This is sloppy wording on the author's part, not a quote from the minister.
Considerations when imposing a fine
It also follows from the GDPR that a supervisor must carefully consider whether imposing a fine is appropriate (effective, proportionate and dissuasive) for the violation. For a small infringement, the supervisor can also opt for a reprimand instead of a fine. Supervisors may draw up their penalty policy at their discretion. In deciding whether to impose a fine and how high it should be, the supervisory authority must in any case take the following factors into account:
- The nature, severity and duration of the infringement. This involves looking at the number of affected parties and the extent of the damage suffered by them;
- Whether the controller or processor acted deliberately or negligently;
- The measures taken to limit the damage;
- Previous infringements by the controller or processor;
- The extent to which the controller or processor has cooperated with the regulator to remedy the infringement and to limit the damage;
- Which category of personal data is concerned;
- How the supervisor was informed of the infringement, in particular whether the controller or processor reported it itself;
- Compliance with a previously imposed corrective action;
- Whether the controller or processor is affiliated with approved codes of conduct or certification mechanisms;
- Other aggravating or mitigating factors.