Oops! Caught red-handed? What are the sanctions for violating data protection rules?

This is not a trivial question because the supervisory authority designated in each Member State will now be entitled to impose more stringent administrative sanctions under the new General Data Protection Regulation ('GDPR') than what is currently possible. And that’s not all: sanctions can otherwise be imposed by courts also. 

So, what could happen when one violates data protection rules?

The administrative sanctions imposed by the supervisory authority are two-fold: it can (i) take one or more of the measures listed in the GDPR, such as issue a warning or impose a temporary or definitive ban on processing personal data, or (ii) impose a monetary sanction, depending on the circumstances of each individual case, or do both.

For the latter sanction, the GDPR stipulates two possible maximum fines, depending on the nature of the violation concerned. The first maximum administrative fine is EUR 10,000,000.00 or 2% of the defaulting entity’s total worldwide turnover of the preceding financial year, whichever is higher.

The GDRP identifies various grounds on which such sanctions could be imposed. It could be, for example, a failure to notify a personal data breach whenever it is required or a failure to implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. An administrative fine can also be imposed if one fails to carry out a data protection impact assessment whenever required to do so. Such impact assessment could be required for, e.g, certain high-risk data processing operations such as the creation of personal profiles by social networks or the use of video footages recorded from CCTV surveillance.

The second maximum fine is EUR 20,000,000.00 or 4% of the defaulting entity’s global turnover. This maximum would apply to more “serious” cases of violation, such as transferring personal data to a third country without taking appropriate measures to safeguard the data or without observing the data subject’s objection to the processing of his/her personal data.

In any event, when considering a sanction, the supervisory authority must take into account various factors, such as the duration of the violation and its intentional or negligent nature, the categories of data and the number of data subjects concerned, as well as the attitude of the defaulting entity, including any relevant, previous violation(s). Also, the GDPR states that all measures must be effective, proportionate and dissuasive. This makes it a rather delicate issue, as this means that a supervisory authority is not entitled to simply impose any sanction they see fit whenever there is a violation of data protection rules. Rather, it should ensure – and justify – that the specific sanction being imposed meets these objectives.

And if one disagrees with the sanction imposed? Then the party sanctioned may lodge an appeal before the courts of the Member State where the supervisory authority concerned is established.

Alongside administrative sanctions imposed by the supervisory authority, data controllers and/or processors can be sued before a court in the Member State where they are established or a court of a Member State where the data subject has his/her habitual residence. These proceedings can be brought by the data subjects themselves and/or the applicable supervisory authority, and even, under certain conditions, by any body, organization or association that advocates the protection of personal data. The judicial remedies are laid down in the national laws.

All of the foregoing reminds us that privacy compliance has become an even more significant issue. Businesses have been granted a two-year transition period before the GDPR comes into effect. It is to be expected, however, that supervisory authorities will already start interpreting current data protection legislation in the light of the new provisions of the GDPR.

This article was co-written by alumnus Max Rozendaal.

Zie ook : Stibbe ( Mr. Erik Valgaeren ,  Mr. Nicolas Roland )

[+ http://www.stibbe.com]

Mr. Erik Valgaeren Mr. Erik Valgaeren
[email protected]
Mr. Nicolas Roland Mr. Nicolas Roland
[email protected]

Laatste artikels van Mr. Erik Valgaeren

After the Uber case and the Airbnb case … the Star Taxi App case: focus on the question of the ...

Societal and digital developments are reflected in the case law of the CJEU. For several years now, European judges resolv...

Read more

GDPR: Cross-border transfers - don’t be on the wrong track!

The virtual world has no borders, and we often do not realize the massive data flows generated within companies operating ...

Read more

Watch out for your drone: new Belgian Royal Decree is out!

The Royal Decree on the use of drones in the Belgian airspace has come into force on 25 April 2016. The Royal Decree autho...

Read more

Article 29 WP sceptical on the EU/US Privacy Shield

On 6 October 2015, the CJEU invalidated the U.S. Safe Harbor. The EU Commission then published a draft adequacy decisio...

Read more

Laatste artikels van Mr. Nicolas Roland

Court of Cassation: right to privacy encompasses (online) ‘right to be forgotten’

On 29 April 2016, the Court of Cassation dismissed an appeal lodged by the Belgian newspaper Le Soir against the ruling of...

Read more

New data retention obligations for providers of publicly available electronic communications serv...

On 18 July 2016, the Belgian Official Gazette published the Act of 29 May 2016 on the collection and storage of data in th...

Read more

GDPR: Cross-border transfers - don’t be on the wrong track!

The virtual world has no borders, and we often do not realize the massive data flows generated within companies operating ...

Read more

Embedding privacy is not an empty word

One of the obligations imposed on personal data processing entities by the general data protection regulation (“GDPR...

Read more

LexGO Network