Tuesday, 3 January 2017

Sanctions and enforcement under the GDPR

by Stephanie Pritchett

This practice note was published on Lexis®PSL IP & IT in January 2017.

The main approach to sanctions and enforcement that has been taken under the European Union General Data Protection Regulation (“GDPR”) is to introduce higher penalties for non-compliance, in the hopes of producing higher levels of compliance because of the increased penalty provisions and in particular the increased levels of fines for non-compliance – up to the greater of 4% of total global annual turnover or 20 million euro.

National Member State Data Protection Supervisory Authorities (“SAs”), such as the Information Commissioner’s Office in the United Kingdom (“UK”), now have the support of a much more robust law and a bigger stick to use to force organisations to act in a compliant manner. Although there are certainly stronger sanctions than existed under the previous European Union Data Protection Directive (“EU Directive”), only time will tell exactly how the newly carved stick will be used in practice by SAs to enforce the GDPR. There are still a lot of uncertainties about the way that this legislation will be implemented by Member States, SAs and the various EU data protection bodies.

This Practice Note sets out some detailed information about the different types of sanctions and enforcement that will exist under the GDPR.



MONITORING AND ENFORCEMENT OF THE APPLICATION OF THE GDPR – ROLES AND POWERS


Establishment of a Supervisory Authority
  • Under Article 51 of the GDPR, each EU Member State must have or set up at least one independent public authority to be responsible for monitoring and enforcing the provisions of the GDPR and to protect the rights and freedoms of individuals. These authorities are known under the GDPR as “Supervisory Authorities”.
  • If a Member State appoints more than one SA, it must designate which authority will represent it on the European Data Protection Board (“EDPB”) and set out a mechanism to ensure compliance by the other authorities with the rules relating to the GDPR “Consistency Mechanism” (as described further below in this Practice Note).
  • SAs are required to co-operate with each other and with the European Commission.
  • Under Article 28 of the previous EU Directive, each Member State was required to have a similar data protection authority in place. It is not therefore expected that the role of most existing authorities (for example, the Information Commissioner’s Office (“ICO”) in the UK) will change. Organisations should be able to continue interacting with their existing bodies in a similar way.
  • Under the GDPR, SAs and their members must:

    • Be set up by appropriate legislation and transparent procedures in the Member State and have appropriately skilled and experienced staff, acting subject to a duty of professional secrecy, in order to exercise the SA’s powers in a fair, uniform and impartial manner.
    • Act independently in carrying out their functions.
    • Not be influenced by or take instructions from anyone when performing their duties.
    • Not be involved in any way in any incompatible behaviour or occupation during their term in office.
    • Be given adequate human, technical and financial resources, premises and infrastructure that are necessary to carry out their duties and powers.
    • Be subject to financial control and budgets that do not affect their independence.

Recitals 117, 118 & 121

Articles 51–54

Lead Supervisory Authority
  • Each SA can only exercise its powers on the territory of its own Member State but, under the Lead SA approach (see below), the SA’s regulatory action could affect processing occurring in other EU Member States.
  • Under the GDPR, if a Data Controller or Data Processor organisation has establishments in a number of different Member States, the SA for its “main establishment” (which in simple terms is an organisation’s headquarters for EU operations or the location where it makes its main decisions regarding data-processing activities in the EU) will act as its “Lead SA”. This Lead SA:
    • Will have the power to regulate that organisation throughout all of the Member States where the organisation carries out cross-border data-processing activities.
    • Is intended to provide a single decision-making process in situations where a number of different Member State SAs would otherwise be required to regulate the same activities by the same organisation in a number of different Member States. It is hoped that this will mean greater harmonisation of the data protection legislation across Europe.
  • Many practitioners are calling this Lead SA approach the “one-stop shop”, equating it to similar approaches taken in other areas of regulatory enforcement (for example, trading standards).
  • Under Article 28 of the previous EU Directive, each Member State’s enforcement powers were mostly restricted to that Member State’s territory. This meant that organisations were often subject to inconsistent decisions being taken in different Member States. The changes under the GDPR will, however, create new challenges for multinationals operating across Europe and interacting with a number of SAs. It is, for example, unclear and uncertain whether this Lead SA approach will work well in practice or whether national SAs will still try to regulate organisations that should otherwise be subject to another SA’s jurisdiction.
Recitals 124–128; Articles 51, 55 & 56

