- The Commissioner will assess the seriousness of the infringement, taking into account:
- If the Commissioner decides that the infringement was serious, having regard to those factors, then it is likely that the Commissioner will issue a penalty notice, unless there are mitigating factors that outweigh that assessment (see Relevant aggravating or mitigating factors below).[52] However, where the assessment of seriousness is more finely balanced, the Commissioner may nevertheless issue a penalty notice where there are relevant aggravating factors. In either case, the Commissioner will also consider whether issuing a penalty notice is effective, proportionate and dissuasive.
- The Commissioner’s findings about the seriousness of the infringement will inform the starting point for the level of fine imposed (see Calculation of the appropriate amount of the fine below).
Nature, gravity and duration of the infringement
- The assessment of the nature of the infringement involves consideration of the relevant circumstances of the case and the specific provision of the UK GDPR or DPA 2018 that has been infringed. This includes taking into account whether:
  - the infringement prevented the provision concerned from being applied effectively or prevented the objective it sought to protect being fulfilled; and
  - the infringement is subject to the standard maximum fine or the higher maximum fine.
- The assessment of the gravity of the infringement involves consideration of the:
  - nature of the processing;
  - scope of the processing;
  - purpose of the processing;
  - number of data subjects affected by the processing; and
  - level of damage suffered by data subjects affected by the processing.
- In carrying out this assessment, the factors the Commissioner takes into account will include the following:
  - Nature of the processing: The Commissioner will consider the context and characteristics of the processing by the controller or processor, having regard to whether it involves business activities, charitable or other non-profit motives, or is carried out by a public body. The Commissioner may, depending on the context, give more weight to this factor if the nature of the processing is likely to result in high risk to data subjects, taking into account the Commissioner’s published guidance. For example, ‘high risk’ processing may include processing operations that involve:
    - the application of new or innovative technology;
    - automated decision-making;
    - the use of biometric or genetic data;
    - monitoring or tracking; or
    - invisible processing.
    The Commissioner may also give more weight to this factor where:
  - Scope of the processing: The Commissioner will consider the scope of the processing in terms of both its territorial scope (local, national or involving the international transfer of data) and the extent and scale of the processing. The Commissioner may give greater weight to this factor where the scope or scale of the processing is large and, for example, it involves systematic and extensive profiling of data subjects.
  - Purpose of the processing: The Commissioner will take into account the purpose of the processing carried out by the controller or processor. The Commissioner may give greater weight to this factor if the relevant processing is central to a controller or processor’s main business and commercial activities, thereby forming a core part of its activities. This may, for example, be the case where a controller’s business model and revenue relies on the processing of personal data for the purpose of direct marketing or targeted advertising. However, the Commissioner will also have regard to the purpose of the processing where it is not directly related to the controller or processor’s core activities. This applies particularly where the processing may significantly affect people’s rights and freedoms.
  - Number of data subjects affected: The greater the number of data subjects affected by the infringement, the more weight the Commissioner will give to this factor. In making the assessment, the Commissioner will take into account the number of data subjects potentially affected, as well as those actually affected, by the infringement. The Commissioner may also have regard to the number of complaints received from data subjects about the conduct that has led to the finding of the infringement or infringements. However, the absence of such complaints will not be regarded as an indication that conduct found to infringe UK GDPR or DPA 2018 is less serious.
  - Level of damage suffered: The Commissioner will consider the extent to which the infringement affected people’s rights and freedoms or otherwise led to them suffering, or being likely to suffer, harm. The damage suffered may be physical, material or non-material.[56] Such damage may include actual or potential harm to data subjects in the form of, for example:
    - physical or bodily harm;
    - psychological harm;
    - economic or financial harm;
    - discrimination;
    - reputational harm; or
    - loss of human dignity.[57]
    In carrying out the assessment of the level of damage, the Commissioner will take into account the fact that:
    - some harms are more readily identifiable (for example, financial loss or identity theft) whereas others are less tangible (for example, distress and anxiety or loss of control over personal data); and
    - where an infringement affects a large number of data subjects, it may result in a high degree of damage in aggregate and give rise to wider harm to society, even if the impact on each person affected is more limited.

