General Data Protection Regulation - GDPR
The General Data Protection Regulation (GDPR) has applied since May 25, 2018, with the goal of ensuring that personal data is effectively protected. Violations of the GDPR can lead to heavy fines. For businesses, this means stricter requirements for data protection compliance.
- Fending off administrative fines
- Noncompliance and claims for damages
- Implementing data protection guidelines
The aim of the General Data Protection Regulation, which has applied in full since May 25, 2018, is to harmonize data protection law across the European Union and to better safeguard personal data. Businesses that collect, store, and process data face new obligations when handling the personal data of their clients, customers, and employees. To enforce this higher standard of protection, the supervisory authorities are able to impose substantial administrative fines in response to GDPR violations.
Fines for noncompliance
The national supervisory authorities have the power, and indeed the obligation, to respond to GDPR violations by issuing orders that bring the noncompliance to an end and ensure that personal data is processed in conformity with the law. The authorities can also impose significant fines, the amount of which depends on factors such as the nature, gravity and duration of the infringement and whether it was intentional or negligent. Fines must be effective and proportionate but also dissuasive, with offenders potentially facing fines of up to 20 million euros or, for an undertaking, up to 4 percent of its total worldwide annual turnover for the preceding financial year, whichever is higher.
The supervisory authorities decide the level of any fine on a case-by-case basis. Fines may be higher if the violation was intentional, if the company failed to take appropriate measures to mitigate the damage suffered by data subjects, or if it has committed previous infringements. Conversely, cooperating with the supervisory authority and notifying the infringement promptly are taken into account in the company's favor and can avert a more severe penalty.
Particularly serious violations within the meaning of Art. 83(5) of the GDPR, such as breaches of the basic processing principles (including the conditions for consent), of data subjects' rights, or of the rules on transfers to third countries, can see companies facing fines of up to 20 million euros or up to 4 percent of their total worldwide annual turnover, whichever is higher. Less serious violations as defined in Art. 83(4) of the GDPR, for example breaches of the controller's and processor's own obligations such as security of processing, breach notification, records of processing or the appointment of a data protection officer, can still result in fines of up to 10 million euros or up to 2 percent of global annual turnover, whichever is higher.
Claims for damages due to noncompliance
In addition to fines, failure to comply with the GDPR can also give rise to claims for damages brought by those affected by the breach: under Art. 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement is entitled to compensation from the controller or processor. Such claims can be substantial, and companies are especially exposed when a large number of persons are affected by a single violation. In turn, the company may be able to seek recourse against its managing director or other persons in positions of responsibility.
The potential scale of the fines shows that violations of the GDPR are not a trivial matter. They are intended to act as a deterrent and, in the worst case, can threaten a company's continued existence. Companies accused of having breached data protection law should therefore seek expert legal advice without delay; doing so may allow the accusation to be refuted or at least the penalty to be reduced.
The risk of GDPR violations can be kept to a minimum through a comprehensive data protection compliance program and, where required or advisable, by appointing a data protection officer.