Are GDPR fines insurable?
Compared to its legal predecessor, the GDPR contains stricter sanction mechanisms. The aim is to ensure that the requirements of the GDPR are actually complied with. One sanction option is set out in Article 83 GDPR: the fine. But when is this dreaded fine imposed, and can you insure yourself against it?
Art. 83 GDPR
A fine pursuant to Art. 83 GDPR can be imposed on controllers and processors. According to Art. 83 V GDPR, the upper limit is EUR 20 million or 4 % of the worldwide annual turnover of the company or group concerned (whichever is higher). In the case of less serious breaches, such as purely organizational deficiencies, the upper limit is reduced to EUR 10 million or 2 % of the worldwide annual turnover (Art. 83 IV GDPR). The annual turnover is determined on the basis of the turnover in the previous year.
The final amount of the fine depends on many assessment criteria, such as the type, severity and duration of the offense, intent or negligence, previous infringements, etc. This is regulated in detail by Art. 83 I and II GDPR.
Cases in which fines have been imposed show that the competent supervisory authorities (Art. 58 II lit. i GDPR) do make full use of this framework when they actually impose a fine. On the other hand, the supervisory authority can also waive a fine and impose other measures instead where appropriate.
Fines can often be prevented in advance, and reduced in the event of an infringement, by fulfilling the data protection requirements, for example by appointing a data protection officer. In principle, the better you fulfill the data protection requirements, the lower the fine will be in the end.
As long as an employee does not act entirely on their own responsibility and in their own interest, their violation is attributed to the company. If a company commits an infringement sanctioned with a fine through a service provider or similar that it has commissioned, the company can claim compensation for damages from the service provider.
Insurance
In principle, it is possible to insure against GDPR fines (insofar as this is permitted under current law). Fines incurred in one's own company are covered by most liability insurance policies. If the fine is incurred in another company for which one's own company performed the services in which the GDPR violation occurred, the other company can claim the fine as damages from the company providing the services (right of recourse). Such incidents are also covered by most pecuniary loss liability insurance policies.
It is crucial to pay attention to the maximum amount of coverage when taking out the insurance. For this purpose, the annual turnover of one's own company should first be considered in order to see what maximum amount would result under the rules of Art. 83 GDPR. It should not be forgotten that the fine your own insurance has to cover may also be incurred by a company for which your company provides services. In this case, the fine is based on the turnover of the "client company". When taking out liability insurance, it is therefore necessary to take into account how high the turnover of the companies for which the company will be working will be. It may also be necessary to adjust the liability insurance several times over the lifetime of the company.
Expert advice should always be sought for assessment in individual cases.