    The Commissioner’s assessment of the level of damage suffered by data subjects will be limited to what is necessary to evaluate the seriousness of the infringement. Typically, it would not involve quantifying the harm, either in aggregate or suffered by specific people. It is also without prejudice to any decisions a UK court may make about awarding compensation for damage suffered.[58]
- The assessment of the duration of the infringement involves considering how long the infringement went on for. The longer the duration of the infringement, the more weight the Commissioner is likely to attribute to this factor. This is because of the greater potential for harm to have occurred. However, infringements of a short duration are not necessarily less serious. They may also lead to significant harm to data subjects.
- In assessing seriousness in relation to failures to comply with information notices or assessment notices, the Commissioner will, in particular, take into account the extent to which the failure to comply is likely to negatively affect the Commissioner’s ability to act. This might be, for example, because the information is needed to progress an investigation or for the purpose of discharging another of the Commissioner’s functions.
- In assessing seriousness in relation to failures to comply with enforcement notices, the Commissioner will, in particular, take into account the extent to which the failure to comply has:
  - led, or is likely to lead, to further damage or distress to data subjects; or
  - resulted in the controller or processor obtaining an advantage or deriving a benefit from the failure.
Intentional or negligent character of the infringement
- The Commissioner will consider whether the infringement was intentional or negligent as part of the assessment of its seriousness.[59] Where there is evidence of intent on the part of the controller or processor, the Commissioner may regard the infringement as particularly serious and may therefore be more likely to issue a penalty notice. Negligent infringements can also be serious. The Commissioner may also decide to issue a penalty notice in cases where the controller or processor is found to be negligent.
- In this context, an infringement is committed intentionally where the evidence shows the controller or processor knew its conduct was likely to constitute an infringement of the UK GDPR or DPA 2018, but it either deliberately continued with the conduct or was indifferent to whether it infringed UK GDPR or DPA 2018. In other words, the controller or processor wilfully ignored the known risk of its conduct infringing the law.
- The circumstances that the Commissioner considers may indicate an intentional infringement include where:
  - senior management authorised the unlawful processing; or
  - a controller or processor carried out the processing despite advice about the risks involved (including where the risks had been brought to its attention by an individual, the Commissioner or other third party) or with disregard for its existing internal policies.
- An infringement is committed negligently where the controller or processor breached the duty of care required by UK GDPR or DPA 2018. Therefore, the Commissioner may issue a penalty notice for an infringement of UK GDPR or DPA 2018 where the controller or processor’s failure to comply with its statutory obligations was unintentional.[60]
- In assessing negligence, the Commissioner will take into account all relevant evidence about whether the controller or processor breached the duty of care required by law. This requires taking into account the individual circumstances of each case in order to establish the controller or processor’s liability. However, the Commissioner's assessment is likely to include, for example, considering evidence about the extent to which the infringement resulted from the controller or processor:
  - failing to adopt policies aimed at ensuring compliance with data protection law;
  - failing to read and abide by its existing data protection policies or, where relevant, failing to take steps to comply with a code of conduct of which it is a member or meet the criteria of a certification mechanism;
  - infringing UK GDPR or DPA 2018 through human error, particularly where the person (or people) involved had not received adequate training on data protection risks;
  - failing to check for personal data in information that is published or otherwise disclosed; or
  - failing to apply technical updates in a timely manner.
- In relation to a failure to comply with an information notice or assessment notice, the Commissioner will also consider whether the controller, processor or (in the case of an information notice) any other person has a reasonable excuse for failing to comply. The circumstances that may constitute a reasonable excuse are not fixed. The Commissioner will assess on a case-by-case basis whether any reasons for a failure to comply amount to a reasonable excuse. The Commissioner will take into account how far a significant and genuinely unforeseeable or unusual event beyond the person’s control caused the failure. However, the Commissioner is unlikely to consider that a person has a reasonable excuse in circumstances where they have not, in the Commissioner’s view, otherwise made reasonable efforts to comply with the notice.
