Article 83
General conditions for imposing administrative fines
(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private or public law, who fails to comply with the national measures taken under this Directive;
Regulation
1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects' rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted under Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.
Directive
Art. 24 The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.
Hungary
Section 61
(1) In its decision adopted in the data protection authority procedure, the Authority a) may apply the legal consequences specified in the General Data Protection Regulation in connection with the data processing operations specified in Section 2(2) and (4), c) may apply the legal consequences specified in Article 41(5) of the General Data Protection Regulation against the organisation carrying out the monitoring activity specified in Article 41(1) of the General Data Protection Regulation.
(2) The Authority may order the publication of its decision, together with the identification data of the controller or processor, if a) the decision affects a wide range of persons, b) it was adopted in connection with the activities of a body performing public duties, or c) the gravity of the infringement justifies publication.
(3) In the Authority's procedure, the application of a warning and of a security deposit is excluded if, on the basis of the provisions governing its discretionary assessment, the Authority finds that the imposition of a fine is necessary.
(4) The amount of the fine may range from one hundred thousand to twenty million forints b) where the party obliged to pay the fine imposed in the decision adopted in the data protection authority procedure is a budgetary body, in the case of a fine imposed under Article 83 of the General Data Protection Regulation.
(6) Until the expiry of the time limit for bringing an action to challenge the decision or, where an administrative court action is brought, until the final decision of the court, the data affected by the contested data processing shall not be erased or destroyed.
(7) The Authority shall carry out the enforcement of its decision as regards an obligation contained in the decision to perform a specific act, to engage in specific conduct, to tolerate or to cease.
(8) No reduction of the payment obligation established in the Authority's decision (hereinafter: reduction) may be granted at the request of the obligor. The obligor may request authorisation of a deferral or of performance in instalments (hereinafter together: performance allowance) for the payment obligation and for the obligation specified in paragraph (7). In the request, the obligor shall demonstrate that a cause beyond its control makes performance within the time limit impossible or that such performance would cause it disproportionate hardship.
(9) If the obligor submits the request under paragraph (8) after enforcement of the Authority's decision has been ordered, the Authority may grant a performance allowance only if performance of the obligation within the time limit was made impossible by a cause beyond the obligor's control.
(10) When deciding on a request for reduction or for a performance allowance submitted in respect of a payment obligation established in the Authority's decision, the state tax and customs authority shall proceed by applying Section 110 of Act CLIII of 2017 on enforcement procedures to be carried out by the tax authority.
Poland
In force until May 25, 2018: As regards financial penalties, there are no special provisions in Poland. The Inspector General may impose a financial fine pursuant to general administrative rules to enforce the performance of obligations as set out in the relevant decision. The fine cannot exceed PLN 10,000 in relation to individual persons and PLN 50,000 in relation to legal persons and units. The total value of the fine cannot exceed PLN 50,000 for individuals and PLN 200,000 for legal persons and units.
The Act on Personal Data Protection
Article 49 1. A person who processes personal data in a data filing system where such processing is forbidden or where he/she is not authorized to carry out such processing, shall be liable to a fine, a partial restriction of freedom or a prison sentence of up to two years. 2. Where the offence mentioned in paragraph 1 of this article relates to information on racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade union membership, health records, genetic code, addictions or sexual life, the person who processes the data shall be liable to a fine, a partial restriction of freedom or a prison sentence of up to three years.
Article 51 1. A person who, being the controller of a data filing system or being obliged to protect the personal data, discloses them or provides access to unauthorized persons, shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to two years. 2. In case of unintentional character of the above offence, the offender shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to one year.
Article 52 A person who, being the controller of a data filing system violates, whether intentionally or unintentionally, the obligation to protect the data against unauthorized takeover, damage or destruction, shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to one year.
Article 53 A person who, regardless of the obligation, fails to notify the data filing system for registration, shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to one year.
Article 54 A person who, being the controller, fails to inform the data subject of its rights or to provide him/her with the information which would enable that person to benefit from the provisions of this Act, shall be liable to a fine, partial restriction of freedom or prison sentence of up to one year.
Article 54a Preventing or hindering the performance of inspection activities by the inspector shall be punishable by a fine and restriction or deprivation of liberty of up to 2 years.