New EU data protection law: Sanctions and liability

Under the new European General Data Protection Regulation (GDPR), sanctions shall enhance the harmonisation of data protection and ensure an equal level of protection across the EU. Beyond penalizing the individual data breach, sanctions shall in the future also serve as a deterrent for other companies.

Administrative Sanctions

The administrative sanctions may be fines or corrective measures, such as a limitation or ban on processing; rectification or erasure of personal data; or suspension of data transfers to a non-EU/EEA country. Fines may be imposed in addition to or instead of corrective measures. When deciding whether to impose a fine and on the amount of the fine, the supervisory authorities shall in each case take account of the nature, gravity and duration of the breach, the purpose of the processing, the number of people affected, the level of damage, the intentional or negligent nature of the breach, the measures for prevention or mitigation adopted, the responsibility of the controller, the technical and organisational measures implemented, and other relevant aggravating or mitigating factors.

For cases of minor gravity with no significant risk to the data subjects, the sanction may be a mere warning or reprimand without a fine.

Severe infringements are classified into two categories: those in the first category may be subject to a fine of up to EUR 10,000,000.00 or up to 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher); those in the second category, up to EUR 20,000,000.00 or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher). The first category comprises, among others: non-compliance with the principles of privacy by design and by default, non-compliance with the duty to record processing activities, non-cooperation with the supervisory authority, failure to comply with rules on the security of processing, failure to notify data breaches, and failure to conduct impact assessments. The second category includes: violations regarding consent, sensitive data, the information requirements, transfer of personal data to non-EU/EEA countries, processing in the context of employment, and non-compliance with orders of the supervisory authority.

The GDPR does not intend the financial capabilities of companies to be considered when imposing fines, and the supervisory authorities are expected to align their practice and impose fines of similar volume for similar breaches across the EU. Small businesses in particular should be aware of this, since a heavy fine could cost them their business.

Civil and criminal law sanctions

Data subjects are entitled to civil law compensation for material and immaterial damages from the controllers and/or processors, who may only escape liability if they can prove that they were in no way responsible for the damage. According to Art. 80, consumer protection associations may also lodge a complaint about data breaches on behalf of the data subject(s). Furthermore, data breaches may also incur criminal liability: Art. 84 and Recital 149 specifically enable member states to implement corresponding provisions under criminal law at their own discretion.

Who might be liable?

In addition to the controllers, processors may also be liable for the infringements, individually or jointly and severally together with the controller, as the case may be. Data Protection Officers cannot themselves be subject to administrative sanctions; nevertheless, they may be liable for damages towards the controller or processor if they are found responsible for giving inadequate advice.

Should you have any queries, please do not hesitate to contact one of our offices.