Short Reads

GDPR: Oops! Caught red-handed? What are the sanctions for violating data protection rules?

Oops! Caught red-handed? What are the sanctions for violating data pr

GDPR: Oops! Caught red-handed? What are the sanctions for violating data protection rules?

18.08.2016

The supervisory authority of each Member State under the GDPR will now be entitled to impose more stringent administrative sanctions. And that’s not all: sanctions can also be imposed by courts.

So, what could happen when one violates data protection rules?

The administrative sanctions imposed by the supervisory authority are two-fold: it can (i) take one or more of the measures listed in the GDPR, such as issue a warning or impose a temporary or definitive ban on processing personal data, or (ii) impose a fine, depending on the circumstances of each individual case, or do both.

For the latter, the GDPR stipulates two possible maximum fines, depending on the nature of the violation. The first maximum administrative fine is EUR 10 million or 2% of the defaulting entity’s total worldwide turnover of the preceding financial year, whichever is higher.

The GDPR identifies various grounds on which this fine could be imposed. For example, in case of a failure to notify a data breach or a failure to implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed. An administrative fine can also be imposed if one fails to carry out a DPIA whenever required to do so.

The second maximum fine is EUR 20 million or 4% of the defaulting entity’s global turnover. This maximum would apply  to more “serious” violations, such as transferring personal data to a third country without taking appropriate measures to safeguard the data or without observing the data subject’s objection to the processing of his or her personal data.

In any event, when considering a sanction,  the supervisory authority must take into account various factors, such as the duration of the violation, its intentional or negligent nature, the categories of data, and the number of data subjects concerned, as well as the attitude of the defaulting entity, including any relevant, previous violation(s). Also, the GDPR states that all measures must be effective, proportionate and dissuasive. This means that a supervisory authority is not entitled to simply impose any sanction it sees fit whenever there is a violation of data protection rules. Rather, it should ensure—and justify—that the specific sanction being imposed meets these objectives.

And if one disagrees with the sanction imposed? Then the party sanctioned may lodge an appeal before the courts of the Member State where the supervisory authority concerned is established.

In addition to these administrative sanctions, data controllers and/or processors can be sued before a court in the Member State where they are established or a court of a Member State where the data subject has his or her habitual residence. These proceedings can be brought by the data subjects themselves and/ or by the relevant supervisory authority, and even, under certain conditions, by any body, organization or association that advocates the protection of personal data. The more specific remedies are those laid down in the national laws.

All of the foregoing reminds us that privacy compliance is becoming an even more significant issue. As we know, the GDPR will only become effective as from 25 May 2018. It is to be expected, however, that supervisory authorities will already start interpreting current data protection legislation in the light of the new provisions of the GDPR.

To read more about this series of articles (and the articles that were published previously), please click here

Team

Related news

20.09.2022 EU law
Launch of Metaverse blog series

Articles - Stibbe launches a new blog series focusing on the legal challenges of the Metaverse. In our upcoming blog posts, we will discuss the legal challenges of NFTs, crypto-assets, Metaverse platforms, crypto exchanges, DAO, and many more.

Read more

28.07.2022 NL law
Zuiver commercieel belang ook gerechtvaardigd belang: Raad van State laat zich er niet over uit

Short Reads - Op 27 juli 2022 heeft de Raad van State bevestigd dat de Autoriteit Persoonsgegevens onterecht een boete van € 575.000 aan VoetbalTV heeft opgelegd. De hoop bestond dat de Afdeling antwoord zou geven op de vraag of de AP terecht of onterecht meent dat een zuiver commercieel belang géén gerechtvaardigd belang kan zijn in de zin van de Algemene Verordening Gegevensbescherming. Het antwoord op deze vraag blijft echter uit.  

Read more

28.07.2022 NL law
Purely commercial interest also a legitimate interest? Council of State leaves the question unanswered.

Short Reads - On 27 July 2022, the Council of State confirmed that the Dutch Data Protection Authority wrongly imposed a €575,000 fine on VoetbalTV. But the Council did not answer the question whether the AP rightly or wrongly believes that a purely commercial interest cannot be a legitimate interest within the meaning of the General Data Protection Regulation.

Read more