GDPR Fines / Penalties

National authorities can or must assess fines for specific data protection violations in accordance with the General Data Protection Regulation. The fines are applied in addition to or instead of further remedies or corrective powers, such as the order to end a violation, an instruction to adjust the data processing to comply with the GDPR, as well as the power to impose a temporary or definitive limitation including a ban on data processing. Under the provisions which relate to processors, a processor may be subject to sanctions directly and/or in conjunction with the controller.

The fines must be effective, proportionate and dissuasive for each individual case. For the decision of whether and what level of penalty can be assessed, the authorities have a statutory catalogue of criteria which they must consider. Among other things, intentional infringement, a failure to take measures to mitigate the damage which occurred, or lack of collaboration with authorities can increase the penalties. For especially severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4% of its total global turnover of the preceding fiscal year, whichever is higher. But even the catalogue of less severe violations in Art. 83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.

Especially important here is that the term “undertaking” is equivalent to that used in Art. 101 and 102 of the Treaty on the Functioning of the European Union (TFEU). According to case law of the European Court of Justice, “the concept of an undertaking encompasses every entity engaged in an economic activity, regardless of the legal status of the entity or the way in which it is financed”. An undertaking can therefore consist not only of one individual company in the sense of a legal person, but also of several natural persons or corporate entities. Thus, a whole group can be treated as one undertaking and its total worldwide annual turnover can be used to calculate the fine for a GDPR infringement of one of its companies.

In addition, each Member State shall lay down rules on other penalties for infringements of the Regulation which are not already covered by Art. 83. Those are most likely criminal penalties for certain violations of the GDPR or penalties for infringements of national rules which were adopted based on flexibility clauses of the GDPR. The national penalties must also be effective, proportionate and act as a deterrent.

A punishable situation in a company can be revealed through proactive inspection activities conducted by the data protection authorities, by an unsatisfied employee, by customers or potential customers who complain to the authorities, by the company reporting itself (self-denunciation), or by the press in general, especially through investigative journalism.

The Enforcement Tracker gives an overview of reported fines and penalties which data protection authorities within the EU have imposed so far.

Suitable GDPR articles

Art. 58 GDPR – Powers

Art. 70 GDPR – Tasks of the Board

Art. 83 GDPR – General conditions for imposing administrative fines

Art. 84 GDPR – Penalties

Suitable Recitals

(148) Penalties

(149) Penalties for Infringements of National Rules

(150) Administrative Fines

(151) Administrative Fines in Denmark and Estonia

(152) Power of Sanction of the Member States

External Links

 

Authorities

Article 29 Data Protection Working Party ► WP 253 – Guidelines on the application and setting of administrative fines

European Commission ► Enforcement and sanctions

Data Protection Authority Isle of Man ► Fines, penalties and sanctions

EU publications ► Handbook on European data protection law – Sanctions, page 247

 

Expert contribution

Journal of Intellectual Property, Information Technology and Electronic Commerce Law ► Is Data Protection Law Growing Teeth?

IAPP ► Top 10 operational impacts of the GDPR: Part 10 – Consequences for GDPR Violations

Privacy Europe Blog ► European Data Protection Regulation Information Sheet – Enforcement, Risks and Sanctions, Page 7

A&L Goodbody ► The GDPR: A Guide for Businesses – Investigative, Corrective & Advisory Powers of Supervisory Authorities / Administrative fines, Page 31, 33

 

For more information, see here:  https://gdpr-info.eu/issues/fines-penalties/

 

These materials were obtained directly from the International Government public websites and other public websites and are posted here for your review and reference only. No Claim to Original International Government Works or public websites. These may not be the most recent versions. The International Governments and public websites may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.
