Effective, proportionate and dissuasive penalties are not automatically imposed, but must be considered on case by case basis.
The following must be taken into account when deciding whether a penalty should be imposed and what the level of the penalty should be:
- nature, gravity and duration of the infringement having regard to the
- nature scope or purpose of the processing concerned
- the number of data subjects affected and
- the level of damage suffered by them;
- intentional or negligent character of the infringement;
- action taken by the controller or processor to mitigate the damage suffered by data subjects;
- degree of responsibility of the controller or processor (Article 24) having regard to technical and organisational measures implemented by them pursuant to Articles 25 (data protection by design and by default) and 32 (security of processing);
- any relevant previous infringements by the controller or processor;
- the degree of co-operation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement (Article 31 - co-operation with the supervisory authority);
- categories of personal data affected by the infringement;
- manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
- in a case measures have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with these measures;
- adherence to approved codes of conduct or approved certification mechanisms;
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
In a case where a minor infringement has occurred and the likely penalty would impose a disproportionate burden on a natural person (such as a sole trader), a reprimand may be issued as an alternative.