We are currently consulting on this draft guidance.
- In many cases, a controller or processor’s conduct may infringe more than one provision of the UK GDPR or Part 3 or Part 4 DPA 2018.
- This situation is addressed by Article 83(3) UK GDPR, which states that ‘if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of the [UK GDPR], the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement’.37 In other words, where the Commissioner finds that the ‘same or linked processing operations’ infringe more than one provision of UK GDPR, the overall fine imposed by the Commissioner in relation to the infringements arising from those processing operations must not exceed the maximum statutory amount that applies to the most serious of the individual infringements identified.38
- To determine whether Article 83(3) applies to limit the total amount of the fine that can be imposed, the Commissioner will consider in each case whether:
- the controller or processor’s conduct gives rise to more than one infringement resulting from the ‘same or linked processing operations’; or
- the controller or processor has engaged in separate forms of conduct involving different processing operations that are not the ‘same or linked’ and have given rise to separate infringements.
- The Commissioner’s approach is explained in more detail below.
More than one infringement arising from the ‘same or linked’ conduct
- The Commissioner will assess on a case-by-case basis whether more than one infringement relates to the same or linked processing operations.
- As defined in section 3(4) DPA 2018 and Article 4(2) UK GDPR, ‘processing’ means an ‘operation or set of operations’ that is performed on personal data or sets of personal data. The definitions in the DPA 2018 and UK GDPR each set out a non-exhaustive list of such processing operations.
- To lawfully carry out a processing operation or set of processing operations, the controller or processor must comply with a range of provisions in the UK GDPR or Part 3 or Part 4 DPA 2018. For example, a controller must have a lawful basis for processing the information. It must also comply with the relevant transparency obligations. Accordingly, the same processing operation or set of processing operations may lead to more than one infringement of UK GDPR or Part 3 or Part 4 DPA 2018.39
- Similarly, different processing operations or sets of processing operations may be sufficiently ‘linked’ such that they form part of the same overall conduct. This may, in turn, lead to the controller or processor infringing more than one provision of the UK GDPR or Part 3 or Part 4 DPA 2018.
- In determining whether processing operations are linked and form part of the same overall conduct, the Commissioner will have regard to the relevant circumstances of the case. In particular, this will include assessing the extent to which the infringements arise from conduct that involves a series of closely related processing operations. Relevant factors are likely to include the extent to which the processing operations or sets of processing operations are:
- aimed at achieving a particular purpose or form part of the same means of processing determined by a controller;
- related to the same, or a similar group of, data subjects; and
- carried out concurrently, sequentially or otherwise in a way that is proximate in time.
- Where the Commissioner finds that a controller or processor’s overall conduct has infringed more than one provision of the UK GDPR or Part 3 or Part 4 DPA 2018, the Commissioner will apply Article 83(3) UK GDPR and identify the statutory maximum applicable to the most serious individual infringement.
- In such cases, the Commissioner may decide to impose a fine for each infringement arising from the same or linked processing operations, provided that the sum of those penalties does not exceed the applicable statutory maximum.40 For example, the Commissioner may decide to impose a fine on an information society service for an infringement of Article 8 UK GDPR and a fine for an infringement of Article 13 UK GDPR that relate to the same or linked processing operations. The total fine must not exceed the statutory maximum for the gravest infringement under Article 83(4) and (5) UK GDPR. In this example, that is the Article 13 UK GDPR infringement (subject to the higher maximum amount).41
Separate infringements arising from separate conduct
- By contrast, an investigation may identify that different forms of conduct by a controller or processor have infringed separate provisions of the UK GDPR or Part 3 or Part 4 DPA 2018 (ie circumstances where the processing operations are not sufficiently linked).
- For example, during an investigation about a controller’s security breach involving the disclosure of its employees’ salaries and bank account details, the Commissioner may also obtain evidence that the controller had not complied with its transparency obligations in respect of its direct marketing activities.
- In such a case, the Commissioner may decide to include the separate infringements in the same penalty notice, particularly if it would streamline the procedure and avoid duplication of effort (on the part of both the party involved and the Commissioner).42 However, Article 83(3) UK GDPR would not apply because the infringements involve separate conduct and do not relate to the same or linked processing operations. Therefore, each infringement would be subject to the relevant statutory maximum amount. The total amount of the penalty may (subject to the requirements of proportionality) exceed the amount specified for the gravest infringement.
37 Article 83(3) UK GDPR. The DPA 2018 does not include an equivalent provision to Article 83(3) UK GDPR in respect of processing under the DPA 2018. However, to ensure consistency the Commissioner will take the same approach in determining penalties in respect of infringements of DPA 2018 as the Commissioner would in respect of infringements of the UK GDPR.
38 See EDPB, Binding Decision 1/2021, WhatsApp Ireland, adopted on 28 July 2021, paragraphs 315 to 327.
39 For example, see the Commissioner’s decision of 4 April 2023 in TikTok Information Technologies UK Limited and TikTok Inc, which found infringements of Article 5(1)(a), Article 8, Article 12 and Article 13 UK GDPR.
40 See EDPB, Binding Decision 1/2021, WhatsApp Ireland, adopted on 28 July 2021, paragraphs 315 to 327.
41 Article 83(5)(b) provides that infringements of data subjects’ rights pursuant to Articles 12 to 22 are subject to the higher maximum amount. Article 83(4)(a) provides that infringements of the obligations of the controller and the processor pursuant to Article 8, among others, are subject to the standard maximum amount.
42 In this example, the separate infringements would be (i) failure to comply with Article 5(1)(f) and Article 32 UK GDPR (in relation to the security breach) and (ii) failure to comply with Article 12 and Article 13 UK GDPR (in relation to transparency obligations).