In its resolution published on 19 September 2018, the National Authority for Data Protection and Freedom of Information (NAIH) assessed the criteria to take into consideration during the process of setting a fine, especially the level of the fine that NAIH may impose in case of the first infringement of the data protection regulations.
The Authority is being guided by the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council (“Regulation”) and the Act CXII of 2011 on Informational Self-determination and Freedom of Information (“Info Act”) with regard to the determination of the fine.
Article 83 (1) of the Regulation states, that the administrative fines shall be effective, proportionate and dissuasive. Pursuant to Preamble (148) in a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.
This provision was completed by Section 75/A of the Info Act according to which the Authority shall exercise its competence provided for in Article 83 (2)-(6) of the Regulation in due consideration of the principle of proportionality, in particular with the provision that in the event of any non-compliance with the Regulation for the first time, the Authority shall in principle issue warning to the data controller or data processor in order to arrange the remedy of the infringement.
The Authority shall take into account the Data Protection Working Party (WP29) guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, available at the following link: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611237