Article 28c Exercise of sanctioning powers
1. Member States shall ensure that, when determining the type and level of administrative sanctions or measures, the competent authorities take into account all relevant circumstances, including where appropriate:
(a) the gravity and the duration of the breach;
(b) the degree of responsibility of the natural person or legal entity responsible;
(c) the financial strength of the natural person or legal entity responsible, for example as indicated by the total turnover of the legal entity responsible or the annual income of the natural person responsible;
(d) the importance of profits gained or losses avoided by the natural person or legal entity responsible, in so far as they can be determined;
(e) the losses sustained by third parties as a result of the breach, in so far as they can be determined;
(f) the level of cooperation of the natural person or legal entity responsible with the competent authority;
(g) previous breaches by the natural person or legal entity responsible.
2. The processing of personal data collected in or for the exercise of the supervisory and investigatory powers in accordance with this Directive shall be carried out in accordance with Directive 95/46/EC and Regulation (EC) No 45/2001 where relevant.