Personal data, methodology for fines discussed, could reach up to 20 million euros

In summary, the Commissioner's document assesses five steps that are the basis for calculating an administrative measure. This takes into account the processing process or activity, the turnover of the enterprise, mitigating or aggravating circumstances, and proportionality.

A few months after the entry into force of the law "On the Protection of Personal Data", the office of the Commissioner for Personal Data Protection and the Right to Information has made public the methodology on which administrative measures will be calculated in cases of violations, sending it to interest groups for consultation.

We recall that the new law was aligned with the European Union directive, specifically Regulation 2016/679 of the European Parliament and of the Council (GDPR), which, among other things, provides for sanctions of up to 2 billion lek or 20 million euros, fines that are considered too high for the size of businesses and the Albanian economy, as only about 210 businesses in the country have a turnover higher than 2 billion lek (20 million euros), according to the "Monitor 200" ranking.

But what does the methodology in question, which is currently in the consultation phase, foresee? In the description of its purpose, it is emphasized that the final sanction measure depends on all the circumstances of the specific case, which will be assessed on a case-by-case basis.

"Therefore, the Commissioner's Office aims for a harmonization approach regarding the existence of a model followed for calculating the sanction amount, instead of harmonizing the result of the calculation," the methodology states.

Synthesized overview of the methodology

In summary, the Commissioner's document assesses five steps that are the basis for calculating an administrative measure. This takes into account the processing process or activity, the turnover of the enterprise, mitigating or aggravating circumstances, and proportionality.

Identification of the processing processes/activities according to the specific case and assessment of the implementation of point 3 of Article 93 of the Data Protection Law (Chapter 3).

Determination of the model for the further calculation of the sanction based on an assessment of (Chapter 4): a) the classification of the violation according to points 1, 2 and 3 of Article 94 of the Data Protection Law; b) the seriousness of the violation according to letters “a”, “b” and “e” of point 2 of Article 93 of the Data Protection Law; c) the turnover of the Enterprise, as an important element to be taken into consideration with a view to imposing an effective, proportionate and dissuasive sanction, according to point 1 of Article 93 of the Data Protection Law.

Assessment of aggravating and mitigating circumstances related to the previous or current conduct of the controller/processor and the increase or decrease of the sanction in accordance with these circumstances (Chapter 5).

Identification of the legally defined ceiling for the sanction amount related to the different processing processes/activities. The increases applied in previous or subsequent steps cannot exceed this ceiling (Chapter 6).

Conducting an analysis of whether the final amount of the calculated sanction meets the requirements of effectiveness, proportionality and deterrence, as required by the provisions of point 1, of 93, of the Data Protection Law and increasing or decreasing the amount of the sanction accordingly (Chapter 7)./MONITOR