Short Reads

GDPR: Oops! Caught red-handed? What are the sanctions for violating data protection rules?

Oops! Caught red-handed? What are the sanctions for violating data pr

GDPR: Oops! Caught red-handed? What are the sanctions for violating data protection rules?

18.08.2016

The supervisory authority of each Member State under the GDPR will now be entitled to impose more stringent administrative sanctions. And that’s not all: sanctions can also be imposed by courts.

So, what could happen when one violates data protection rules?

The administrative sanctions imposed by the supervisory authority are two-fold: it can (i) take one or more of the measures listed in the GDPR, such as issue a warning or impose a temporary or definitive ban on processing personal data, or (ii) impose a fine, depending on the circumstances of each individual case, or do both.

For the latter, the GDPR stipulates two possible maximum fines, depending on the nature of the violation. The first maximum administrative fine is EUR 10 million or 2% of the defaulting entity’s total worldwide turnover of the preceding financial year, whichever is higher.

The GDPR identifies various grounds on which this fine could be imposed. For example, in case of a failure to notify a data breach or a failure to implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed. An administrative fine can also be imposed if one fails to carry out a DPIA whenever required to do so.

The second maximum fine is EUR 20 million or 4% of the defaulting entity’s global turnover. This maximum would apply  to more “serious” violations, such as transferring personal data to a third country without taking appropriate measures to safeguard the data or without observing the data subject’s objection to the processing of his or her personal data.

In any event, when considering a sanction,  the supervisory authority must take into account various factors, such as the duration of the violation, its intentional or negligent nature, the categories of data, and the number of data subjects concerned, as well as the attitude of the defaulting entity, including any relevant, previous violation(s). Also, the GDPR states that all measures must be effective, proportionate and dissuasive. This means that a supervisory authority is not entitled to simply impose any sanction it sees fit whenever there is a violation of data protection rules. Rather, it should ensure—and justify—that the specific sanction being imposed meets these objectives.

And if one disagrees with the sanction imposed? Then the party sanctioned may lodge an appeal before the courts of the Member State where the supervisory authority concerned is established.

In addition to these administrative sanctions, data controllers and/or processors can be sued before a court in the Member State where they are established or a court of a Member State where the data subject has his or her habitual residence. These proceedings can be brought by the data subjects themselves and/ or by the relevant supervisory authority, and even, under certain conditions, by any body, organization or association that advocates the protection of personal data. The more specific remedies are those laid down in the national laws.

All of the foregoing reminds us that privacy compliance is becoming an even more significant issue. As we know, the GDPR will only become effective as from 25 May 2018. It is to be expected, however, that supervisory authorities will already start interpreting current data protection legislation in the light of the new provisions of the GDPR.

To read more about this series of articles (and the articles that were published previously), please click here

Team

Related news

25.10.2018 BE law
Ignace Vernimme and Michiel Van Roey speak on IP rightsduring Agoria's Research & Standardization Event

Speaking slot - On Thursday 25 October, Agoria's Regulatory and Standardization Expertise Center organizes its 5th information day about regulations and standards for topics including international trade, privacy and contract law, transport, Internet of Things and blockchain, eHealth, ... at regional, national and European level.

Read more

10.10.2018 NL law
Ongevraagd advies Raad van State: normering van geautomatiseerde overheidsbesluitvorming

Short Reads - Op 31 augustus 2018 heeft de Afdeling advisering van de Raad van State (hierna: "Afdeling advisering") een 'Ongevraagd advies over de effecten van de digitalisering voor de rechtsstatelijke verhoudingen' betreffende de positie en de bescherming van de burger tegen een "iOverheid" uitgebracht. Het gebeurt niet vaak dat de Afdeling advisering zo een ongevraagd advies uitbrengt. Dit onderstreept het belang van de voortdurend in ontwikkeling zijnde technologie en digitalisering in relatie tot de verhouding tussen de overheid en de maatschappij.

Read more

23.08.2018
ECJ: Facebook fan page administrator is a joint data controller

Short Reads - On 5 June 2018, the European Court of Justice ("ECJ") decided on several preliminary questions that were raised in an administrative proceeding between the German Data Protection Authority ("GDPA") and Wirtschaftsakademie Schleswig-Holstein GmbH ("Wirtschaftsakademie"), a German educational services provider that offers its services through a Facebook fan page. In its decision, the ECJ held, among other things, that Wirtschaftsakademie qualifies as a data controller ex Article 2 under d Directive 95/46/EC[1] ("Privacy Directive").

Read more

12.10.2018 NL law
Tim Berners-Lee's Solid proposal: the future of data traffic?

Short Reads - The General Data Protection Regulation (GDPR) aims to strengthen the rights of individuals in respect of their personal data. Although this aim has been achieved to a certain extent, the fundamental framework of the way personal data is processed remains unchanged. Companies are still able to use large amounts of user data, in many cases without even obtaining their consent. Tim Berners-Lee, the inventor of the World Wide Web, has announced his plans for a decentralised web, in which users remain in control of their personal data.

Read more

07.08.2018 NL law
General Data Protection Regulation comes into effect

Short Reads - On 25 May 2018, the European Union's General Data Protection Regulation (GDPR) came into effect. The GDPR replaces the EU's prior directive governing the processing and transfer of personal data, which was in place since 1995. As a regulation, the GDPR is directly applicable in all 28 EU member states and thus removes the need for national implementing legislation. However, the GDPR allows member states discretion in certain areas, as a result of which national legislation may still be implemented. In the Netherlands, the GDPR Implementation Act came into effect on 25 May 2018.

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy – en cookieverklaring