Sanctions and penalties under the GDPR

In order to maximize compliance with the new provisions, data controllers and data processors may be sanctioned for non-observance of the GDPR. The Regulation provides for several types of sanctions, which are described below.

The GDPR gives data subjects extensive rights, which may be exercised against the controller and processor. For example, Art. 82 GDPR gives any person who has suffered material or non-material damage as a result of the GDPR infringement the right to receive compensation directly from the controller/processor. Recital 85 gives several examples of such material or non-material damages.

The exercise of the right to receive compensation must be brought before the courts competent under the national law of the MS where the controller/processor is established. However, it is also possible to bring such proceedings before the courts of the MS where the data subject has his/her habitual residence (unless the controller/processor is a public authority of a MS acting in the exercise of its public powers).

The GDPR pays special attention to administrative fines, which are described in detail in Art. 83 GDPR. Infringements of the controller's/processor's obligations pursuant to Articles 8, 11, 25 to 39, 42 and 43 GDPR (listed below) are subject to administrative fines of up to 10,000,000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year (whichever amount is higher).

These include infringements of the provisions concerning: children’s consent; anonymization of data; data protection by design and by default; joint controllers; EU representatives; obligations of the processors; processing under the controller’s/processor’s authority (in accordance with the controller’s instructions); records of processing activities; cooperation with the supervisory authority; security of processing; breach notification; breach communication to the data subject; data-protection-impact assessment; prior consultation with the supervisory authority; designation, position and tasks of the Data Protection Officer, as well as certification and certification bodies.

Higher administrative fines (up to 20,000,000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher) apply to infringements of: the basic processing principles, including the conditions for consent; data subjects' rights; data transfers to a third country or an international organization; any obligations pursuant to MS law adopted under Chapter IX ("Provisions relating to specific processing situations"); and non-compliance with an order, with a temporary or definitive limitation of processing, or with a suspension of data flows, or failure to provide access to the supervisory authority.

However, not every breach must be fined. Instead of, or in addition to, a fine, the supervisory authorities have the corrective powers to:

(1) issue a warning that intended processing activities are expected to infringe the GDPR,

(2) withdraw a certification or

(3) suspend data flows to a recipient in a third country or an international organization.

Whereas controllers are liable for damage resulting from unlawful processing, processors are responsible only for acts that are not compatible with the obligations the GDPR explicitly places on processors, or for acting beyond the controller's instructions. The controller and processor can be exempted from liability if they prove that they are not in any way responsible for the event giving rise to the damage.