Duties of the Supervisory Authority

The main duties of SAs as set out under the GDPR are as follows:
  • To monitor and enforce application of the GDPR.
  • To promote general awareness of the risks, rules, safeguards and rights relating to data processing (especially in relation to children).
  • To advise national and governmental institutions as well as other institutions and bodies on the application of the GDPR.
  • To promote awareness of GDPR obligations to Data Controllers and Data Processors.
  • To advise Data Subjects on their rights under the GDPR (including liaising with other SAs in relation to these rights) and to handle complaints raised by Data Subjects and/or their representatives.
  • To co-operate with other SAs and the EDPB to ensure consistent application of the GDPR.
  • To carry out regulatory investigations in relation to application of the GDPR.
  • To monitor technical and commercial developments that may impact on data protection.
  • To authorise the use of the EC Standard Model Clauses and Binding Corporate Rules for International Data Transfer.
  • To comply with the requirements under the GDPR for Data Protection Impact Assessments (including liaising with organisations in relation to these).
  • To encourage the creation of Codes of Conduct and review data protection certifications.
  • To maintain records of sanctions and enforcement actions carried out.
  • To fulfil “any other tasks related to the protection of personal data”.
The tasks performed by each SA remain largely free of charge to Data Subjects and to Data Protection Officers (if any). Article 57(4) does, however, provide that where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the SA may charge a reasonable fee based on administrative costs, or indeed refuse to act on the request. The SA must be able to show that the request is manifestly unfounded or excessive.

In short, the duties of SAs are set out in a lot more detail under the GDPR than they were under the EU Directive. It seems, however, that this will make little practical difference to the way that SAs operate under the GDPR.

Recitals 122–123

Articles 55, 57

Powers of the Supervisory Authority

The main powers of SAs to sanction organisations who are not complying with the GDPR are as follows:
  • Investigative Powers.
  • Corrective Powers.
Using these powers, which are set out in more detail below, SAs are authorised to enforce the GDPR, to investigate GDPR breaches and to bring legal action against those breaching the GDPR where it is necessary to do that.

The powers available to the SAs are not hugely different to those that they already have under the EU Directive. It therefore seems likely that enforcement may continue to be approached in different ways by different Member State SAs.

It is, however, important to note that many of these powers can be applied to both Data Controllers and to Data Processors. This is a big change under the GDPR for Data Processors that were able to hide behind Data Controllers under the previous EU Directive.



Recital 129

Article 58
Activity Reports

As was previously required under the EU Directive, SAs must produce annual reports explaining their regulatory activities and, in order to maintain fairness and ensure transparency, make those reports public.



Article 59
Co-operation, Consistency, Assistance and Joint Operations
  • The European Union Article 29 Working Party (“WP29”) was formed from representatives from the national data protection authorities in each EU Member State and was established to try to provide consistent advice on the interpretation and application of the EU Directive. Although the WP29 guidance is not legally binding, national data protection authorities have usually followed the guidance when taking their own enforcement action and creating their own national guidance. Under the GDPR, the WP29 is to be replaced by the EDPB.
    The EDPB will be constituted similarly to the WP29 except that (as already discussed above in this Practice Note) in Member States where more than one SA has been appointed (for example, in Germany), that Member State will have to appoint only one SA as an EDPB representative. The EDPB is also intended to have a similar function to the WP29 except that its aim is to have more power than the WP29 because it is intended to play an active part in enforcing the GDPR. It remains to be seen how this will be carried out in practice.
  • As already discussed above, SAs are required under the GDPR to co-operate and assist one another where that is necessary. They also have authority under the GDPR to carry out joint operations where appropriate. Where it is believed that a particular matter may have an impact in more than one Member State, the issue may be referred to the EDPB and they may also have to co-operate with the European Commission.

