Bavaria issues GDPR guidance on sanctions
Germany’s state of Bavaria Data Protection Authority for the private sector has provided organisations with some guidance on compliance with the EU General Data Protection Regulation (GDPR). The guidance, issued on 1 September, provides information on the various sanctions available – this will be a major change compared to Germany’s current regime.
The DPA clarifies that when administering fines, it is the whole entity, not just an individual company in a group that is being penalised. Therefore, the fine is calculated as a percentage of the annual turnover of the entire group. The criteria for establishing the amount of the fine may be affected by the company’s level of cooperation with the supervisory authority, together with earlier history. Lack of previous violations and positive cooperation would help companies mitigate the level of the fine.
The Bavarian DPA is of the view that organizations may be held responsible for DP violations committed by their staff. The GDPR does not specify the extent to which fines may be imposed on employees. National implementation is expected to clarify this aspect in Germany.
See (in German) https://www.lda.bayern.de/media/baylda_ds-gvo_7_sanctions.pdf