3.1 - One sanctionable conduct

25. As a first step, it is essential to establish whether there is one and the same sanctionable conduct (“idem”) or there are multiple ones in order to identify the relevant sanctionable behavior to be fined. Therefore, it is important to understand what circumstances are considered as one and the same conduct, as opposed to multiple conducts. The relevant sanctionable behavior needs to be assessed and identified on a case-by-case basis. For example, in a certain case “the same or linked processing operations” might constitute one and the same conduct.

26. The term “processing operation” is included in Article 4(2) GDPR, where “processing” is defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

27. When assessing “the same or linked processing operations”, it should be kept in mind that all obligations legally necessary for the processing operations to be lawfully carried out can be considered by the supervisory authority for its assessment of infringements, including, for instance, transparency obligations (e.g. Article 13 GDPR). This is also underlined by the phrase “for the same or linked processing operations”, which indicates that the scope of this provision includes any infringement that relates to and may have an impact on the same or linked processing operations.

28. The term “linked” refers to the principle that a unitary conduct might consist of several parts that are carried out by a unitary will and are contextually (in particular regarding identity in terms of data subject, purpose and nature), spatially and temporally related in such a close way that an outside observer would consider them as one coherent conduct. A sufficient link should not be assumed easily, in order for the supervisory authority to avoid infringement of the principles of deterrence and effective enforcement of European law. Therefore, these aspects of relations for a sufficient link need to be assessed on a case-by-case basis and need to be handled restrictively.

Example 1a – The same or linked processing operations

A financial institution requests a credit check from a credit reporting agency (CRA). The financial institution receives this information and stores it in its system.

Although the collection and storage of the creditworthiness data by the financial institution each are by themselves processing operations, they form a set of processing operations that are carried out by a unitary will and are contextually, spatially and temporally related in such a close way that an outside observer would consider them as one coherent conduct. Therefore, the processing operations performed by the financial institution are to be considered as being “linked” and form the same conduct.

Example 1b – The same or linked processing operations

A data broker decides to implement a new processing activity as follows: it decides to collect – as a third party – the consumer transaction history from dozens of retailers without a legal basis, to perform psychometric analysis to predict future behavior of individuals, including political voting behavior, willingness to quit their job and more. In the same decision the data broker decides to not include this procedure in the records of processing activities, not to inform data subjects and to ignore any data subject access requests related to the new processing operations. The processing operations involved in this processing activity form a set of processing operations that are carried out by a unitary will and are