    The co-operation, assistance and appropriate joint operations are intended to help maintain consistency in the way that the GDPR is operated and enforced by SAs across Europe. It is hoped that, in practical terms, it will also mean that regulatory investigations applying to organisations operating across borders should be easier both for SAs and for the organisations to manage. However, prior to the GDPR, most data protection authorities already worked together in practice, so this may not lead to a lot of practical change from practices under the EU Directive.
  • Many organisations carry out cross-border data processing in a number of different Member States. Under the GDPR, if a particular SA wants to take enforcement action against a particular organisation, that SA is required to consult with other affected SAs in order to maintain a consistent approach to the application and enforcement of the GDPR. This has become known as the “Consistency Mechanism”. When interpreting and making decisions about the EU Directive, national data protection authorities have historically taken different approaches to the same issues, which has made it very hard for organisations working across borders. It is hoped that the new, more formal procedures required under the GDPR will help to harmonise the enforcement approaches of SAs across the EU.

Articles 51(3), 68–76

Recitals 132–134

Articles 61–63, 64(2)

Recitals 135–138

Articles 4, 56, 63–67



European Data Protection Board: Establishment, Function & Reports
  • The EDPB is established as a body of the EU with its own legal personality. It must comply with the procedures set out under Articles 72–75.
  • It is represented by its Chair and consists of the head of one SA of each Member State and of the European Data Protection Supervisor, or their respective representatives.
  • As discussed above in this Practice Note, where a Member State has more than one SA, it must appoint one representative to the EDPB.
  • The European Commission has the right to send a representative to participate in the activities and meetings of the EDPB, but without voting rights.
  • The Chair of the EDPB must communicate EDPB activities to the European Commission.
  • The European Data Protection Supervisor shall have voting rights only on decisions that concern principles and rules applicable to the EU institutions, bodies, offices and agencies that correspond in substance to those of this Regulation.
  • The EDPB must act independently when performing its tasks and duties as set out in detail in Article 70.
  • The EDPB must issue Annual Reports in accordance with Article 71.
  • Under Article 76, discussions held by the EDPB may be kept confidential where the EDPB deems it necessary, acting in accordance with its own rules.



Articles 65 and 68–76

European Data Protection Board: Disputes
  • Under the GDPR, SAs are required to submit a draft decision to the EDPB for approval before the SA does any of the following:
    • Specifies what data-processing measures should be subject to a Data Protection Impact Assessment.
    • Approves a Code of Conduct.
    • Approves accreditation criteria.
    • Determines the content of standard data protection clauses under Articles 46(2), 46(3) or 28(8).
    • Approves Binding Corporate Rules.
    • Makes decisions that may affect Data Subjects or organisations in a number of Member States.
The EDPB will consider any such decision to be made and will issue its opinion if the matter may affect multiple Member States. The relevant SA is then required to take “utmost account” of the EDPB’s opinion before proceeding with its decision. It is hoped that this process will ensure that SAs make consistent decisions, which in turn will help to ensure that the GDPR is applied consistently across the EU.
  • Where SAs cannot agree about significant matters under the GDPR, the EDPB will issue a binding decision, which the SAs involved are required to adopt within one month of the EDPB notifying its decision. Again, it is hoped that dispute resolution by the EDPB will lead to a more consistent application of the GDPR.
  • There was no such requirement under the EU Directive for national data protection authorities to submit their decisions to a central authority for checking. It is therefore hoped that, although there are undoubtedly benefits to this new process, it does not cause decision-making processes to be unnecessarily delayed by bureaucracy. The GDPR has tried to include a check and balance in relation to this by including an “Urgency Procedure”. Under Article 66, if an SA believes that it needs to act urgently to protect a Data Subject’s rights, it is entitled to adopt provisional measures to do so for a three-month period. To do so, it must explain the reasons for this fully to the other affected SAs, to the EDPB and to the European Commission. It can also ask the EDPB to issue an urgent opinion in the circumstances.
  • Under the GDPR, the European Commission may ensure effective information exchange between affected SAs and the EDPB by specifying arrangements for electronic exchange of information.

Recital 136

Article 64

Recital 136

Article 65

Recital 137

Article 66

Recitals 116, 168 and Articles 47(3), 50, 60(1), 61(3), (9), 67, 70(c), (u)–(w)

INVESTIGATIVE POWERS

The GDPR sets out certain investigative powers for SAs, which include the following powers:
  • To order the Data Controller and/or the Data Processor (or their applicable representatives) to provide any information that the SA requires for the proper performance of its tasks.
  • To carry out data protection audits.
  • To carry out a review of certifications issued.
  • To notify the Data Controller and/or the Data Processor of any alleged infringement of the GDPR.
  • To obtain access from the Data Controller and/or the Data Processor to all personal data and all information necessary to perform the SA’s tasks.
  • To obtain access to any premises of the Data Controller and/or the Data Processor including access, as required, to data-processing equipment/means.

