[orwin]

Stop spreading FUD please. 1: fines are up to (4%? thought it was 2%) depending on the offense (i dont think even Cambridge analytica would qualify to max fine, even if they were a persistant offender).

2: Yes some terms are vague, some part are vague too (what is considered "big scale"...) but if you want to cry about a vague law that enable government to shut down businesses, look at FOSTA-SESTA. This law is also vague to allow european countries to tinker around. Moreover, a vague law is often in favor of the defendant on european courts (if a litigation is ever taken to european court), so this is an advantage for owners.

3. A warning will be issued before any fine, then some time would be given to comply. If complying is difficult, regulatory instances have to help you by giving you ideas/examples/advice.

4. In the case of a physical guestbook, i'm pretty sure the regulatory instances will just laugh at the demand and ignore it anyway.

5. We had a CNIL contact before the GDPR was even drafted (we host health data) and we store non-hashed IP address of our customers (for ip whitelisting), name, surname, email address and phone number. Everything seems good for him as long as our security audits every year are good. I'm pretty sure we hold more client data than almost every small to medium shop whose business is not selling customer data, yet members of regulatory instance say we are okay. This panic is ridiculous.

[test525]

>Stop spreading FUD please. 1: fines are up to (4%? thought it was 2%) depending on the offense (i dont think even Cambridge analytica would qualify to max fine, even if they were a persistant offender).

I have to laugh since you are telling me to stop spreading FUD and you can't even cite off the top of your head if the fine is 4% or 2%.

The fine is 4% of worldwide revenue or $20million (whichever is larger).

>(i dont think even Cambridge analytica would qualify to max fine, even if they were a persistant offender).

Can you cite the section of the law that makes you so confident in making this assertion?

All the people telling me to stop worrying don't seem to have any ground to stand on. I've read so many feel good assertions about how "this is not how EU law works" and I can't trust any of them since none of the assertions people are stating so confidently are written into the actual law.

All I know is what is possible. If I am violating GDPR in any way I could be fined $20 million dollars and frankly I don't want to be one of the legal pioneers to find out how each of the 28 member states of the EU will interpret how to apply this law.

[DanBC]

> The fine is 4% of worldwide revenue or $20million (whichever is larger).

It is incorrect to suggest that a simple error will lead to the maximum fine. Here is the text of the regulation that sets out all the tests.

https://gdpr-info.eu/art-83-gdpr/

---begin---

Art. 83 GDPR General conditions for imposing administrative fines

Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

1Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). 2When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

> the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

> the intentional or negligent character of the infringement;

> any action taken by the controller or processor to mitigate the damage suffered by data subjects;

> the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

> any relevant previous infringements by the controller or processor;

> the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

> the categories of personal data affected by the infringement;

> the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

> where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

> adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

> any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

> the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

> the obligations of the certification body pursuant to Articles 42 and 43;

> the obligations of the monitoring body pursuant to Article 41(4).

Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

> the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

> the data subjects’ rights pursuant to Articles 12 to 22;

> the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

> any obligations pursuant to Member State law adopted under Chapter IX;

> non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

1Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. 2In any event, the fines imposed shall be effective, proportionate and dissuasive. 3Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.

[test525]

    Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines >up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
        the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

[DanBC]

Which part of that applies to an address book?

And, again, that's the maximum possible fine for the worst case - taking into account all of this:

> the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

> the intentional or negligent character of the infringement;

> any action taken by the controller or processor to mitigate the damage suffered by data subjects;

> the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

> any relevant previous infringements by the controller or processor;

> the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

> the categories of personal data affected by the infringement;

> the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

> where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

> adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

> any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.