Penalty amount
Having dismissed the appeal against the imposition of a MPN, the Tribunal turned to consider the appropriate penalty amount. The Tribunal was satisfied that the Commissioner’s initial indicative penalty of £400,000 was appropriate, based on the facts as then understood, as was the reduction to £275,000 in the light of the Appellant’s financial position (paragraph 92 of the Tribunal’s reasons). However, the Tribunal’s conclusion that far fewer data subjects must have been affected than assumed by the Commissioner, which followed from the finding that 67,000, rather than 500,000, relevant documents were seized by the MHRA, had to be taken into account in fixing a revised penalty.
The considerations taken into account by the Tribunal in fixing the amount of the penalty were as follows:
- “the statutory intention of both the GDPR and DPA is that a higher financial penalty should be imposed under this that…the predecessor legislation” (paragraph 92 of the Tribunal’s reasons);
- a penalty should not be avoided solely due to financial hardship, but this was an important consideration “in terms of mitigation”. In the Appellant’s case, it “has already been reflected in an appropriate manner in the MPN under appeal” (paragraph 93);
- while the breach affected far fewer data subjects than originally assumed, the number of seized documents remained “very large” and, of these, 12,491 contained ordinary personal data and 53,871 special category data (paragraph 94);
- most documents contained personal data of “highly vulnerable data subjects”, which was a “significant aggravating factor” (paragraph 94);
- unlike the Commissioner, the Tribunal found that the Appellant had breached Article 5(1)(e) of the GDPR. Given that, and the “long list of aggravating criteria identified in the MPN”, it would not be appropriate simply to reduce the Commissioner’s £275,000 penalty in proportion to the reduced number of breach documents (paragraph 95).
Taking these matters into consideration, the Tribunal concluded as follows:
“96…I have decided that the amount of the MPN should be reduced to £92,000, which is a reduction of approximately two thirds”.
The Tribunal also dismissed the Enforcement Notice appeal. I shall describe its reasons briefly since the dismissal of that appeal is not challenged. The Tribunal concluded that it was “proportionate and reasonable” to issue an Enforcement Notice on 17 December 2019 “in relation to [the Appellant’s] data protection policies” (paragraph 97 of the Tribunal’s reasons). The steps taken by the Appellant before that date, in discussion with the Commissioner, to demonstrate GDPR-compliant policies were inadequate. At September 2019, the Appellant’s policy documents remained incomplete and “referred to some changes that were yet to be implemented” (paragraph 98).
- The decision of the Upper Tribunal is to refuse this appeal. The decision of the First-tier Tribunal, taken on 9 August 2021, under file reference EA/2020/0065/V, did not involve an error on a point o
[2023] UKUT 132 (AAC)