We are currently consulting on this draft guidance.
- Having assessed the seriousness of the infringement, the Commissioner will take into account any relevant aggravating or mitigating factors. These factors will inform the Commissioner’s decision about whether it is appropriate to issue a penalty notice in the individual circumstances of the case.
Action taken to mitigate the damage suffered by data subjects
- The Commissioner will have regard to any action taken by the controller or processor to mitigate the damage suffered by data subjects. 65
- When an infringement of the UK GDPR takes place, a controller or processor should take steps to mitigate the harmful consequences of the infringement for the data subjects concerned. The Commissioner may consider any actions taken by the controller or processor to mitigate the damage suffered as a mitigating factor.
- The Commissioner will consider when the controller or processor took any such action and, if so, whether the measures implemented were appropriate and effective in mitigating the damage suffered by data subjects. If the action taken had no effect (or only a limited effect) on mitigating the damage suffered by the data subjects, the Commissioner is likely to give it less weight.
- The Commissioner is more likely to take into account measures implemented prior to the controller or processor becoming aware of the Commissioner’s investigation as a mitigating factor. Measures that are only implemented after the start of the Commissioner’s investigation are less likely to be regarded as a mitigating factor.
The degree of responsibility of the controller or processor
- The Commissioner will have regard to the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32 UK GDPR or in accordance with sections 57, 66, 103 and 107 DPA 2018. 66
- Controllers and processors are required and expected to take responsibility for complying with their obligations under the UK GDPR or Part 3 or Part 4 DPA 2018. In assessing this factor, the Commissioner will consider how far the controller or processor did what it could be expected to do in terms of implementing technical and organisational measures, taking into account:
  - its size and resources; and
  - the nature and purpose of the processing.
- Where relevant, the Commissioner will also take into account any shared responsibility between controllers or between controllers and processors.
- In the light of the level of accountability expected of controllers and processors under UK GDPR and Part 3 and Part 4 DPA 2018, it is more likely that the Commissioner will consider the degree of responsibility to be an aggravating factor or, at best, a neutral factor. In order for this to be considered a mitigating factor, a controller or processor will need to show that it has gone over and above its obligations under UK GDPR and DPA 2018.
Relevant previous infringements by the controller or processor
- The Commissioner will have regard to the extent to which any previous infringements by a controller or processor may be considered an aggravating factor. 67
- Previous infringements that concern a similar subject matter, or infringements that occurred recently, are more likely to be relevant. The Commissioner will therefore give these greater weight.
- However, the Commissioner may also give weight to previous infringements relating to a different subject matter if they arose in a similar manner. Further, if a controller or processor has repeatedly infringed the UK GDPR or DPA 2018, the Commissioner is likely to take this into account as an aggravating factor if it demonstrates a generally lax attitude towards compliance.
- The Commissioner will not consider the absence of any previous infringements to be a mitigating factor because compliance with the UK GDPR and DPA 2018 is expected.
The degree of cooperation with the Commissioner
- The Commissioner will have regard to the degree of cooperation with the Commissioner, in order to remedy the infringement and mitigate the possible adverse effects of the infringement. 68
- The starting point for this assessment is that controllers and processors are expected to cooperate with the Commissioner in the performance of the Commissioner’s tasks, for example by responding to requests for information and attending meetings. 69 The Commissioner considers that the ordinary duty of cooperation is required by law and meeting this standard is therefore not a mitigating factor.
- However, the Commissioner may consider it appropriate to view cooperation as a mitigating factor where the controller or processor has responded to requests during the investigation in a way that:
  - enables the enforcement process to be concluded significantly more quickly or effectively; or
  - significantly limits the harmful consequences for people’s rights and freedoms that might otherwise have occurred.
- By contrast, the Commissioner may view persistent and repeated behaviour that delays regulatory action as an aggravating factor. Examples of such behaviour include not engaging with the Commissioner during the investigation or repeatedly failing to meet deadlines set by the Commissioner without reasonable excuse. 70
The manner in which the infringement became known to the Commissioner
- The Commissioner will have regard to the manner in which the infringement became known to the Commissioner, in particular whether, and if so to what extent, the controller or processor notified the Commissioner of the infringement. 71
- The Commissioner may view a controller or processor bringing an infringement to the Commissioner’s attention of its own volition as a mitigating factor. This applies if the Commissioner was not already aware of the infringement.
- However, this factor is not relevant if a controller or processor is under a statutory duty to comply with notification obligations in the UK GDPR or Part 3 or Part 4 DPA 2018. 72 The Commissioner will not consider notifications required by law, even if made promptly, as a mitigating factor. The Commissioner expects controllers and processors to comply with their statutory obligations.
- Otherwise, the way in which the Commissioner finds out about an infringement – for example following a complaint, media coverage or through the Commissioner’s own intelligence – will generally be considered as neutral.
Measures previously ordered against the controller or processor
- Where measures referred to in Article 58(2) UK GDPR have previously been ordered against the controller or processor concerned with regard to the same subject-matter, the Commissioner will have regard to compliance with those measures. 73
- If a controller or processor has failed to comply with measures previously ordered under Article 58(2) UK GDPR concerning the same subject matter, the Commissioner may consider this to be either an aggravating factor or, if the controller or processor has failed to comply with an enforcement notice or penalty notice, a separate infringement. 74 The Commissioner will take a similar approach under Part 3 and Part 4 DPA 2018 if a controller or processor has failed to comply with a previous enforcement notice or penalty notice.
