Fines are higher for individual rights violations rather than poor data protection

By | Monday November 21st, 2016

Art. 24 (Sanctions) of Directive 95/46 states: “The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.” It did not give Member States any specific criteria for setting up sanctions rules.

Currently, some national implementing measures of Directive 95/46 provide for higher fines for poor data protection measures than for other kinds of infringements.

Italian 196/2003 even provides for imprisonment of up to two years for violations of art. 33 (minimal protection of personal data), in addition to fines of up to 120.000 Euros. Meanwhile, violations of art. 13 (Information to be provided) are subject only to a fine of up to 36.000 euros.

GDPR Article 83, “General conditions for imposing administrative fines”, states that “administrative fines up to 10 000 000 EUR …… pursuant to Articles 8, 11, 25 to 39 and 42 and 43”. Art. 25 to 39 are focused on data protection.

On the other hand, “administrative fines up to 20 000 000 EUR …… the data subjects’ rights pursuant to Articles 12 to 22;”. Chapter III, “Rights of the data subject”, starts at art. 12.

So poor handling of “Information to be provided” will cost Italian data controllers 550 times more.

In my humble opinion Italian data controllers should hurry up and focus more on Information to be provided: the information to be given is more detailed in art. 13 of GDPR.


About Pastore

Maurizio Pastore's career has encompassed different fields of Information and Communication Technology (software development, network and system management), operating in different vertical markets (manufacturing, telecommunication, public administration). In the last five years he was focused on information security and privacy. Since 2012 he acted as Data Privacy Officer and as Chief Information Security Officer in Liguria Digitale, the Regione Liguria ICT company. From 2016 he is focused on Privacy & Security Services for Liguria Digitale Customers. Nowadays he is the DPO for Azienda Ospedaliera S.Luigi Orbassano, ASL TO4, ASL TO5, AISM, FISM, Città Metropolitana di Genova.

One thought on “Fines are higher for individual rights violations rather than poor data protection”

  1. paolo calvi

    Absolutely right. I would add that the GDPR lacks criminal sanctions, since, as is well known, Community law cannot legislate in criminal matters. So the member states will have to provide for them. It remains to be seen whether common approaches will prevail or whether they will each go their own way. And what will Italy do: will it keep sanctions similar to the current ones, centred on the omission of measures, or will it introduce new ones, consistent with the new approach?
