On 1 September 2016, the Bavarian Data Protection Authority
("DPA") issued a new guidance paper on sanctions under the new EU
General Data Protection Regulation
("GDPR") in the course of a series of
non-binding guidance papers on selected topics in relation
to the GDPR, which the DPA publishes periodically, and which can be
found on the DPA's official website.
Starting Point: Article 83 GDPR
The DPA's first finding is that, compared to the current
legal framework under the German Federal Data Protection Act
(Bundesdatenschutzgesetz – BDSG), the GDPR, namely its
Article 83, provides for a much wider array of infringements
that are subject to sanctions. Most breaches might result in
administrative fines, whereas exceptions shall apply only in cases
of minor infringements or if the fine likely to be imposed would
constitute a disproportionate burden (recital 148 of the GDPR).
Technical and Organisational Measures
The DPA also expressly notes that under the GDPR, infringements
regarding technical and organisational measures can result in
administrative fines, which the DPA deems to be an important
innovation as compared to the current legal situation in Germany.
Another key change is that the GDPR also provides for
administrative fines concerning infringements of the obligation to
implement the legal principles of privacy by design and privacy by
default; the DPA takes the view that this evidences the great value
attributed to these principles.
Potential Addressees of Administrative Fines
The DPA emphasizes that administrative fines can be imposed upon
both data controllers and data processors. Further, certification
bodies and bodies accredited to monitor compliance with a code of
conduct might be subject to administrative fines.
The DPA assumes that undertakings shall be liable for
infringements which are committed by the undertaking's
employees. The question whether administrative fines can also be
imposed upon employees is not regulated by the GDPR. The DPA
concludes that it remains to be seen whether the implementations on
a national level will address this open issue.
Increased Amount of Fines
Article 83(1) GDPR sets forth that administrative fines
"shall in each individual case be effective, proportionate
and dissuasive". The DPA highlights that under the GDPR
certain infringements might result in fines up to EUR 20 million,
or in the case of an undertaking, up to 4% of the total worldwide
annual turnover of the preceding financial year, whichever is
The DPA states that, when determining the relevant worldwide
annual turnover, not only the individual company, but the whole
group of companies, shall be taken into account. In the view of the
DPA this shall result from recital 150 of the GDPR, which expressly
makes reference to the "economic concept of
undertakings" contained in Articles 101 and 102 of the
Treaty on the Functioning of the European Union.
Relevant Factors for Determining the Amount of Fines
A number of criteria need to be considered when determining the
amount of the relevant administrative fine, in particular previous
infringements and/or the scope of cooperation with the
competent supervisory authority. If an undertaking provides, in the
course of pending investigations, the supervisory authority with
incorrect or incomplete information, this shall be regarded as an
aggravating factor. The DPA takes the position that this is a
general rule which has also been acknowledged by the Court of
Justice of the European Union regarding violations of competition
Since the GDPR's aim is to create a uniform level of fines
across the European Union, the DPA calls on the European Data
Protection Board, as established by the GDPR, to develop guidelines
for determination of the amount of administrative fines.
The DPA concludes that the relevant provisions of the GDPR on
sanctions are an expression of the legislator's intention to
consequently and seriously sanction infringements. This shall be a
clear message for enterprises which should take data protection