Adherence to approved codes of conduct or certification mechanisms
- The Commissioner will have regard to adherence to approved codes of conduct pursuant to Article 40 UK GDPR or approved certification mechanisms pursuant to Article 42 UK GDPR. 75
- Where a controller or processor has signed up to an approved code of conduct, the Commissioner will consider whether any action taken by a monitoring body in relation to a failure to comply with requirements covered by the code of conduct is sufficient without the Commissioner also issuing a penalty notice. However, the power of monitoring bodies to take appropriate action is without prejudice to the tasks and powers of the Commissioner. 76
- If a controller or processor has failed to comply with a code of conduct of which it is a member or meet the criteria of a certification mechanism directly relevant to the infringement, the Commissioner may consider this to be an aggravating factor. The Commissioner may also consider it as evidence relevant to whether the controller or processor’s conduct is intentional or negligent.
Any other aggravating or mitigating factors
- The Commissioner will have regard to any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, from the infringement. 77
- Such factors may include:
  - Any economic or financial benefit obtained as a result of the infringement. If a controller or processor profits from an infringement, the Commissioner is likely to give this significant weight as an aggravating factor. In order to be effective, proportionate and dissuasive, any fine should ensure that controllers and processors are not in a position to make a profit or otherwise benefit financially from infringing data protection law. The Commissioner is therefore likely to investigate any economic or financial benefits that may have accrued to the controller or processor, including costs saved from any failure to invest in appropriate measures. The Commissioner recognises that in some cases it may not be possible to precisely quantify any such benefits.
  - Any action the controller or processor took proactively to report a cyber security breach to other appropriate bodies (such as the National Cyber Security Centre (NCSC)) and whether it followed any advice or guidance provided. The Commissioner works with a range of other regulators and agencies, particularly in relation to cyber security matters. The Commissioner may give weight to a controller or processor’s engagement and cooperation with another appropriate body as a mitigating factor, where that cooperation goes beyond what is required by law. The Commissioner expects the controller or processor to demonstrate and provide evidence of the steps it has taken to follow any such advice or guidance. 78 Reporting a security breach to another body is not a substitute for complying with an obligation to report personal data breaches to the Commissioner.
- As explained in Calculation of the appropriate amount of the fine below, the Commissioner will also have regard to these aggravating and mitigating factors when deciding on the appropriate fine amount.
65 Article 83(2)(c) UK GDPR. Section 155(3)(c) DPA 2018 is similarly worded: ‘any action taken by the controller or processor to mitigate the damage or distress suffered by the data subjects’.
66 Article 83(2)(d) UK GDPR and section 155(3)(d) DPA 2018.
67 Article 83(2)(e) UK GDPR. Section 155(3)(e) DPA 2018 refers to ‘any relevant previous failures by the controller or processor’.
68 Article 83(2)(f) UK GDPR and section 155(3)(f) DPA 2018.
70 Depending on the circumstances, the Commissioner may alternatively consider that such lack of cooperation is evidence that a person has failed to comply with an information notice, assessment notice or enforcement notice in breach of section 155(1)(b) DPA 2018.
71 Article 83(2)(h) UK GDPR and section 155(3)(h) DPA 2018.
72 See Article 33 UK GDPR, section 67 DPA 2018, and section 108 DPA 2018. Notification of a personal data breach does not necessarily imply that the controller or processor has infringed UK GDPR or Part 3 or Part 4 DPA 2018.
73 Article 83(2)(i) UK GDPR. The measures referred to in Article 58(2) UK GDPR are set out at footnote 48. In relation to Part 3 and Part 4 DPA 2018, section 155(3)(i) contains a similar factor, but refers only to ‘the extent to which the controller or processor has complied with previous enforcement notices or penalty notices’. Section 155(3)(i) is therefore not limited by a requirement that such notices relate to the ‘same subject-matter’.
74 As set out in section 115(8) DPA 2018, the Commissioner’s powers under Article 58(2)(c) to (h) and (j) are exercisable only by giving an enforcement notice under section 149 DPA 2018. Similarly, the Commissioner’s powers under Article 58(2)(i) and Article 83 UK GDPR are exercisable only by giving a penalty notice under section 155 DPA 2018 (see section 115(9) DPA 2018).
75 Article 83(2)(j) UK GDPR. The equivalent provision in section 155(3)(j) DPA 2018 simply refers to ‘adherence to approved codes of conduct or certification mechanisms’.
77 Article 83(2)(k) UK GDPR and section 155(3)(k) DPA 2018.
78 For example, guidance on cyber security matters may include that provided by the NCSC, the National Institute of Standards and Technology (NIST) or the International Organisation for Standardisation (ISO). The extent to which a controller or processor has complied with such guidance is also likely to be relevant to whether there has been an infringement of the UK GDPR or Part 3 or Part 4 DPA 2018. However, whether or not an infringement has occurred in a particular case will depend on the assessment of all the relevant circumstances.