Short Reads

GDPR: Oops! Caught red-handed? What are the sanctions for violating data protection rules?

Oops! Caught red-handed? What are the sanctions for violating data pr

GDPR: Oops! Caught red-handed? What are the sanctions for violating data protection rules?

18.08.2016

The supervisory authority of each Member State under the GDPR will now be entitled to impose more stringent administrative sanctions. And that’s not all: sanctions can also be imposed by courts.

So, what could happen when one violates data protection rules?

The administrative sanctions imposed by the supervisory authority are two-fold: it can (i) take one or more of the measures listed in the GDPR, such as issue a warning or impose a temporary or definitive ban on processing personal data, or (ii) impose a fine, depending on the circumstances of each individual case, or do both.

For the latter, the GDPR stipulates two possible maximum fines, depending on the nature of the violation. The first maximum administrative fine is EUR 10 million or 2% of the defaulting entity’s total worldwide turnover of the preceding financial year, whichever is higher.

The GDPR identifies various grounds on which this fine could be imposed. For example, in case of a failure to notify a data breach or a failure to implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed. An administrative fine can also be imposed if one fails to carry out a DPIA whenever required to do so.

The second maximum fine is EUR 20 million or 4% of the defaulting entity’s global turnover. This maximum would apply  to more “serious” violations, such as transferring personal data to a third country without taking appropriate measures to safeguard the data or without observing the data subject’s objection to the processing of his or her personal data.

In any event, when considering a sanction,  the supervisory authority must take into account various factors, such as the duration of the violation, its intentional or negligent nature, the categories of data, and the number of data subjects concerned, as well as the attitude of the defaulting entity, including any relevant, previous violation(s). Also, the GDPR states that all measures must be effective, proportionate and dissuasive. This means that a supervisory authority is not entitled to simply impose any sanction it sees fit whenever there is a violation of data protection rules. Rather, it should ensure—and justify—that the specific sanction being imposed meets these objectives.

And if one disagrees with the sanction imposed? Then the party sanctioned may lodge an appeal before the courts of the Member State where the supervisory authority concerned is established.

In addition to these administrative sanctions, data controllers and/or processors can be sued before a court in the Member State where they are established or a court of a Member State where the data subject has his or her habitual residence. These proceedings can be brought by the data subjects themselves and/ or by the relevant supervisory authority, and even, under certain conditions, by any body, organization or association that advocates the protection of personal data. The more specific remedies are those laid down in the national laws.

All of the foregoing reminds us that privacy compliance is becoming an even more significant issue. As we know, the GDPR will only become effective as from 25 May 2018. It is to be expected, however, that supervisory authorities will already start interpreting current data protection legislation in the light of the new provisions of the GDPR.

To read more about this series of articles (and the articles that were published previously), please click here

Team

Related news

22.07.2021 NL law
Towards a European legal framework for the development and use of Artificial Intelligence

Short Reads - Back in 2014, Stephen Hawking said, “The development of full artificial intelligence could spell the end of the human race.” Although the use of artificial intelligence is nothing new and dates back to Alan Turing (the godfather of computational theory), prominent researchers – along with Stephen Hawking – have expressed their concerns about the unregulated use of AI systems and their impact on society as we know it.

Read more

19.07.2021 BE law
One year of Schrems II: a state of affairs for international data transfers

Articles - International data transfers have been the subject of intense debates ever since the Court of Justice issued its landmark judgement of Schrems I, on 6 October 2015. The intensity of the debate was further reinforced since the Schrems II decision one year ago, on 16 July 2020. The decision annulled the U.S. Privacy Shield and severely tightened the rules on the use of standard contractual clauses (“SCCs”).

Read more

18.05.2021 NL law
Kroniek: De bestuursrechtelijke aspecten van de AVG

Articles - Tom Barkhuysen, Steven Bastiaans en Fatma Çapkurt (Universiteit Leiden) schreven samen de eerste editie van de nieuwe jaarlijkse NTB kroniek: de bestuursrechtelijke aspecten van de AVG. Hierin bespreken zij onder meer de meest relevante (bestuursrechtelijke) jurisprudentie van het afgelopen jaar op het gebied van de AVG.

Read more

18.06.2021 NL law
FAQ: Wat houdt het Wetsvoorstel elektronische gegevensuitwisseling in de zorg (Wegiz) in en wat is de verhouding tot de AVG?

Short Reads - (Digitale) gegevensuitwisseling in de zorg is een actueel thema. Illustratief is een item bij EenVandaag van april 2021 waarin de analoge werkwijze bij gegevensuitwisseling in de zorg wordt aangekaart, maar ook dit artikel in het NRC van afgelopen maand waarin verslag werd gedaan van een datalek waardoor duizenden gevoelige patiëntgegevens op straat kwamen te liggen. 

Read more

04.05.2021 NL law
Participatie en privacyregels: hoe te combineren onder de Omgevingswet?

Short Reads - In het stelsel van de Omgevingswet (Ow) is een belangrijke rol bedacht voor participatie bij de totstandkoming van besluiten. Het beoogde resultaat: tijdig belangen, meningen en creativiteit op tafel krijgen en daarmee een groter draagvlak en kwalitatief betere besluitvorming bereiken. Door een grotere betrokkenheid van meer personen gaan overheden en initiatiefnemers ook meer persoonsgegevens verwerken. Dit brengt privacyrisico’s met zich mee. Wat regelt de Ow op het gebied van privacy, de verwerking van persoonsgegevens en datagebruik?

Read more