Oops! Caught red-handed? What are the sanctions for violating data protection rules?

This is not a trivial question because the supervisory authority designated in each Member State will now be entitled to impose more stringent administrative sanctions under the new General Data Protection Regulation ('GDPR') than what is currently possible. And that’s not all: sanctions can otherwise be imposed by courts also. 

So, what could happen when one violates data protection rules?

The administrative sanctions imposed by the supervisory authority are two-fold: it can (i) take one or more of the measures listed in the GDPR, such as issue a warning or impose a temporary or definitive ban on processing personal data, or (ii) impose a monetary sanction, depending on the circumstances of each individual case, or do both.

For the latter sanction, the GDPR stipulates two possible maximum fines, depending on the nature of the violation concerned. The first maximum administrative fine is EUR 10,000,000.00 or 2% of the defaulting entity’s total worldwide turnover of the preceding financial year, whichever is higher.

The GDRP identifies various grounds on which such sanctions could be imposed. It could be, for example, a failure to notify a personal data breach whenever it is required or a failure to implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. An administrative fine can also be imposed if one fails to carry out a data protection impact assessment whenever required to do so. Such impact assessment could be required for, e.g, certain high-risk data processing operations such as the creation of personal profiles by social networks or the use of video footages recorded from CCTV surveillance.

The second maximum fine is EUR 20,000,000.00 or 4% of the defaulting entity’s global turnover. This maximum would apply to more “serious” cases of violation, such as transferring personal data to a third country without taking appropriate measures to safeguard the data or without observing the data subject’s objection to the processing of his/her personal data.

In any event, when considering a sanction, the supervisory authority must take into account various factors, such as the duration of the violation and its intentional or negligent nature, the categories of data and the number of data subjects concerned, as well as the attitude of the defaulting entity, including any relevant, previous violation(s). Also, the GDPR states that all measures must be effective, proportionate and dissuasive. This makes it a rather delicate issue, as this means that a supervisory authority is not entitled to simply impose any sanction they see fit whenever there is a violation of data protection rules. Rather, it should ensure – and justify – that the specific sanction being imposed meets these objectives.

And if one disagrees with the sanction imposed? Then the party sanctioned may lodge an appeal before the courts of the Member State where the supervisory authority concerned is established.

Alongside administrative sanctions imposed by the supervisory authority, data controllers and/or processors can be sued before a court in the Member State where they are established or a court of a Member State where the data subject has his/her habitual residence. These proceedings can be brought by the data subjects themselves and/or the applicable supervisory authority, and even, under certain conditions, by any body, organization or association that advocates the protection of personal data. The judicial remedies are laid down in the national laws.

All of the foregoing reminds us that privacy compliance has become an even more significant issue. Businesses have been granted a two-year transition period before the GDPR comes into effect. It is to be expected, however, that supervisory authorities will already start interpreting current data protection legislation in the light of the new provisions of the GDPR.

This article was co-written by alumnus Max Rozendaal.