- In carrying out the assessment, the Commissioner will also take into account the fact that controllers are responsible for compliance with the data protection principles and for implementing appropriate technical and organisational measures to demonstrate compliance with UK GDPR or Part 3 or Part 4 DPA 2018.[61] Where there are two or more joint controllers, the Commissioner will assess the responsibility of each of the controllers for the infringement to determine whether any or all of them acted intentionally or negligently. Processors also have a range of obligations under UK GDPR and Part 3 and Part 4 DPA 2018, particularly in relation to the security of personal data.[62] The Commissioner therefore also expects processors to take responsibility, where applicable, for evaluating risks and implementing measures to mitigate them.[63]
Categories of personal data affected by the infringement
- The categories of personal data affected by the infringement are also relevant to the assessment of seriousness. The UK GDPR and Part 3 and Part 4 DPA 2018 make clear that the processing of certain categories of personal data deserves special protection. These categories include:
  - special category data (Article 9 UK GDPR);
  - personal data relating to criminal convictions and offences (Article 10 UK GDPR); and
  - personal data falling within the definitions of ‘sensitive processing’ in Part 3 and Part 4 DPA 2018.[64]
- The Commissioner is likely to consider infringements involving the processing of such data as being particularly serious.
- In assessing seriousness, the Commissioner may also take into account other types of personal data affected by the infringement where that data may be regarded as particularly sensitive. This includes where the dissemination of the personal data is likely to cause damage or distress to data subjects, for example:
  - location data;
  - private communications (particularly those involving intimate details or confidential information about the data subject);
  - passport or driving licence details; or
  - financial data.
[49] Article 83(2)(a) UK GDPR or section 155(3)(a) DPA 2018.
[50] Article 83(2)(b) UK GDPR or section 155(3)(b) DPA 2018.
[51] Article 83(2)(g) UK GDPR or section 155(3)(g) DPA 2018.
[52] As explained in Relevant aggravating or mitigating factors, mitigating factors may include, for example, any action taken by the controller or processor to mitigate the damage suffered by data subjects (Article 83(2)(c) UK GDPR or section 155(3)(c) DPA 2018), the degree of cooperation with the Commissioner (Article 83(2)(f) UK GDPR or section 155(3)(f) DPA 2018), or any other mitigating factor applicable to the circumstances of the case (Article 83(2)(k) UK GDPR or section 155(3)(k) DPA 2018).
[53] For example, Recital 43 to the UK GDPR explains that consent should not provide a valid legal ground for processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller. This includes where the imbalance arises from the market position of the controller.
[54] As set out in Recital 38 to the UK GDPR, children merit special protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.
[55] As set out in Recital 75 to the UK GDPR, risks may result where the personal data of vulnerable people, particularly children, are processed.
[57] See ICO, Overview of Data Protection Harms and the ICO’s Taxonomy, April 2022. In the context of this Fining Guidance, the ICO uses the terms ‘damage’ and ‘harm’ interchangeably.
[58] Any person who suffers damage as a result of an infringement has a right to receive compensation from the relevant controller or processor (see Article 82 UK GDPR and section 169 DPA 2018).
[59] Article 83(2)(b) UK GDPR and section 155(3)(b) DPA 2018. See also Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos (NVSC) v Valstybinė duomenų apsaugos inspekcija (Lithuanian Data Protection Inspectorate), Case C-683/21, EU:C:2023:949, paragraph 86.
[60] See Article 29 Data Protection Working Party, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, WP 253, adopted on 3 October 2017. See also, in relation to the application of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) [2016] OJ L 119/1, the Court of Justice of the EU’s findings in NVSC v Lithuanian Data Protection Inspectorate, paragraph 81 (‘a controller may be penalised for conduct falling within the scope of the GDPR where that controller could not have been unaware of the infringing nature of its conduct, whether or not it was aware that it was infringing the provisions of the GDPR’) and paragraph 82 (‘it is not necessary for there to have been action by, or even knowledge on the part of, the management body’ for Article 83 GDPR to apply).
[61] See Article 5(2) and Article 24 UK GDPR and sections 56 and 102 DPA 2018.
[62] See Article 32 UK GDPR and sections 66 and 107 DPA 2018.
[63] See Recital 83 UK GDPR. Note also that the responsibility and liability of a controller for the conduct of a processor does not extend to situations where the processor has processed personal data for its own purposes or the processor has processed personal data in a way that is incompatible with the arrangements determined by the controller such that the controller cannot reasonably be considered to have consented to the processing (see NVSC v Lithuanian Data Protection Inspectorate, paragraph 85).
[64] See section 35(8) DPA 2018 and section 86(7) DPA 2018.