I know that LOPD and LSSI are not the same as GDPR.

However, each country in the EU needs to modify its own LOPD in order to adapt 
it to the GDPR.

*I've done some further reading and according to the 1st and 2nd paragraphs of 
GDPR Art. 83 each DPA will establish the fines, which should respect what is 
said in 4, 5 and 6 (including the maximum fines, so clearly 10 and 20 MEuros or 
2% and 4% of the previous year turnover).

So after that, I found what is going on and in the case of Spain, the council 
of Ministers approved the law 24th Nov. 2017 
(http://www.congreso.es/docu/docum/ddocum/dosieres/sleg/legislatura_12/spl_13/pdfs/1.pdf)
 and it was expected to be sanctioned by the Parliament last week, after some 
discussion and some changes. However, it seems to be delayed as the parliament 
asked for some amendments.

In this document, again, it is indicated that the DPA will follow what is being 
said in GDPR (see * above) and doesn't mention the amount of each fine, because 
"Each supervisory authority shall ensure that the imposition of administrative 
fines pursuant to this Article in respect of infringements of this Regulation 
referred to in paragraphs 4, 5 and 6 shall in each individual case be 
effective, proportionate and dissuasive." See also the text in p. 2 of the GDPR.

This allows the DPAs to take into consideration *each* individual case, or 
even to change the fines in the future.

However, the Spanish law talks about some specific fine amounts in article 
78, referring to the prescription of the infringements depending on the fine 
amount. For example, for fines up to 40.000 Euros, 300.000 euros and over 
300.000 euros.

What does that mean? Each DPA has to modify the "actual" LOPD and associated 
tables of fines, and the GDPR only establishes the maximum amounts.

Other countries already have done that:
Italy: LEGGE 20 novembre 2017, n. 167
Germany: Bundesdatenschutzgesetz
France: looks like a similar situation as Spain

So, for the countries that have not yet finalized the approval of the "new 
LOPD", the fines are still the same as the ones defined in the "actual LOPD". 
So, I think I was right in my assertion, and the minimum fines in Spain will 
for sure be lower than 40.000 euros, and my guess is that they will start, as 
today, at 600 or so ... in the end it will depend on the "individual decision" 
(based on a categorization table, which the Spanish DPA for sure has already 
prepared, but will not make public until the new LOPD is approved by the 
parliament).

Of course I'm not saying that you should ignore the GDPR because the fines are 
low. I think everybody really needs to adapt their data protection procedures to 
it.

Regards,
Jordi
 
 PS: An informal document that I've found says that the new fines are in the 
ranges of 900-40.000, 40.001-300.000 and 300.000-600.000.



-----Original Message-----
From: NANOG <nanog-boun...@nanog.org> on behalf of Rob McEwen 
<r...@invaluement.com>
Date: Sunday, 27 May 2018, 0:16
To: <nanog@nanog.org>
Subject: Re: Whois vs GDPR, latest news

    On 5/26/2018 3:36 PM, JORDI PALET MARTINEZ via NANOG wrote:
    > Talking from the experience because the previous laws in Spain, LOPD and 
LSSI
    
    Jordi,
    
    LOPD/LSSI does not = GDPR
    
    But even if there was a probability that GDPR would operate like they do: 
(1) it is alarming that the fines mentioned on GDPR are 10-20X higher than even 
LOPD/LSSI's higher fines -AND- regarding LOPD/LSSI's relatively low minimum 
fine of 600 EUROs that you mentioned - it was explicitly mentioned on the page 
you referenced - HOWEVER there is NOT any similar official (relatively) 
low-cost fines mentioned for GDPR anywhere.... there is only that 
NOT-reassuring "up to" phrase.
    
    For someone hit with a GDPR fine, I don't think telling them, "JORDI PALET 
MARTINEZ claimed that the fine will be more reasonable for a smaller business 
that had a less egregious offense" - is going to necessarily make it so.
    
    Believe me, I WANT you to be my GDPR fairy. I really really do. But I have 
to operate my business more realistically.
    
    -- 
    Rob McEwen
    https://www.invaluement.com
    
    
    


