The Official (ISC)2 CISSP CBK Reference - Leslie Fife, Aaron Kraus - Page 89
Determination
Fines are administered by the supervisory authority of each individual member state (GDPR Article 83(1)). The following 10 criteria are to be used to determine the amount of the fine imposed on a noncompliant firm:
Nature of infringement: Number of people affected, damage they suffered, duration of infringement, and purpose of processing
Intention: Whether the infringement is intentional or negligent
Mitigation: Actions taken to mitigate damage to data subjects
Preventative measures: How much technical and organizational preparation the firm had previously implemented to prevent noncompliance
History: Past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
Cooperation: How cooperative the firm has been with the supervisory authority to remedy the infringement
Data type: What types of data the infringement impacts; see special categories of personal data
Notification: How the supervisory authority learned of the infringement, in particular whether the firm itself proactively reported it or whether it came to light through a third party
Certification: Whether the firm had qualified under approved certification mechanisms or adhered to approved codes of conduct
Other: Other aggravating or mitigating factors, including financial impact on the firm from the infringement