Proposals for EU DP Regulation: Mandatory DPOs and fines up to 2% of annual turnover

The official proposals published today by the European Commission call for more accountability and no general notification duty, but bigger fines for non-compliance. The highest fine that was being planned, 5% of annual turnover, has been reduced to 2%, or 1 million Euros. While processing of personal data without a legal basis or not appointing an internal Data Protection Officer would be punishable by the highest fine, even less serious offences could be subject to fines of 250,000 Euros. DPOs would be mandatory in the public sector and in companies that have at least 250 employees.

Viviane Reding, EU Justice Commissioner, denied that the proposals for enforcement had been watered down, and made it clear that non-EU companies offering services to, or monitoring the behaviour of, EU citizens would also have to comply with EU law.

The Regulation proposes a one-stop-shop, asking companies to deal only with the Data Protection Authority (DPA) of the country where their main establishment is located.

Binding Corporate Rules approval would be reduced to one country with swift involvement by other relevant DPAs. There would be no need for additional authorisation at national level.

Data breaches would have to be notified to the regulator as soon as possible and, if feasible, within 24 hours of discovering the breach.

DP authorities would be given powers to impose a temporary or definitive ban on processing, and carry out inspections.

See the proposals for a Regulation.
