Are GDPR fines - insurable?
Compared to its legal predecessor, the GDPR contains stricter sanction mechanisms. The aim is to ensure that the requirements of the GDPR are actually complied with. One sanction option is contained in Article 83 of the GDPR: The fine. But when does this dreaded fine occur and can you insure yourself against it?
Art. 83 GDPR
A fine pursuant to Art. 83 GDPR may be imposed on controllers and processors. According to Art. 83 V GDPR, the upper limit is 20 million euros or 4 % of the global annual turnover of the company or group concerned (whichever is higher). In the case of less serious infringements, such as pure organizational deficiencies, the upper limit drops to 10 million euros or 2 % of the worldwide annual turnover (Art. 83 IV GDPR). The annual turnover is determined on the basis of the turnover in the previous year.
The final amount of the fine depends on many assessment criteria such as the type, severity and duration of the violation, intent or negligence, previous violations, etc. This is regulated in detail by Art. 83 I and II GDPR.
Cases in which fines have been imposed show that the competent supervisory authorities (Art. 58 II lit. i GDPR) certainly exhaust this framework when fines are actually imposed. On the other hand, the supervisory authority can also waive a fine and impose other measures if necessary.
You can often even prevent fines in advance and reduce them in the event of a violation by meeting the data protection requirements, e.g. by appointing a data protection officer; in principle, the better you meet the data protection requirements, the lower the fine in the end.
As long as an employee does not act entirely on his or her own responsibility and in his or her own interest, his or her violation is attributed to the company. If a company incurs a violation sanctioned by a fine as a result of a service provider it has commissioned or similar, the company can claim this as damages against the service provider.
In principle, it is possible to insure against GDPR fines (insofar as this is possible under current law). Fines incurred in one's own company are covered by most liability insurance policies. If the fine is incurred in another company where the own company performed services in which the GDPR violation occurred, the other company can claim this as damages against the company providing the services (right of recourse). Such incidents are also covered by most pecuniary loss liability insurance policies.
It is crucial to pay attention to the maximum amount of coverage when taking out the insurance. For this purpose, the annual turnover of the own company should first be considered in order to see at which maximum amount one would arrive according to the regulations of Art. 83 GDPR. It should not be forgotten that it can also happen that the fine that your own insurance has to pay is incurred by a company for which it provides its own services. In this case, the fine is based on the turnover of the "client company". When taking out liability insurance, it is therefore necessary to take into account how high the turnover of the companies for which the company will be working will be. It may also be necessary to adjust the liability insurance several times in the course of the company's career.
Expert advice should always be sought for assessment in individual cases.