We conclude our blog series “Exploring the GDPR” with an episode on the enforcement of the GDPR and the sanctions for violating it. In the period leading up to the entry into force of the GDPR, much emphasis was placed on the possibility that huge fines would be imposed if companies and institutions did not meet the applicable requirements under the GDPR. In itself, it is a good thing that under the GDPR penalties of up to € 20 million or 4% of worldwide annual turnover may be imposed as sanctions for a violation. However, these are the highest possible fines that the national authorities can impose, and the chance that an average company is directly confronted with such fines is moderate. In other words, there is more at stake than just those hefty fines when we look at the duties and powers of the supervisory authority and at enforcement under the GDPR, including the imposition of sanctions.
Who will enforce compliance?
The Dutch Data Protection Authority (AP) is the authority that monitors compliance with the GDPR in the Netherlands. The duties of the AP have been included in the GDPR. Art. 57 GDPR mentions the following duties in this regard, inter alia:
- Monitoring and enforcing the regulation;
- Promoting awareness and understanding among the general public regarding the risks, rules, safeguards and rights associated with processing;
- Advising parliament, government and other institutions and bodies on legislative initiatives and administrative measures for the protection of fundamental rights of natural persons regarding processing;
- Informing controllers and processors with respect to their obligations under the Regulation;
- Providing information to data subjects on rights under the Regulation;
- Handling of complaints;
- Collaboration with other supervisory authorities; and
- Keeping internal records of breaches of the Regulation.
In addition to the more general duties, the authority has various powers under the GDPR. Art. 58 GDPR mentions in this respect, inter alia:
- Instructing the controller and processor to provide any information the AP requires to carry out its duties;
- Informing the controller and processor of an alleged breach of the Regulation; and
- Obtaining access to personal data and information, as well as to the business premises of the controller and processor.
What does enforcement consist of?
It is clear from this that the AP has monitoring and investigative powers to establish a breach of the GDPR and to subsequently take action. In this respect, the AP can take corrective measures, including issuing a warning or reprimand, ordering the controller and processor to comply with the requests of data subjects, ordering that the processing be brought into line with the GDPR, imposing a temporary or definitive ban on processing, and imposing an administrative fine. The fine may be imposed in addition to or instead of the other sanctions mentioned above.
When deciding whether or not to impose an administrative fine, and how high the fine should be, the AP must take various factors into account, including the seriousness, nature and duration of the breach, whether the breach was deliberate or negligent, which technical and organisational measures had been taken, any previous relevant breaches, which categories of personal data were affected, et cetera.
It is also important to note that the Dutch General Administrative Law Act (“Awb”) applies and provides the rules for the proceedings arising from the decisions and measures of the AP. For example, if the AP imposes an administrative fine, that is a decision against which an objection and an appeal can be lodged within the scope of the Awb.
Legal protection in GDPR operations
Incidentally, a decision by a governmental body on a request from a data subject (e.g. a request to inspect the personal data being processed) may also be regarded as a decision within the meaning of the Awb (with the attendant risk of misuse and/or abuse). If such a decision is made by an institution or enterprise that is not a governmental body, data subjects may bring their case before the civil court if they do not agree with the response to their request. Alternatively, all data subjects may also turn to the AP for mediation or an expert opinion in the dispute that has arisen with the controller or processor, within the meaning of Article 40 GDPR.
Enforcement? Administrative-law knowledge is required!
Enforcement of the GDPR and the imposition of sanctions by the AP are governed by various rules. A fine of € 20 million for a first and relatively limited breach of the GDPR is not very likely. Nevertheless, it cannot be ruled out that the AP will actively enforce the GDPR. All data subjects are aware that the AP will get quite busy, but politicians seem to favour more resources over more restraint when it comes to enforcement, even though enforcement action seems most likely in the case of a deliberate violation of rights, and the AP’s duty to provide information is also considered to be of great importance.
Whatever the case, if enforcement action is taken (or the intention to enforce is expressed), it is advisable to obtain administrative-law advice on how to respond. For example, the time limits set by the Awb for lodging an objection and/or appeal are relatively short (6 weeks).