Fines for violating provisions of the GDPR must be effective reasonable dissuasive and strict vicarious liability is not imposed, unlike section 99(2) of the Protection of Personal Information Act, 2013 (POPIA) which reads:
“(2) In the event of a breach the responsible party may raise any of the following defences against an action for damages:
(a) Vis major;
(b) consent of the plaintiff;
(c) compliance was not reasonably practicable in the circumstances of the particular case; or
(d) the Regulator has granted an exemption… .”.
By contrast section 60(3) of the Employment Equity Act (EEA) provides that an employer must be deemed to have contravened a provision of the EEA if the employer has failed to take the steps necessary to eliminate conduct which does not comply with the EEA.
So senior managers who are able to prove that they did all that was reasonably practicable to ensure that employees would not contravene the EEA will be able to avoid being held vicariously liable for the contraventions by employees.
It has been argued that section 99(2) of POPIA should be amended to include the following wording, namely:
Despite subsection (1), an employer is not liable for the conduct of an employee if that employer is able to prove that it did all that was reasonably practicable to ensure that the employee would not act in contravention of this Act.
See: Millard D and Bascerano EG “Employers’ Statutory Vicarious Liability in Terms of the Protection of Personal Information Act” PER / PELJ 2016(19) –
“National authorities can or must assess fines for specific data protection violations in accordance with the General Data Protection Regulation. The fines are applied additionally or instead of further remedies or powers, such as the order to end a violation, an instruction to adjust the data processing to statutory requirements, as well as the granting of a prohibition which is limited in time or permanently, to perform data processing. For the provisions which relate to order processors, they can be directly and/or in conjunction with the person responsible, subject to sanctions.
The fines must be effective, reasonable and dissuasive for each individual case. For the decision of whether and what amount of sanctions can be assessed, the authorities have a statutory catalogue of criteria which must be used in taking a decision. Among other things, intentional infringement, a failure to take measures to mitigate the damage which occurred, or lack of collaboration with authorities can increase the penalties. For the especially severe violations listed in Art. 83, para. 5 of the GDPR, the fine framework can be up to 20 million euros, or in the case of a company, up to 4% of their total global turnover in the previous fiscal year, whichever is higher. But even the catalogue of less severe violations (Art. 83, para. 4) sets forth fines of up to 10,000,000 euros, or, in the case of a company, up to 2% of its entire global turnover of the previous fiscal year, whichever is higher. Especially important here is that the term “company” is equivalent to that used in Art. 101 and 102 of the Treaty on the
Functioning of the European Union (TFEU). According to case law from the Court of Justice of the European Union, this refers to the broad, functional corporate term as a company which is a unit which exercises a commercial activity, independent of its legal form and its type of financing. This commercial unit can therefore consist of one individual company in the sense of a legal subject, but out of several natural or legal persons. Thus, a whole group can be treated as one company. To calculate fines, the entire group’s turnover is used to calculate a penalty based on the company’s turnover. In addition, Member States have rules for sanctions for other violations against the Regulation. This applies to those violations to which a fine has not already been assessed. Therefore, one must ensure that these penalties are also effective, proportional and act as a deterrent.
An objectionable fact in the company can be found through proactive inspection activities conducted by the assigned authorities, by an unsatisfied employee who complains to the authorities or by customers or potential customers who register a notice to the authorities, through the company making its own declaration, or by the press in general, through investigative journalism”.