This section of the Fining Guidance explains how the ICO approaches the calculation of fines where there is more than one infringement arising from the ‘same or linked’ conduct.
In summary, the Fining Guidance explains that:
- if a controller or processor’s ‘same or linked’ processing operations are found to infringe more than one provision of UK GDPR or Part 3 or Part 4 DPA 2018, the ICO may impose a fine amount for each infringement provided that the sum of those amounts does not exceed the applicable statutory maximum; or
- if a controller or processor has engaged in separate forms of conduct that are not the ‘same or linked’ and are each found to infringe the UK GDPR or Part 3 or Part 4 of the DPA 2018, the Commissioner may impose separate fines for each form of conduct (subject to the applicable statutory maximums).
Summary of responses
Many of the respondents welcomed the ICO’s approach. However, some sought further clarity or examples setting out the total maximum fine a company could face. One respondent observed that Article 83(3) UK GDPR does not apply to Part 3 or Part 4 DPA 2018.
Another respondent suggested that the draft guidance contains or implies an internal contradiction insofar as it states both that:
- where conduct is not part of the ‘same or linked’ processing the ICO will consider imposing fines separately and the total penalty may, in aggregate, exceed the statutory maximum amount; and
- the ICO will limit the total amount of the fine to the statutory maximum for the most serious infringement where the organisation’s overall conduct has infringed more than one provision of the legislation.
This respondent also suggested that the correct interpretation of Article 83(3) UK GDPR is ‘not that the appropriate penalty is calculated for each infringement and added together until the total penalty reaches the statutory maximum, but that the appropriate penalty is calculated for each infringement and the largest penalty for any one infringement then reflects the absolute maximum that can be imposed’.
The ICO’s Response
The ICO welcomes the supportive comments about the approach to the calculation of fines where there is more than one infringement arising from the ‘same or linked’ conduct.
The ICO notes the requests for further clarity and examples. However, the Fining Guidance sets out examples of the relevant factors that the ICO is likely to have regard to in determining whether processing operations are linked and form part of the same overall conduct (see paragraph 40 of the Fining Guidance). The Fining Guidance also includes an example of when the same or linked processing operations may lead to more than one infringement of UK GDPR or Part 3 or Part 4 DPA 2018 (see paragraph 42 of the Fining Guidance).
Taking respondents’ comments into account, the ICO has provided additional explanation in this section to make it clearer how fines would be imposed where Article 83(3) UK GDPR applies and where it does not apply.
As was already stated in the Fining Guidance (at footnote 37), the ICO notes that the DPA 2018 does not include an equivalent provision to Article 83(3) UK GDPR in respect of processing under the DPA 2018. However, to ensure consistency, the ICO will take the same approach in determining penalties in respect of infringements of the DPA 2018 as it would in respect of infringements of the UK GDPR.
The ICO disagrees with the interpretation of the respondent that suggested that the Fining Guidance contains or implies an internal contradiction. The ICO also disagrees with the respondent’s interpretation of Article 83(3) UK GDPR.
Article 83(3) UK GDPR requires the ICO to consider whether a controller or processor’s processing operations are ‘the same or linked’ when deciding on the appropriate fine. As set out in the Fining Guidance, the ICO distinguishes between circumstances where processing operations giving rise to more than one infringement are the ‘same or linked’ (see sub-section ‘More than one infringement arising from the same or linked conduct’) and circumstances where there are separate infringements arising from processing operations that are not the ‘same or linked’ (see sub-section ‘Separate infringements arising from separate conduct’).
The way the statutory maximum applies is determined by whether the controller or processor is being fined for more than one infringement arising from the same or linked conduct (which, in practice, is likely to comprise a set of processing operations). In such a scenario, it would be unfair for the controller or processor to be subject to a fine up to the statutory maximum for each infringement of the UK GDPR found to arise from the same conduct or action.
Instead, as required by Article 83(3) UK GDPR, the ICO will use the statutory maximum amount that applies to the ‘gravest’ (ie most serious) of the infringements found. This is done by reference to the categorisation in the UK GDPR and DPA 2018 that distinguishes between the types of infringements that are subject to:
- the standard maximum amount (as specified in Article 83(4) UK GDPR); and
- the higher maximum amount (as specified in Article 83(5) UK GDPR).
By contrast, if the infringements arise from separate (ie different) conduct that is not linked, then it is appropriate for the relevant statutory maximum to apply to each separate infringement. The alternative would be for the ICO to issue separate penalty notices for the infringements.
Therefore, Article 83(3) applies where processing operations are the ‘same or linked’ to ensure that the overall level of fine that can be imposed is capped at the statutory maximum for that conduct. This is explained in paragraph 42 of the Fining Guidance. In calculating the fine amounts where Article 83(3) applies, the ICO will assess the appropriate amount of fine for each infringement and then (as explained in step five of the Fining Guidance) ensure that the overall fine is effective, proportionate and dissuasive and does not exceed the relevant statutory maximum amount.