Article 58(1)

CORRECTIVE POWERS

Warnings, Reprimands and SA Orders

The GDPR sets out certain corrective powers for SAs, which include the following powers:
  • To issue warnings to a Data Controller and/or Data Processor that intended processing operations are likely to infringe the GDPR.
  • To issue reprimands to a Data Controller and/or Data Processor where processing operations have infringed the GDPR. If there is a minor infringement of the GDPR, or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor.
  • To order the Data Controller and/or Data Processor to:
    • Comply with the Data Subject’s requests to exercise his or her rights pursuant to the GDPR.
    • Bring processing operations into compliance with the GDPR, where appropriate, in a specified manner and within a specified period.
  • To order:
    • The rectification or erasure of personal data or restriction of processing where appropriate.
    • A certification body to withdraw a certification or indeed for the SA to order withdrawal of a certification itself.
    • The suspension of data flows to a recipient in a third country or to an international organisation.
    • The Data Controller to communicate a personal data breach to affected Data Subjects.
    • A temporary or definitive limitation, including a ban on processing.
  • To impose an administrative fine in addition to, or instead of taking, other corrective measures, depending on the circumstances of each individual case (see below for further information).
Some of these corrective powers for SAs are likely to have a significant impact on the day-to-day operations of organisations, for example, powers to suspend data transfers to third countries. The potential impact of these risks should be considered by organisations and internal risk registers updated accordingly.

Recitals 148, 150

Article 58(2)

Remedies: Complaints & Representation
  • Data Subjects have a right to complain to an SA about the handling of their personal data if they believe that their rights under the GDPR have been breached. They can complain to the SA either in the Member State where they live or work or in the Member State where the alleged infringement took place. The SA must inform the Data Subject about the progress and outcome of the complaint. This right to complain is very similar to the right under the previous EU Directive, but the GDPR clarifies that individuals can complain not just to the SA in their own country but also to SAs in other countries where the breach occurred. It is worth noting that under the “one-stop shop” approach (discussed above), the SA that receives the complaint may not be the SA responsible for regulating the infringing Data Controller, so there will still be situations where the SAs have to work with Data Subjects to decide who is best placed to handle the complaint.
  • Under the previous EU Directive, Data Subjects were allowed to appoint a third-party representative or association to lodge a complaint to an SA on their behalf. Under the GDPR, those rights have been clarified and expanded to state that Data Subjects can appoint as their representative any not-for-profit body, organisation or association that fulfils the necessary requirements under national law, has statutory objectives that are in the public interest and that are “active in the field of the protection of Data Subjects’ rights and freedoms” (for example, a works council or trade union). Those representatives will then have the right to complain to the SA on behalf of the Data Subject and also to exercise the right to a judicial remedy or to seek compensation on behalf of the Data Subject if provided for by national law (as discussed further below). It seems that these GDPR provisions will therefore enable representatives to bring actions on behalf of numerous Data Subjects at a time. Data Controllers will need to consider what steps they can take to prepare for such situations arising and have policies and procedures in place to manage these risks. It is also worth noting that, under Member State law, these representatives are also allowed under the GDPR to lodge a complaint with the SA on behalf of Data Subjects, without being mandated by those Data Subjects.


