by test525 2942 days ago
>If your guestbook is physical and substantial, this may be limiting without additional systems, but GDPR also is rather vague in the pushback you're allowed to give if you're completing the export with best intentions, so this will likely not be settled until precedent occurs;

And then you are fined 4% of revenue when you are the scapegoat setting a precedent for a vaguely defined law...


Stop spreading FUD please. 1: fines are up to (4%? thought it was 2%) depending on the offense (I don't think even Cambridge Analytica would qualify for the max fine, even if they were a persistent offender).

2: Yes some terms are vague, some parts are vague too (what is considered "big scale"...) but if you want to cry about a vague law that enables government to shut down businesses, look at FOSTA-SESTA. This law is also vague to allow European countries to tinker around. Moreover, a vague law is often in favor of the defendant in European courts (if a litigation is ever taken to a European court), so this is an advantage for owners.

3. A warning will be issued before any fine, then some time would be given to comply. If complying is difficult, regulatory instances have to help you by giving you ideas/examples/advice.

4. In the case of a physical guestbook, I'm pretty sure the regulatory instances will just laugh at the demand and ignore it anyway.

5. We had a CNIL contact before the GDPR was even drafted (we host health data) and we store non-hashed IP address of our customers (for ip whitelisting), name, surname, email address and phone number. Everything seems good for him as long as our security audits every year are good. I'm pretty sure we hold more client data than almost every small to medium shop whose business is not selling customer data, yet members of regulatory instance say we are okay. This panic is ridiculous.

>Stop spreading FUD please. 1: fines are up to (4%? thought it was 2%) depending on the offense (I don't think even Cambridge Analytica would qualify for the max fine, even if they were a persistent offender).

I have to laugh since you are telling me to stop spreading FUD and you can't even cite off the top of your head if the fine is 4% or 2%.

The fine is 4% of worldwide revenue or $20million (whichever is larger).

>(I don't think even Cambridge Analytica would qualify for the max fine, even if they were a persistent offender).

Can you cite the section of the law that makes you so confident in making this assertion?

All the people telling me to stop worrying don't seem to have any ground to stand on. I've read so many feel good assertions about how "this is not how EU law works" and I can't trust any of them since none of the assertions people are stating so confidently are written into the actual law.

All I know is what is possible. If I am violating GDPR in any way I could be fined $20 million dollars and frankly I don't want to be one of the legal pioneers to find out how each of the 28 member states of the EU will interpret how to apply this law.

> The fine is 4% of worldwide revenue or $20million (whichever is larger).

It is incorrect to suggest that a simple error will lead to the maximum fine. Here is the text of the regulation that sets out all the tests.

https://gdpr-info.eu/art-83-gdpr/

---begin---

Art. 83 GDPR General conditions for imposing administrative fines

Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

> the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

> the intentional or negligent character of the infringement;

> any action taken by the controller or processor to mitigate the damage suffered by data subjects;

> the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

> any relevant previous infringements by the controller or processor;

> the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

> the categories of personal data affected by the infringement;

> the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

> where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

> adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

> any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

> the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

> the obligations of the certification body pursuant to Articles 42 and 43;

> the obligations of the monitoring body pursuant to Article 41(4).

Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

> the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

> the data subjects’ rights pursuant to Articles 12 to 22;

> the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

> any obligations pursuant to Member State law adopted under Chapter IX;

> non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.

> Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

> the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

Which part of that applies to an address book?

And, again, that's the maximum possible fine for the worst case - taking into account all of this:

> the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

> the intentional or negligent character of the infringement;

> any action taken by the controller or processor to mitigate the damage suffered by data subjects;

> the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

> any relevant previous infringements by the controller or processor;

> the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

> the categories of personal data affected by the infringement;

> the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

> where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

> adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

> any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

sigh..

the 4% is the maximum fine allowed.. it's not a minimum..

this FUD is getting idiotic.

Actually, the maximum fine is 4% of revenue or €20m, whichever is more. For a small business or organization, the 4% number isn't the scary one.

You can say that in practice this would never happen, but calling it FUD also doesn't seem right since the regulation is super vague and only mentions maximum fines, not likely actual fines.

>the 4% is the maximun fine allowed.. its not a minimum..

I think it's always safe to assume the worst from bureaucrats. Especially when no sentencing guidelines exist.

>I think it's always safe to assume the worst from bureaucrats.

No it isn't. As a law-abiding web developer, I have had frequent contact with European data protection authorities for many years. Without exception, they have been thoughtful, reasonable and gone out of their way to help me comply with the regulations.

The regulatory authorities exist to ensure compliance, nothing more. They are not a revenue-generating scheme or a Kafkaesque bureaucracy.

