Blog » WORSE THAN PENALTY? THE DATA PROTECTION AUTHORITY’S SANCTION TOOLKIT
WORSE THAN PENALTY? THE DATA PROTECTION AUTHORITY’S SANCTION TOOLKIT
29 January 2018
When it comes to the sanctions under the EU General Data Protection Regulation, everybody speaks about the astronomic penalties up to 10-20 Million Euros, however, it is only one of the 10 corrective measures of the data protection authority. And in some case complying with non-financial corrective measures can be much more painful than simply paying penalty. So, we present the 9 non-financial corrective measures in this article.
The Article 29 Working Party recently published guidelines on setting administrative fines under the GDPR, in which it summarized the circumstances to be taken into account before applying penalties and other sanctions, so that the GDPR have equivalent application throughout the EU, and in order to impose effective, dissuasive and proportional sanctions.
The Working Parties’ opinion stresses that the national data protection authority has wide range of means, and in addition to penalties it can impose 9 other types of corrective measures, that we present in 3 groups, considering their severity.
The warning, as the lightest measure means that the data protection authority draws attention to the breach of GDPR, and informs the data controller about the potential consequences.
A reprimand is still that kind of measure that does not have any direct disadvantage, and by which the data protection authority “only” establishes the fact of data breach, without any immeadiate legal consequences.
Although the warnings and reprimands do not have any direct adverse effect, in case of a future breach, they will be considered as aggravating circumstance.
Compliance orders represent the next level of corrective measures, by which the data protection authority orders the data controller to perform a given action.
It can be that the data controller must comply with the request of a data subject, or it has to inform the data subjects about a personal data breach.
The data protection authority can also oblige the data controller to make its operation compliant with the GDPR, for example by adopting internal rules, or by rectifying, deleting personal data, etc.
You must see that complying with these corrective measures can be at least as costly as paying penalties, let alone the time needed to ensure compliance.
Limitation, ban, withdrawal
In more serious cases the data protection authority can limit, or in certain cases, ban the data processing which can have very severe financial disadvantage on the data controller’s operation.
It is a special case, when the data protection authority suspends the data transfer outside the EU, which can be very delicate for companies whose subsidiary, parent company or business partner is located in non-EU countries.
Last but not least, the data protection authority can withdraw the certification of the company, which proves that its operations are GDPR compliant.
I think the negative effects of these measures to the daily operation of the firm or to the company’s goodwill does not need further explanation.
When it comes to sanctions under GDPR, in certain cases non-financial measures, like compliance orders, data transfer suspension, or certificate withdrawal can be much more painful and critical to the life of the company, than pure monetary penalties.
The Working party highlights, that the 9 above measures must be considered as alternatives of the administrative penalty, at the same time data protection authorities should not be shy to impose fines, if this is the most effective. Of course, the best, if our company respects the provisions of the GDPR and the data protection authority does not have to choose among the 10 corrective measures!
ONLINE SALE OF MEDICINAL PRODUCTS WITHOUT BORDERS? LUXEMBURG RULED
Cross-border online sale of medicinal products is a recurring issue before the Court of Justice of the European Union. This is no coincidence, as trade in medicines is a strictly regulated area in all Member States, which can easily conflict with the EU principle of freedom to provide services, and in the end, the "price" of excessive national restrictions is borne by the consumers. In our article, we summarize the recent ruling of the Court of Justice of the European Union on the limitation of the principle.Read more »
HOW REPORTING OF EMPLOYEE-TRAININGS HAS CHANGED FROM SEPTEMBER 2020 IN HUNGARY?
From September 2020 the rules, which regulate the status of the adult educators and the organisation of adult educations have changed. There are significantly more educations, which are considered as adult education and performing an adult education entails a lot more obligation. The changes affect almost every employer who organises certain kind of educations for its employees. We summarize the most important changes concerning the adult education.Read more »
LUXEMBOURG RULED: MESSI DRIBBLED PAST EVEN THE EUROPEAN TRADEMARK OFFICE
Messi hit the legal news again, this time not because of his tax issues. In September, the match between the EUIPO and the world-famous football player, which was ongoing since 2011, finally ended. Messi won the match, as the European Court of Justice ruled that because of his significant reputation, his name can be registered as a trademark despite the fact that it is similar to several earlier trademarks, which is otherwise a ground for exclusion. In our short article, we summarise the details of the case and the legal significance of the decision.Read more »