Recital 141

Article 77

Recital 142

Article 80

Remedies: Compensation, Concept of Damage and Liability of Data Controllers & Data Processors
  • Under the GDPR, all Data Subjects have the right to claim compensation through the courts from the appropriate Data Controller and/or the Data Processor, for material or immaterial damage suffered as a result of any processing of their personal data carried out in breach of the GDPR.
  • The rights to compensation have been expanded under the GDPR because under the previous EU Directive, Data Subjects suffering any such harm were only entitled to claim such compensation from Data Controllers. By contrast, under the GDPR:
    • Any Data Controllers involved in the unlawful processing shall be liable for the damage caused by the processing that is in breach.
    • The Data Processor shall only be liable for the damage caused where it (or its sub-processor) hasn’t complied with the GDPR obligations specifically directed at Data Processors or where it has acted outside or contrary to lawful instructions from the relevant Data Controller.
    • Each Data Controller or Data Processor will be held liable for the entire harm caused if they are involved in the same infringing data processing and will be held responsible for that harm in order to ensure effective compensation.
  • Under the GDPR:
    • Data Subjects’ rights have been clarified to state that they may enforce their rights to compensation against any Joint Data Controllers involved. This is to ensure that the Data Subjects’ rights are always protected where information is being shared or used by multiple Data Controllers.
    • Each Joint Data Controller involved will be liable for the entirety of the damage unless national Member State law apportions liability between the controllers.
    • If one of the Joint Data Controllers pays the full compensation to the Data Subject, that Joint Data Controller is then entitled to bring proceedings against the other Joint Data Controllers involved in order to recover their portions of the relevant damages that have been payable. This apportionment of liability is something that will need to be carefully considered between Joint Data Controllers, particularly in data-processing situations in group companies, for example, and also where data-sharing projects are entered into (for example, public sector data sharing). It may lead to more protracted negotiations between Data Controllers in advance of entering into joint data-processing or data-sharing arrangements.
    • Both Data Controllers and/or Data Processors can argue against whole or partial liability where they can prove that they were not responsible for the situation that led to the damage suffered.
  • It is worth noting that under the previous EU Directive, there was also a defence to show that the liability arose in whole or in part from force majeure, but under the GDPR, there is no mention of force majeure events. This should be considered carefully in relation to contractual arrangements where Data Controllers may bear the risk in force majeure situations. Thought should therefore be given as to whether existing force majeure clauses need to be altered or strengthened to take account of this.
  • The rights to compensation under the GDPR are strengthened, clarified and expanded on from the previous EU Directive, which should make these rights easier for Data Subjects to enforce. The scope of liability for both Data Controllers and Data Processors infringing the GDPR has increased risks for both in terms of compensation that could be payable. Some Joint Data Controllers may, for example, find that they face much higher liability for claims under the GDPR. Data Processors take on this direct liability for the first time. It would therefore be prudent for each kind of organisation to ensure that their relevant Board of Directors or management are briefed on these increased liability risks and also to update any internal risk registers to reflect this risk.



Recitals 79, 146–147

Articles 26(3), 82(1)–(5)


Opinions to Parliament

Under Article 58(3)(b) of the GDPR, each SA has the power to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or in accordance with Member State law.

Article 58(3)(b)

CRIMINAL SANCTIONS



  • Under the GDPR, Member States may lay down their own rules on criminal sanctions for infringements of the GDPR and any national rules adopted pursuant to the GDPR.
  • These criminal sanctions may also allow for the deprivation of the profits obtained through infringements of the GDPR.
  • Where criminal sanctions are introduced for unlawful processing of personal data, there may be a significant risk for organisations, depending on how Member States decide in due course to interpret and apply this power.
Recitals 149 & 152

Article 84

ADMINISTRATIVE FINES

Power of the SA to Impose Fines
  • Each supervisory authority has the power to impose administrative fines, which should be “effective, proportionate and dissuasive”, just like other regulatory sanctions imposed by the SA and discussed above. These fines are intended to help ensure compliance with the GDPR.
  • Although it will, of course, be dependent on the circumstances of each particular case, penalties should only be imposed by SAs in addition to or instead of using their corrective powers under Article 58, as discussed above.
  • The GDPR sets out offences, the maximum limit and also the criteria for deciding upon the appropriate administrative fines to be issued. The fines should then be determined by the relevant SA in each individual case, taking into account all relevant circumstances of the specific situation and the other factors set out in more detail below.
  • Where fines are to be imposed on individuals, the SA should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of fine. The new GDPR “Consistency Mechanism” may also be used to promote a consistent application of administrative fines.
  • Where a Member State’s legal system does not provide for administrative fines to be issued, fines may be initiated by the SA and imposed by the national courts.

  • Under the previous EU Directive, Member States were entitled to set their own rules for determining and applying administrative fines. In practice, this has meant that there have been big differences in the systems and maximum fines in place in different EU countries. The GDPR harmonises the system of fining, particularly in relation to the amounts of fines to be issued and the factors to be considered when determining what the level of fine should be.