The GDPR explicitly states that penalties must be proportionate and sets out no fewer than eleven factors that must be considered before any penalty is issued. It also explicitly establishes a mechanism for ensuring that enforcement is consistent across all member states, by means of the European Data Protection Board. The regulations simply do not allow a member state to "go rogue" and start handing out €20m fines for trivial infractions.

https://gdpr-info.eu/art-83-gdpr/

https://gdpr-info.eu/chapter-7/

> The GDPR explicitly states that penalties must be proportionate

Proportionate to what? The max fine is 4% of revenue or $20 million dollars, whichever is larger.

So is it proportionate to the $20 million dollar fine? If my infraction was small they can just fine me a small proportionate fine of 1% of the maximum.

Why couldn't the EU bureaucrats have stated in clear terms what infractions would receive what fines? Why couldn't they have released a sentencing guideline? And there will be 28 countries applying this law and setting fines in a thousand different ways.

> They are not a revenue-generating scheme or a Kafkaesque bureaucracy.

This law is absolutely Kafkaesque and you can't point to any written case law or section of the law that can concretely dispel my doubts since it does not exist. All you and other posters can do is state that I'm spreading FUD and give me feel good assertions about how I can trust in the benevolent EU bureaucracy and that I should have faith in the system. Can you not understand why I can't take that seriously when millions of dollars and my entire way of life are at stake?

> Why couldn't the EU bureaucrats have stated in clear terms what infractions would receive what fines? Why couldn't they have released a sentencing guideline? And there will be 28 countries applying this law and setting fines in a thousand different

"So, using customer email addresses for marketing lists and not infringing any other way is worth a 0.1% of revenue fine but our analysts project a 0.5% increase in revenue from our marketing list, so let's do it anyway". It's to give authorities scope to punish organisations making calculations like the above, more than "Your local library decided to tell everyone who took out a book last year about their new book club, not realising it's an illegal use of personal data".

And you are allowed to take it to the European court if you think the fine is bullshit. And if you don't already know, European courts don't take bullshit very well.

Anyway, all regulatory instances are working together (in a group named G29, imagination is not their strength) to draw up guidelines for fines and warnings. They will also discuss ongoing cases together (to avoid multiple prosecutions I guess). If you are not trying to cheat data from your customers and if your security is up to date, you risk nothing.

That will never, ever, ever, ever happen. I guarantee that no inn will ever be fined 4% of revenue over a simple paper guestbook.

Maybe not today, but who knows how this law will be used in the future. This could be used to shut a political website by slapping it with a fine for non-compliance. A vague law means any company can be found non-compliant. By the time you appeal you'll be bankrupt.

In America in this century they tried to seize an entire inn for renting to the wrong kind of people.

You're gonna have to have a citation for that.

Motel Caswell.

You really don't think it's possible that one of the 28 member nations of the EU will pass down an absurdly large fine for some minor infraction? This happens all the time...

The fact is, if I am not GDPR compliant in any way there is no mechanism built into the law to limit the amount I am fined and some judge that is in a bad mood or hates the idea of my business can simply fine me 20 million to kill my business and still be abiding by the letter of the law.

> You really don't think it's possible

For signing a guestbook or something similarly trivial? No.

If you truly believe that (if it really escalated) the European Commission, and then the European parliament, and then ultimately the European Court of Justice is going to put up with 20-million-fine-for-a-guestbook shenanigans, I don't know what to tell you, except that I think your definition of "reasonable" is not reasonable.

Maybe I'm not jaded enough, and I can believe in a single bad actor, but all of them? Including an entire institution that has direct public accountability?

As an aside, I think it would be helpful if participants in GDPR discussions would indicate if they approach it from a USA or EU angle (or even a non-EU and non-USA perspective. I haven't really noticed any specific opinions from outside the USA/EU).

"You really don't think it's possible that one of the 28 member nations of the EU will pass down an absurdly large fine for some minor infraction?"

For the infraction of having a guestbook? Absolutely not.

"The fact is, if I am not GDPR compliant in any way there is no mechanism built into the law to limit the amount I am fined"

I don't see that as a problem.

" some judge that is in a bad mood or hates the idea of my business can simply fine me 20 million to kill my business and still be abiding by the letter of the law."

Then you appeal. You're acting like there's no recourse or appeals mechanism for you.

> The fact is, if I am not GDPR compliant in any way there is no mechanism built into the law to limit the amount I am fined

The law specifies the maximum fine, so you can't go over that. It also specifies that fines have to be proportionate. If you think the fine is disproportionate you have the right to appeal - that is also built into the law. If you think the appeal erred in law you get further rights of appeal. If your country hasn't made these legal routes available to you then you can take your country to the European courts.