GDPR - Sanctions for non-compliance

In this final GDPR Update, we will inform you on the possible consequences and sanctions for non-compliance with the GDPR.

Administrative fines

One of the most discussed topics relating to the entering into force of the GDPR, are the administrative fines that may be imposed by a supervisory authority in the event of non-compliance with the GDPR. And not without reason. The administrative fines that may possibly be imposed are substantial (to say the least).

Administrative fines may, depending on the infringed provision of the GDPR, amount to a maximum of EUR 20 million, or, if this is a higher amount, 4% of the total worldwide annual turnover of an organisation. Such fines may be imposed on both the controller and the processor.

For example, a violation of requirements governing privacy by design and default is subject to a maximum fine of EUR 10 million or 2% of the total worldwide annual turnover. Violating the basic principles for processing, including the conditions for obtaining valid consent as well as non-compliance with a supervisory authority’s order may result in the highest fine of EUR 20 million or 4% of the total worldwide annual turnover.

Fortunately, not all infringements of the GDPR will lead to those serious fines. Besides the power to impose administrative fines as described above, a supervisory authority also has the (corrective) power to (amongst others) issue warnings, reprimands and orders. When imposing an administrative fine, in addition to or instead of its other corrective powers, a supervisory authority is obliged to take into account the specifics of the case at hand. What exact fine will be imposed depends on (among others) the nature, gravity and duration as well as the intentional or negligent character of the infringement. In short, the supervisory authority must ensure that the imposition of administrative fines is in each specific case effective, proportionate and dissuasive. The supervisory authorities are allowed to decide on their enforcement policy within the boundaries of the GDPR.

This short overview illustrates the importance of ensuring compliance with the GDPR in order to avoid heavy fines being imposed on your organisation.

A data subject’s right to lodge a complaint and to an effective judicial remedy

Further, the GDPR provides data subjects with the explicit right to lodge a complaint with a supervisory authority, if they consider that any processing of their personal data infringes the requirements of the GDPR. Controllers are even obliged to explicitly inform the data subjects of this right.

Further to a complaint, a supervisory authority may decide to further investigate this company’s processing activities (the scope of such an investigation may be broader than the complaint lodged). In the event that a supervisory authority does not inform a data subject on the progress or outcome of a complaint lodged within 3 months, a data subject shall have the right to an effective judicial remedy.

In connection herewith, each data subject shall have the right to an effective judicial remedy against a controller or processor where he or she considers that his or her rights under the GDPR have been infringed.

In this respect, it should be pointed out that if a court of a Member State is addressed by a data subject regarding the non-compliant processing activities of a controller or processor and such court has information that proceedings concerning processing activities of the same controller or processor are already pending before a court in another Member State, the court that was addressed second may suspend its proceeding. Such court may also, if the proceedings are pending at the first instance, on request of one of the parties (for example, the controller) decline jurisdiction, but only to the extent that the first court seized has jurisdiction over both actions and its law permits consolidation of the proceedings.

Liability for damages

The GDPR also gives data subjects the right to compensation of any material and/or non-material damages resulting from an infringement of the GDPR.

Both controllers and processor are liable for any damages resulting from an infringement of the GDPR. However, processors shall only be liable for damages that are caused as a result of the processor’s actions that were contrary to the controllers’ instructions or a breach of the GDPR requirements particularly addressing processors, such as the data security obligations. A controller or processor will be exempted from liability if he can prove not to be in any way responsible for the event causing the damage.

The GDPR explicitly indicates that data subjects have the right to have their rights to lodge a complaint or to claim damages exercised by a non-for-profit body, organisation or association on their behalf. This opens the door for “mass-claims” in case of large-scale infringements.

Prepare your organisations for GDPR

The possible remedies, liabilities and penalties that may result from non-compliance with the GDPR underline the importance of preparing your organisation for the arrival of GDPR. For some practical guidelines on how to become compliant, please read our previous GDPR Updates. You have still 350 days to go!