The supervisory authority of each Member State under the GDPR will now be entitled to impose more stringent administrative sanctions. And that’s not all: sanctions can also be imposed by courts.
So, what could happen when one violates data protection rules?
The administrative sanctions imposed by the supervisory authority are two-fold: it can (i) take one or more of the measures listed in the GDPR, such as issue a warning or impose a temporary or definitive ban on processing personal data, or (ii) impose a fine, depending on the circumstances of each individual case, or do both.
For the latter, the GDPR stipulates two possible maximum fines, depending on the nature of the violation. The first maximum administrative fine is EUR 10 million or 2% of the defaulting entity’s total worldwide turnover of the preceding financial year, whichever is higher.
The GDPR identifies various grounds on which this fine could be imposed. For example, in case of a failure to notify a data breach or a failure to implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed. An administrative fine can also be imposed if one fails to carry out a DPIA whenever required to do so.
The second maximum fine is EUR 20 million or 4% of the defaulting entity’s global turnover. This maximum would apply to more “serious” violations, such as transferring personal data to a third country without taking appropriate measures to safeguard the data or without observing the data subject’s objection to the processing of his or her personal data.
In any event, when considering a sanction, the supervisory authority must take into account various factors, such as the duration of the violation, its intentional or negligent nature, the categories of data, and the number of data subjects concerned, as well as the attitude of the defaulting entity, including any relevant, previous violation(s). Also, the GDPR states that all measures must be effective, proportionate and dissuasive. This means that a supervisory authority is not entitled to simply impose any sanction it sees fit whenever there is a violation of data protection rules. Rather, it should ensure—and justify—that the specific sanction being imposed meets these objectives.
And if one disagrees with the sanction imposed? Then the party sanctioned may lodge an appeal before the courts of the Member State where the supervisory authority concerned is established.
In addition to these administrative sanctions, data controllers and/or processors can be sued before a court in the Member State where they are established or a court of a Member State where the data subject has his or her habitual residence. These proceedings can be brought by the data subjects themselves and/ or by the relevant supervisory authority, and even, under certain conditions, by any body, organization or association that advocates the protection of personal data. The more specific remedies are those laid down in the national laws.
All of the foregoing reminds us that privacy compliance is becoming an even more significant issue. As we know, the GDPR will only become effective as from 25 May 2018. It is to be expected, however, that supervisory authorities will already start interpreting current data protection legislation in the light of the new provisions of the GDPR.
To read more about this series of articles (and the articles that were published previously), please click here