
ICO's draft Data Protection Fining Guidance

The ICO has published draft Data Protection Fining Guidance for consultation. The guidance is intended to replace parts of the ICO's Regulatory Action Policy (RAP) on its approach to fining. It sets out the legal framework underpinning the ICO's powers to impose fines, the circumstances in which the ICO would consider it appropriate to issue a penalty notice, as well as factors which will influence how the fine is calculated.

The RAP will remain applicable to:

  • when the ICO will allow oral representations following a notice of intent to issue a penalty notice
  • how the ICO will proceed if the fine is not paid
  • guidance on fixed fines for failure to pay the data protection fee.

What is an 'undertaking'?

The ICO focuses on what constitutes an 'undertaking' for the purposes of issuing fines and proposes that where a controller or processor forms part of an undertaking (for example, as a subsidiary), maximum fines will be based on turnover of the undertaking as a whole. While the UK GDPR and Data Protection Act 2018 (DPA) do not define what constitutes an 'undertaking' in the context of imposing fines, the ICO says the recitals to the UK GDPR are clear that the term should be understood in accordance with UK competition law. As such, an undertaking does not, in this context, correspond with the commonly understood notion of a legal entity or company under eg English commercial or tax law, but may comprise one or more legal or natural persons forming a 'single economic unit' rather than a single entity characterised as having a legal personality.

Whether or not an individual controller or processor forms part of a wider undertaking depends on whether it can act autonomously or whether another legal or natural person, for example, a parent company, has decisive influence over it and therefore forms part of the same economic unit. The ICO will consider all relevant factors, but there will be a rebuttable presumption of decisive influence where a parent company owns all or nearly all the voting shares in a subsidiary.

Linked processing operations

The ICO also explains its approach to fines where there is more than one infringement by a controller or processor, ie where the infringements arise from the same or linked processing operations. This will be decided on a case-by-case basis. Where processing operations or sets of operations form part of the same overall conduct, the controller or processor may infringe more than one provision of applicable law. The ICO will consider all relevant circumstances, but relevant factors are likely to include the extent to which the processing operations or sets of operations are:

  • aimed at achieving a particular purpose or form part of the same means of processing determined by a controller
  • related to the same, or a similar group of data subjects, and
  • carried out concurrently or sequentially or otherwise in a way that is proximate in time.

Where the ICO finds overall conduct has infringed more than one provision, the ICO will identify the statutory maximum applicable to the most serious individual infringement. The ICO may decide to impose a fine for each infringement arising from the same or linked processing operations provided the sum of those penalties does not exceed the statutory maximum for the gravest infringement.

Conversely, an investigation may identify that different forms of conduct by a controller or processor have infringed separate provisions of the UK GDPR or DPA and are not sufficiently linked. In such cases, the ICO may decide to include the separate infringements in the same penalty notice; however, each infringement would be subject to its own statutory maximum amount, so the total might exceed the maximum amount for the gravest single infringement.

The consultation is open until 27 November 2023.

The draft Data Protection Fining Guidance is relevant to all controllers and processors. It does not change the ICO’s current approach to public sector enforcement, outlined by the Commissioner in June 2022.
