The New European General Data Protection Regulation: Remedies, liability, fines and penalties

Author: Sascha Villoro 

As the date on which the GDPR will be fully applicable comes closer (25th of May), we thought it would be interesting to talk about the consequences of non-compliance. As you may have guessed from the title, data controllers and processors can expect to pay fines and compensation, and to be subject to remedial action, if they do not comply with the GDPR.

We will start with the administrative fines, since they pose the most serious threat to any company that runs into trouble:

  • Minor infringements (such as violations of key principles of the GDPR) will be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
  • Major infringements (e.g. procedural infractions) will be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

But in cases in which a data controller or processor is established in more than one country, or centralizes the processing of data belonging to data subjects from different countries (which is more common than ever nowadays), which authority will be in charge? The supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor. By way of derogation from this first rule, each supervisory authority shall be competent to handle a complaint lodged with it, or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its own Member State.

Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the corrective measures referred to in Article 58(2) of the GDPR. These measures include, among others: warnings, reprimands, audits, temporary or definitive limitations including bans on processing, withdrawal of certifications, etc.

For infractions deemed not severe enough to warrant such steep fines, the GDPR instructs Member States to lay down the rules for imposing other penalties. These are still unknown for the most part, but each Member State shall notify the Commission of the provisions of its law regarding these penalties by 25 May 2018.

How may the respective supervisory authority find out about an infraction? There are two ways: either through an investigation in the form of a data protection audit or because a data subject has lodged a complaint against a company with said authority.

But data subjects are not limited to lodging complaints: they also have the right to an effective judicial remedy where they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation by a data controller or processor.

Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.

Now you might think that either an administrative or a judicial proceeding could be somewhat cumbersome for a natural person. So that no data subject is deterred from exercising their rights, the Regulation provides that the data subject shall have the right to mandate a not-for-profit body, organization or association to lodge the complaint on his or her behalf, to exercise the right to a judicial remedy on his or her behalf, and to exercise the right to receive compensation on his or her behalf (where provided for by Member State law).

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union provide that everyone has the right to the protection of personal data concerning him or her. Because it is such a right, any damage to it caused by a controller or processor gives rise to liability: any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive monetary compensation from the controller or processor for the damage suffered.

With this wide array of fines, penalties, compensation, etc., it is quite apparent that the EU is cracking down on any organization that is not fully compliant with the new rules. While some supervisory authorities might be more fine-happy than others, the high revenue that Member States may receive from the steep fines is likely to result in heightened sanctioning practices in almost all Member States.