Recitals 130, 148, 150 & 152

Articles 83 & 84

Administrative Fines – Deciding What Is Appropriate
  • The SA shall have the power to fine and, as discussed above, shall be responsible for ensuring that the actual fines imposed are effective, proportionate and dissuasive.
  • When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard should be given by the SA to the following:
    • The nature, gravity and duration of the infringement, having regard to the nature, scope or purpose of the processing concerned as well as the number of Data Subjects affected and the level of damage suffered by them.
    • The intentional or negligent character of the infringement.
    • Any action taken by the Data Controller or the Data Processor to mitigate the damage suffered by Data Subjects.
    • The degree of responsibility of the Data Controller or the Data Processor having regard to technical and organisational measures implemented by them.
    • Any relevant previous infringements by the Data Controller or the Data Processor.
    • The degree of co-operation with the SA, in order to remedy the infringement and mitigate the possible adverse effects of the infringement.
    • The categories of personal data affected by the infringement.
    • The manner in which the infringement became known to the SA, in particular whether, and if so to what extent, the Data Controller or the Data Processor notified the infringement.
    • In case corrective measures referred to in Article 58 (2) have previously been ordered against the Data Controller or the Data Processor concerned with regard to the same subject-matter, compliance with those measures.
    • Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42.
    • Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
  • For any infringement of the GDPR that is not subject to administrative fines, Member States are allowed to specify additional penalties.
  • The previous EU Directive was silent on the question of how SAs should determine whether to issue an administrative fine and if so, what the amount of that fine should be. Introducing the factors to be considered under the GDPR should help to ensure that more consistent approaches are taken across the EU and should give organisations much more certainty regarding the risks of fines. However, it is worth noting that at a practical level, there are likely to be continued differences in the way SAs apply penalties, due to variations in the national laws of Member States.


Articles 83 & 84

Can a Data Controller and a Data Processor Both Be Fined?

If a Data Controller or a Data Processor intentionally or negligently, for the same or linked data-processing operations, violates several provisions of the GDPR, the total amount of the fine may not exceed the amount specified for the gravest violation.



Article 83(3)

Lower-Level Fines up to 10 Million Euro, or in Case of an Undertaking, up to 2% of the Total Worldwide Annual Turnover of the Preceding Financial Year (Whichever Is Higher)
Administrative fines of up to 10 million euro, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be issued when the requirements of the GDPR have not been complied with in the following situations:
  • Obtaining and verifying parental consent where personal data is being processed about a child (below the applicable age decided by each Member State, which shall not be below 13 years).
  • Informing a Data Subject, where the processing does not require the Data Subject to be identified, that the organisation is not in a position to identify the Data Subject.
  • Implementing appropriate technical and organisational measures to ensure data protection by design and default (for example, carrying out pseudonymisation and ensuring that data is collected only for specified purposes).
  • Where Data Controllers jointly determine the purposes and means of the processing, each must determine their respective responsibilities for compliance with their obligations under the GDPR.
  • Where Data Controllers or Data Processors are not established in the EU, but offer goods and services to Data Subjects in the EU or monitor behaviours of Data Subjects in the EU, the Data Controller shall designate in writing a representative in the EU.
  • If a Data Processor is engaged, the Data Controller shall only use Data Processors providing sufficient guarantees to implement appropriate technical and organisational measures. Such Data Processors cannot enlist another Data Processor without prior specific or general written consent.
  • Processing must only occur under the instructions of the Data Controller.
  • Each Data Controller (or their representative) shall maintain a record of data-processing activities under its responsibility.
  • Data Controllers and Data Processors (and each of their respective representatives) shall co-operate on request with the SA in the performance of its tasks.
  • Each Data Controller and Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  • Data Controllers shall notify personal data breaches to the competent SA without undue delay and where possible no later than 72 hours after becoming aware of it.
  • Where a data breach is likely to result in a high risk to the rights and freedoms of individuals, the Data Controller shall communicate the personal data breach to the Data Subject without undue delay.
  • Data Protection Impact Assessments must be carried out before performing any data processing that is likely to result in high risk for the rights and freedoms of individuals.
  • Data Controllers shall consult the SA before processing personal data where a Data Protection Impact Assessment indicates that the processing would result in a high risk and protective measures are not being taken by the Data Controller.
  • The Data Controller and the Data Processor shall designate a Data Protection Officer as required under the GDPR and shall ensure that the Officer complies with his or her tasks and is properly and without delay involved with all issues that relate to personal data protection.
  • The Data Controller and the Data Processor shall comply with the approved code of conduct of the SA.
  • The Data Controller and the Data Processor shall comply with certification requirements.
It is worth noting that the term “undertaking” originates from EU competition law and is very broad. The Court of Justice of the European Union has stated that this concept “encompasses every entity engaged in an economic activity, regardless of the legal status of the entity and the way in which it is financed” (Joined Cases C-159/91 and C-160/91).

