of personal data concerned. In the worst case, administrative fines can amount to many millions of euros and have devastating consequences for the company. The maximum amount for the most serious infringements is EUR 20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.