Now the Privacy Guarantor may sanction without being flexible | Studio Legale Menichetti


Starting on May 20th 2019, the Guarantor no longer has to "take into account" the novelty of the GDPR (General Data Protection Regulation) for the purposes of sanctioning.

As is known, art. 22 of Legislative Decree 101/2019 stated that the Privacy Guarantor, in applying the administrative sanctions provided for by the new European Regulation (GDPR), "would have taken into account" the fact that they were in their first phase of application.
A generic provision that, however, gave hope for as long as it lasted, that is, until May 20th this year, when the aforementioned rule ceased to have effect. The hope companies placed in it was not misplaced, if it is true that the only sanction (amounting to 50,000 Euros) was imposed on the Rousseau Association for not having implemented adequate security measures after the political website it managed suffered a data breach in summer 2017.

But now the Guarantor is no longer obliged to be understanding and can impose the sanctions provided for by the GDPR with the wide discretion that the generic provisions of the regulation allow. Suffice it to say that the GDPR sets only the maximum amount of the fines, indicated as € 10 million - or € 20 million - depending on annual turnover. In imposing them, the Guarantor must consider criteria such as: the malicious or negligent nature of the violations; the precedents of the party responsible for the violations; the nature and gravity of the infringements; the number of victims; the measures taken to mitigate the damage; and the cooperation provided to the Guarantor by the party responsible for the violation (LC).