Until we receive further clarification, we have to assume that the same meaning will be applied to the GDPR.

Article 83 (4)

Maximum Fines up to 20 Million Euro, or in Case of an Undertaking, up to 4% of the Total Worldwide Annual Turnover of the Preceding Financial Year (Whichever is Higher)
The GDPR has introduced a concept of a maximum administrative fine, to help make sure that fines are applied on a broadly consistent and proportionate scale across the EU.
Administrative fines of up to 20 million euro, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be issued when the requirements of the GDPR have not been complied with in the following situations:
  • The basic principles for fair processing (including conditions for consent) must be complied with further to Articles 5, 6, 7 and 9 of the GDPR. This means that, for example:
    • Personal data must therefore be processed in a manner that is lawful and fair, transparent, not considered incompatible with the initial purposes, accurate and kept in a form that permits identification of Data Subjects.
    • The Data Controller must also be able to prove that consent was given by the Data Subject to the processing of his or her personal data where consent is used as the basis for processing.
    • Sensitive personal data processing must not be carried out unless this is in compliance with the GDPR.
    • The Data Controller must provide transparent information as well as good communication and methods for Data Subjects to exercise their rights.
    • The Data Controller must provide fair processing information to Data Subjects at the time when information is collected from the Data Subject and/or from any other data source.
  • Data Subjects’ rights must be complied with further to Articles 12 to 22 of the GDPR. This means that, for example:
    • Data Subjects shall have the right to obtain from Data Controllers:
      • Confirmation as to whether their personal data is being processed, where it is being processed and to have access to that data.
      • The rectification of personal data where it is inaccurate.
      • Erasure of personal data (the “right to be forgotten”).
      • The restriction of processing of personal data under certain circumstances.
      • Personal data concerning him or her that has been provided to a Data Controller in a structured, commonly used and machine-readable format (the right to “data portability”).
    • Data Controllers must communicate any rectification, erasure or restriction of processing to each recipient of such data.
    • Data Subjects shall have the right to object to processing based on certain provisions under the GDPR (for example, direct marketing, or processing carried out in the public interest or in the legitimate interests of the Data Controller or a third party, where those interests are not overridden by the rights of the Data Subject).
    • Data Subjects shall have the right not to be subject to a decision based solely on automated processing (including profiling) that has legal effects or similarly significant effects on the Data Subject.
  • Transfers of personal data to recipients in a third country or an international organisation must be made in compliance with Articles 44 to 49 of the GDPR.
  • There must be compliance with an order or a temporary or definite limitation on processing or the suspension of data flows by the SA pursuant to their investigatory or corrective powers under Article 58 of the GDPR (as discussed above).
  • There must be compliance with any obligations created pursuant to Member State law and adopted under Chapter IX of the GDPR.
As discussed above, the term “undertaking” originates from EU competition law and is very broad (Joined Cases C-159/91 and C-160/91); until we receive further clarification, we have to assume that the same meaning will be applied to the GDPR.
Article 83 (5) & (6)

Fines for Public Authorities & Bodies
  • The GDPR essentially provides that Member States should determine whether and to what extent public authorities should be subject to administrative fines.
  • Without prejudice to the corrective powers of SAs under Article 58(2) (discussed above), each Member State is entitled under Article 83(7) to lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
Article 83 (7)


SAFEGUARDS & PROCEDURES

Safeguards
  • Under the GDPR, each SA imposing sanctions and penalties must do so in a manner that is “effective, proportionate and dissuasive”.
  • The exercising by an SA of its powers under Article 83 (relating to the imposition of administrative fines) shall also be subject to appropriate procedural safeguards set out in accordance with EU and national Member State law, including effective judicial remedy and due process (discussed below).
Recitals 150 & 152

Article 83 (8)

Extended Territorial Reach

It is worth noting that the GDPR applies to Data Controllers and Data Processors outside the EU whose data-processing activities relate to the offering of goods or services (including those free of charge) to, or monitoring the behaviour (within the EU) of, EU Data Subjects. Many Data Controllers and Data Processors will need to appoint a representative in the EU.

