We are currently consulting on this draft guidance.
- In deciding whether to issue a penalty notice to a person, the Commissioner will have regard (so far as relevant) to the matters set out in Article 83(1) and Article 83(2) UK GDPR or in s.155(3) DPA 2018. These factors are listed in The factors the Commissioner will take into account when deciding whether to issue a penalty notice and in determining the amount above.
- The Commissioner can impose fines for a wide range of different infringements under the UK GDPR and DPA 2018. The Commissioner will assess each case individually, taking into account the relevant circumstances, before deciding whether it is appropriate to exercise the Commissioner’s administrative discretion to issue a penalty notice.
- Before taking a decision, the Commissioner will consider whether to impose a fine as well as, or instead of, other corrective measures. 48 For example, the Commissioner may decide to require a person to take certain steps specified in an enforcement notice to remedy an infringement, as well as imposing a fine.
- The assessment of whether it is appropriate to issue a penalty notice in relation to a particular infringement is fact-specific and will depend on the circumstances of each individual case. The Commissioner is not bound by previous decisions, but will ensure there is broad consistency in the approach taken when assessing whether issuing a penalty notice is appropriate.
- In carrying out the assessment of whether it is appropriate to issue a penalty notice the Commissioner will have regard to:
- the seriousness of the infringement or infringements;
- any relevant aggravating or mitigating factors; and
- whether imposing a fine would be effective, proportionate and dissuasive.
- This section of the guidance sets out how the Commissioner will approach each of these considerations when deciding whether to issue a penalty notice.
- If the Commissioner decides that it is appropriate to issue a penalty notice, the Commissioner will apply the methodology for determining the fine amount, as set out in Calculation of the appropriate amount of the fine below.
48 Article 58(2) UK GDPR sets out the Commissioner’s corrective powers under UK GDPR. In summary, these are: (a) to issue warnings; (b) to issue reprimands; (c) to order compliance with a data subject’s requests to exercise their rights; (d) to order compliance with UK GDPR; (e) to order a personal data breach to be communicated to a data subject; (f) to impose a ban on processing; (g) to order the rectification or erasure of personal data; (h) to withdraw a certification, order a certification body to withdraw a certification, or order a certification body not to issue a certification; (i) to impose an administrative fine; and (j) to order the suspension of data flows to a recipient in a third country or an international organisation. As set out in section 115 DPA 2018, certain of these corrective powers can only be exercised by the Commissioner giving an enforcement notice under section 149 DPA 2018. The Commissioner has similar corrective measures available in respect of processing under Part 3 or Part 4 DPA 2018 (Section 149(2) DPA 2018 and Schedule 13, paragraph 2 DPA 2018).