More than one year after the entry into force, on 25 May 2018, of the Regulation on the Protection of Individuals with regard to the Processing of Personal Data and the Free Movement of such Data (RGPD), we are witnessing a new period of effervescence triggered by the first fines applied by the National Authority for Personal Data Processing Supervision (ANSPDCP) for non-compliance with the provisions of the RGPD.
While in 2017 and the first months of 2018 companies invested impressive amounts of time and money, in some cases racing against the clock, to ensure that they complied with the legal provisions in time, the first year of application of the new European regulation was rather quiet.
Companies that underwent an analysis and compliance process enjoyed a moment of pause, while those that did not saw no immediate effect of the new legal provisions and considered their activity to be affected.
Recent sanctions have shown that the national authorities used this period to strengthen their control apparatus and carry out the first investigations. Thus, in just a few days (27 June - 5 July 2019), ANSPDCP applied three fines: one of 130,000 euros to a banking institution, one of 15,000 euros to a hotel, and a third of 3,000 euros to a data protection consulting company.
Also, at European level, on 8 and 9 July 2019, the ICO (the UK data protection authority) announced its intention to fine a large hotel chain over £99m and an airline £183.39m (representing, according to The Guardian, 1.5% of the airline's global turnover in the previous year) for breaching the RGPD.
Regarding the activity of ANSPDCP, we note that the three fines applied so far are the result of investigations initiated following complaints or the notification of security breaches by the data controller.
The Authority has recently updated its web page to facilitate access to the complaints procedure under the RGPD for those interested, a simplified procedure that allows the complaint form to be filled in online.
A Complaints Department has also been established within ANSPDCP. It is easy to anticipate that, in the coming period, the number of ANSPDCP investigations will increase, and with it the number of sanctions applied.
The question is: what can a company do if ANSPDCP initiates an investigation into its activity? How does it prepare for such an investigation?
In light of the regulations in force, we can identify measures that need to be taken before, during and after the investigation. Here are some of them.
Before the investigation:
- periodic analysis of the compliance of personal data processing operations with the regulations in force (including verification of the IT security measures implemented);
- periodic verification of how the persons empowered to process data on behalf of the company (third-party processors) comply with the RGPD;
- regular training of company employees both on the provisions of the RGPD and of the internal legislation in this field, and on how to act in the case of an ANSPDCP inspection.
During the investigation:
- identifying the staff of the investigating authority on the basis of their inspection card and the authorisation issued to conduct the investigation;
- obtaining as much information about the investigation as possible in order to fully inform the data protection officer (DPO) and the company's lawyer;
- immediately contacting and fully informing the DPO and the company's lawyer;
- full cooperation with the inspection staff, within the limits of the inspectors' mandate, including by providing the requested information, documents or records and allowing persons to be heard, to the extent required and insofar as this relates to the objectives of the investigation;
- providing access to confidential information and documents (waiving confidentiality towards the inspection staff) to the extent that they relate to the objectives of the investigation;
- carefully reading the inspection report before signing it, so that erroneous information is not incorporated.
After completing the investigation:
- analysing, together with the company's lawyer and other consultants, whether to file an appeal against the finding and sanctioning report;
- implementing the necessary remedial measures and making the changes required to comply with the RGPD.
Analysing the cases investigated and/or sanctioned to date by ANSPDCP, as well as those in which the ICO has announced its intention to impose fines, we note that the practical situations in which a violation of the RGPD may occur are highly varied and hard to anticipate in a basic or summary analysis.
It is obvious that the process of alignment with the RGPD provisions is an ongoing one, requiring permanent training of the staff who handle personal data in all areas of the company's activity.
Knowing the personal data flows, the obligations imposed on the data controller and the risks to which it is exposed in case of violation is essential for avoiding fines of up to 20,000,000 euros or 4% of turnover.