Data processing that is caught by this extension of territorial reach will then entitle SAs in the relevant Member States to take enforcement action and issue administrative fines (as described in more detail above) to those Data Controllers and Data Processors.


Recital 22
Article 3(1)
Venue for Proceedings

  • Under the GDPR, proceedings against:
    • An SA must be brought in the Member State in which that SA is established.
    • A Data Controller or a Data Processor may be brought in either the Member State in which:
      • The Data Controller or the Data Processor has an establishment; or
      • The Data Subject resides (except to the extent that the Data Controller or Data Processor is an SA or a public authority).

  • Under EU data protection law, a Data Subject in one Member State might be affected by data-processing activities taking place in another Member State. It has often been difficult to decide which national courts should have authority to hear a particular claim. The GDPR has tried to provide some consistency around this.
  • The changes under the GDPR do, however, mean that organisations might end up having legal proceedings brought against them in jurisdictions with which they are not familiar (that is, outside the Member State(s) in which they are established). This may require organisations to seek specialist legal advice in those jurisdictions, and the costs of litigation could increase substantially. Organisations should make their Board of Directors or management aware of these risks.

Recital 143
Articles 78(3) and 79(2)
Situations Where Proceedings Will Be Suspended

Under the previous EU Directive, judicial proceedings were increasingly brought in multiple jurisdictions regarding the same subject matter. The EU Directive did not address how this should be dealt with.

Under the GDPR:

  • A new system has been introduced whereby national Member State courts can in some appropriate situations suspend proceedings so that organisations are not faced with parallel proceedings in multiple Member States where that is not necessary.
  • If a court in one national Member State discovers that proceedings are pending in another Member State and that they concern the same Data Controller or Data Processor and the same subject matter, that court is entitled to:
    • Contact the relevant court in the other Member State to confirm the existence of such proceedings; and to
    • Suspend its own proceedings if appropriate.
  • Where the proceedings are pending at first instance, any other court may also, on the application of one of the parties, decline jurisdiction, if the court first seized has jurisdiction.
These new provisions under the GDPR are intended to assist organisations as set out above. It is, however, possible that a Member State court could decide to suspend proceedings pending the outcome of a case in another Member State, meaning that claims are simply delayed or indeed that decisions in cases are influenced by proceedings in another Member State, which may not be in the organisation’s favour.

Recital 144
Article 81

APPEALS

Right to Judicial Remedy
  • Data Subjects have the right to seek an effective judicial remedy before a national court:
    • Against legally binding decisions of an SA concerning them.
    • Where the SA does not deal with a complaint or does not inform the Data Subject within three months on the progress or outcome of a complaint lodged by the Data Subject to the SA.
  • Data Subjects also have a right to a judicial remedy against a Data Controller or a Data Processor in respect of any processing of their personal data that breaches the GDPR.
  • The GDPR provides more clarity and certainty in relation to the claims that can be brought against organisations.

Recitals 48 and 143

Articles 17(3), 58(4), 77 to 79

Rights and Process to Appeal Decisions/Actions of the European Data Protection Board

Under Article 70 of the GDPR, the EDPB is required to ensure consistent application of the GDPR. To do so, the EDPB must, either on its own initiative or, where relevant, at the request of the European Commission, in particular:
  • Monitor and ensure the correct application of the GDPR in the cases provided for in Articles 64 (Opinion of the Board) and Article 65 (Dispute Resolution by the Board) without prejudice to the tasks of national SAs. This includes, for example:
    • Where any SA, the Chair of the EDPB or the European Commission requests that any matter of general application or producing effects in more than one Member State be examined by the EDPB with a view to obtaining an opinion, in particular where a competent SA does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62 (as discussed above).
    • Where the EDPB is involved in dispute resolution as set out under Article 65 (as discussed above).
  • Forward its opinions, guidelines, recommendations and best practices to the European Commission and make them public.
  • Where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The EDPB shall make the results of the consultation procedure publicly available.


Articles 64, 65, 70(1)(a) and (t), 70(3) and (4)