Short Reads

GDPR: Oops! Caught red-handed? What are the sanctions for violating data protection rules?

Oops! Caught red-handed? What are the sanctions for violating data pr

GDPR: Oops! Caught red-handed? What are the sanctions for violating data protection rules?

18.08.2016

The supervisory authority of each Member State under the GDPR will now be entitled to impose more stringent administrative sanctions. And that’s not all: sanctions can also be imposed by courts.

So, what could happen when one violates data protection rules?

The administrative sanctions imposed by the supervisory authority are two-fold: it can (i) take one or more of the measures listed in the GDPR, such as issue a warning or impose a temporary or definitive ban on processing personal data, or (ii) impose a fine, depending on the circumstances of each individual case, or do both.

For the latter, the GDPR stipulates two possible maximum fines, depending on the nature of the violation. The first maximum administrative fine is EUR 10 million or 2% of the defaulting entity’s total worldwide turnover of the preceding financial year, whichever is higher.

The GDPR identifies various grounds on which this fine could be imposed. For example, in case of a failure to notify a data breach or a failure to implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed. An administrative fine can also be imposed if one fails to carry out a DPIA whenever required to do so.

The second maximum fine is EUR 20 million or 4% of the defaulting entity’s global turnover. This maximum would apply  to more “serious” violations, such as transferring personal data to a third country without taking appropriate measures to safeguard the data or without observing the data subject’s objection to the processing of his or her personal data.

In any event, when considering a sanction,  the supervisory authority must take into account various factors, such as the duration of the violation, its intentional or negligent nature, the categories of data, and the number of data subjects concerned, as well as the attitude of the defaulting entity, including any relevant, previous violation(s). Also, the GDPR states that all measures must be effective, proportionate and dissuasive. This means that a supervisory authority is not entitled to simply impose any sanction it sees fit whenever there is a violation of data protection rules. Rather, it should ensure—and justify—that the specific sanction being imposed meets these objectives.

And if one disagrees with the sanction imposed? Then the party sanctioned may lodge an appeal before the courts of the Member State where the supervisory authority concerned is established.

In addition to these administrative sanctions, data controllers and/or processors can be sued before a court in the Member State where they are established or a court of a Member State where the data subject has his or her habitual residence. These proceedings can be brought by the data subjects themselves and/ or by the relevant supervisory authority, and even, under certain conditions, by any body, organization or association that advocates the protection of personal data. The more specific remedies are those laid down in the national laws.

All of the foregoing reminds us that privacy compliance is becoming an even more significant issue. As we know, the GDPR will only become effective as from 25 May 2018. It is to be expected, however, that supervisory authorities will already start interpreting current data protection legislation in the light of the new provisions of the GDPR.

To read more about this series of articles (and the articles that were published previously), please click here

Team

Related news

03.07.2020 NL law
E-book NOW-2: Second Temporary Emergency Bridging Measure Work Retention

Articles - On 17 March 2020, the Dutch cabinet announced the first emergency package of support measures to alleviate the economic consequences of the corona crisis. This emergency package inter alia comprised the First Temporary Emergency Bridging Measure for the purpose of Work Retention (“NOW-1”) and the Temporary Bridging Measure for Self-Employed Persons (“Tozo-1”).

Read more

29.07.2020 NL law
Over temperaturen ten tijde van corona

Articles - Met haar standpunt ten aanzien van het meten van temperaturen van werknemers, geeft de Autoriteit Persoonsgegevens (AP) verduidelijking over de reikwijdte van haar toezicht. Deze nuancering houdt in dat, als er geen sprake is van verwerking van persoonsgegevens, de AVG niet geldt en de AP dus niet handhavend kan optreden.

Read more

03.07.2020 NL law
E-book NOW-2: Tweede tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid

Articles - Op 17 maart 2020 kondigde het kabinet het eerste noodpakket aan met steunmaatregelen om de economische gevolgen van de coronacrisis te dempen. Onderdeel van dit noodpakket zijn onder andere de Eerste tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid (“NOW-1”) en de Tijdelijke overbruggingsregeling zelfstandige ondernemers (“Tozo-1”).

Read more