Article 83
General conditions for imposing administrative fines
(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive;
Regulation
1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive. 2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: (a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement. 3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement. 4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; (b) the obligations of the certification body pursuant to Articles 42 and 43; (c) the obligations of the monitoring body pursuant to Article 41(4). 5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (b) the data subjects' rights pursuant to Articles 12 to 22; (c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49; (d) any obligations pursuant to Member State law adopted under Chapter IX; (e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1). 6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. 7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. 8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process. 9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them. |
Directive
Art. 24 The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive. |
Serbia
|
Austria
All of the following inforce until May 25, 2018: Penal Provisions Use of Data with the Intention to make a Profit or to Cause Harm § 51 DSG 2000 (1) Whoever with the intention to enrich himself or a third person unlawfully or to harm someone in his entitlement guaranteed according to § 1 para 1 deliberately uses personal data that have been entrusted to or made accessible to him solely because of professional reasons, or that he has acquired illegally, for himself or makes such data available to others or publishes such data with the intention to make a profit or to harm others, despite the data subject’s interest in secrecy deserving protection, shall be punished by a court with imprisonment up to a year, unless the offence shall be subject to a more severe punishment pursuant to another provision. Administrative Penalties § 52 DSG 2000 (1) Insofar as the act does not realize the legal elements of a criminal offence subject to the jurisdiction of the courts of law and is not subject to more severe penalties according to another administrative provision, an administrative offence punishable by a fine of up to 25 000 Euro is committed by anyone who 1. intentionally and illegally gains access to a data application or maintains an obviously illegal means of access or 2. transmits data intentionally in violation of the rules on confidentiality (§ 15), and in particular anybody who uses data entrusted to him according to § 46 and 47 for other purposes or 3. uses or fails to grant information, to rectify or erase data in violation of a final judicial decision or ruling, 4. intentional erases data in violation of § 26 para. 7; 5. by pretending incorrect facts intentionally obtains data according to § 48a. (2) Insofar as the act does not realize the legal elements of a criminal offence subject to the jurisdiction of the courts of law, an administrative offence punishable by a fine of up to 10 000 Euro is committed by anyone who 1. collects, processes and transmits data without having fulfilled his obligation to notification according to §§ 17 or 50c or operates a data application in a manner deviating from the notification. 2. engages in data transmissions or abandonments without the necessary permit of the Data Protection Authority according to § 13 para 1or 3. violates declarations given according to § 13 para 2 sub-para. 2, § 19 or 50c para 1 or conditions imposed by the Data Protection Authority according to § 13 para 1 or § 21 para 2 or 4. violates his obligations of disclosure and information according to §§ 23, 24, 25 and 50d or 5. grossly neglects the required data security measures according to § 14 or 6. disregards the safety measures required according to § 50a para 7 and § 50b para 1 or 7. does not delete data after expiring of the period provided for in § 50b para 2 for deletion. (2a) To the extent the act does not constitute a criminal offence within the jurisdiction of the courts or is punishable under other administrative penal regulations, who, contrary to §§ 26, 27 or 28, does not in time give information on, corrects or deletes data, commits an administrative offence to be punished with a fine up to € 500. (3) Attempts shall be punished. (4) Data media or programs as well as picture transmitting or -recording devices can be confiscated (§§ 10, 17 and 18 of the Administrative Penal Act 1991 [VStG]), if they are linked to an administrative offence according to para. 1 and 2. (5) The district administrative authority at the controller´s (processor´s) domicile or seat shall be the competent authority for decisions according to para. 1 to 4. If there is no domicile or seat in Austria, the district administrative authority at the seat of the Data Protection Authority shall be competent. |