
Enforcement and Sanctions under the GDPR

By Alexandru Ambrozie, Partner, Popovici Niţu Stoica & Asociaţii, and Luana Dragomirescu, Managing Associate, Popovici Niţu Stoica & Asociaţii

Perhaps one of the most talked-about parts of Regulation 679/2016 (GDPR), the significantly increased administrative fines are a central element of the new enforcement regime introduced by the Regulation.

Although administrative fines will probably become the most powerful tool in the hands of the supervisory authorities for addressing non-compliance, they should be considered alongside several other corrective measures, and also alongside the individual's right to an effective judicial remedy against a controller.

We address below the most important aspects of the right to a judicial remedy and compensation, as well as the corrective measures that may be imposed by the supervisory authority, with highlights on administrative fines and the general criteria for establishing the amount of such fines.

Right to a Judicial Remedy and Right to Compensation

Each data subject has the right to an effective judicial remedy against:

  • the supervisory authority, where the supervisory authority does not handle a complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged, as well as against a legally binding decision concerning the data subject;
  • the controller or the processor, where the data subject considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data.

An express right to compensation is granted to the data subject for any material or non-material damage suffered as a result of an infringement. There is no ceiling on the right to compensation or on the size of the liability, and decisions may be made against the controller, the processor or both.

Controllers should keep in mind that they are jointly liable with their processors and may be held liable for the entire damage, even where the fault lies with the processor. To mitigate this risk, controllers should closely scrutinize the activity of their processors.

Proceedings against the controller and/or the processor may be brought before the courts where the data subject has his or her habitual residence or at the headquarters of the controller or processor.

Corrective Measures

Supervisory authorities will maintain prerogatives for monitoring and enforcing compliance with the applicable data protection rules. These include the power to carry out investigations, to notify infringements, to obtain access to information and to the premises of the controller or processor (including the data processing equipment), and to take witness statements.

The corrective powers of the supervisory authority notably include:

  • issuing warnings to controllers or processors whose intended processing operations are likely to infringe provisions of the GDPR;
  • ordering the controller or processor to bring processing operations into compliance;
  • more drastic measures, such as imposing a temporary or definitive limitation, including a ban on processing; ordering the suspension of data flows to a recipient in a third country or to an international organization; ordering the rectification or erasure of personal data or the restriction of processing; and withdrawing a certification or ordering the certification body to withdraw a certification;
  • last but not least, issuing a reprimand (in the case of minor infringements, or where the fine likely to be imposed would constitute a disproportionate burden) and imposing administrative fines.

Administrative Fines

An administrative fine may be imposed either instead of or in addition to any of the above corrective measures, depending on the circumstances of each individual case, and without prejudice to the rights of data subjects to seek a judicial remedy and compensation.

While the supervisory authority has discretionary powers in determining the level of the fine, the fine should be dissuasive (sending the message that infringements are not acceptable), effective (in stopping the infringement) and proportionate (to the size of the organization, as well as to the size of the effects).

The criteria the supervisory authority is expected to use in assessing both whether a fine should be imposed and the amount of the fine are, among others:

  • the nature, gravity, duration and consequences of the infringement;
  • the negligent or intentional character of the infringement;
  • the actions taken by the controller to prevent or mitigate the damage suffered by the data subjects;
  • the degree of responsibility (such as the measures taken to ensure compliance with the obligations under the GDPR);
  • any relevant previous infringements and compliance with previous measures ordered against the controller or processor;
  • the manner in which the infringement became known to the supervisory authority and the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
  • the categories of personal data affected by the infringement (sensitive categories of data will bring greater fines and corrective measures than standard data);
  • adherence to a code of conduct or approved certification (compliance with international security standards such as ISO 27001 may be considered to demonstrate that an organization is taking steps to implement appropriate measures under the GDPR); and
  • any other aggravating or mitigating factor, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

You may have noticed that there is a particular focus on organizational culture towards data protection, and that being able to demonstrate compliance is almost as important as being compliant.

In light of this, all organizations need to consider the extent to which they are taking appropriate steps, sufficiently far in advance, to meet their obligations under the GDPR. You do not want to find yourself having to explain, after a breach, why you had not yet started on the road to GDPR compliance, as this may be clear evidence of negligence.

As a practical example, one of the highest fines in the EU was imposed in connection with a stolen customer database, where the data was allegedly accessed during an attack on three vulnerable webpages. Poor management, failure to investigate and to ensure that the most basic security measures were in place, as well as failure to prevent smaller-scale attacks on previous occasions (as part of the steps that the organization ought to have taken if it was seeking to be responsible in dealing with personal data) were considered aggravating factors by the supervisory authority.

The GDPR identifies a wide range of breaches, including purely procedural infringements, to which administrative fines apply. There are two tiers of administrative fines.

The lower tier of fines, up to 10 000 000 EUR or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, applies in the case of:

  • failure to obtain parental consent in the case of services offered to a child;
  • failure to comply with the privacy by design and privacy by default principles;
  • in the case of joint controllers, failure to agree on their respective compliance obligations;
  • failure to designate a representative in the EU for controllers or processors established outside the EU;
  • failure to comply with the requirements for appointing and acting as a data processor;
  • failure to maintain adequate records of processing activities;
  • failure to cooperate with the supervisory authority;
  • failure to implement appropriate organizational and technical security measures;
  • failure to notify data breaches;
  • failure to carry out a data privacy impact assessment (or carrying out such an assessment improperly), or failure to consult the supervisory authority where a processing would result in a high risk;
  • failure to appoint a data privacy officer;
  • infringement of the provisions of a code of conduct or failure to comply with certification requirements (where appropriate).

The second, higher tier of fines, up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, will be imposed for breaches of any of the principles going straight to the heart of the GDPR:

  • infringement of the basic principles for data processing: processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and, where necessary, kept up to date; retained only for as long as necessary; and processed in a manner that maintains security (including the rules on sensitive data and the conditions for consent);
  • failure to comply with the data subjects' rights;
  • failure to comply with the requirements for the transfer of data outside the EEA;
  • failure to comply with any national obligation;
  • failure to comply with an order issued by the supervisory authority;
  • failure to provide access to a supervisory authority.

Infringement of several different provisions of the GDPR may lead, among other consequences, to an administrative fine that may not exceed the amount specified for the most serious of the infringements.

Moreover, a single breach of the GDPR can lead to multiple consequences for controllers and processors, so the best answer is to make sure that you are not negligent, that you have taken steps to mitigate the damage suffered by data subjects, that you have put in place appropriate technical and organizational measures, and that you deal effectively with the GDPR.