1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects' rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted under Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.
|
Art. 79
1. Each supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where:
(a) a natural person is processing personal data without a commercial interest; or
(b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
(a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2);
(b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).
5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
(a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14;
(b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13;
(c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17;
(d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18;
(e) does not or not sufficiently determine the respective responsibilities with co-controllers pursuant to Article 24;
(f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3);
(g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes.
6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
(a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8;
(b) processes special categories of data in violation of Articles 9 and 81;
(c) does not comply with an objection or the requirement pursuant to Article 19;
(d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20;
(e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30;
(f) does not designate a representative pursuant to Article 25;
(g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27;
(h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32;
(i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34;
(j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37;
(k) misuses a data protection seal or mark in the meaning of Article 39;
(l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44;
(m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1);
(n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2);
(o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of updating the amounts of the administrative fines referred to in paragraphs 4, 5 and 6, taking into account the criteria referred to in paragraph 2.
|
Art. 79a
1. The supervisory authority (…) may impose a fine that shall not exceed 250 000 EUR, or in case of an undertaking 0,5 % of its total worldwide annual turnover of the preceding financial year, on a controller who, intentionally or negligently: (a) does not respond within the period referred to in Article 12(2) to requests of the data subject; (b) charges a fee in violation of the first sentence of paragraph 4 of Article 12.
2. The supervisory authority (…) may impose a fine that shall not exceed 500 000 EUR, or in case of an undertaking 1% of its total worldwide annual (…) turnover of the preceding financial year, on a controller or processor who, intentionally or negligently:
(a) does not provide the information, or (…) provides incomplete information, or does not provide the information [timely or] in a [sufficiently] transparent manner, to the data subject pursuant to Articles 12(3),14 and 14a;
(b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 (…);
(c) does not erase personal data in violation of the right to erasure and 'to be forgotten' pursuant to Article 17(1)(a), 17(1)(b), 17(1)(d) or 17(1)(e);
(d) (…)
(da) processes personal data in violation of the right to restriction of processing pursuant to Article 17a or does not inform the data subject before the restriction of processing is lifted pursuant to Article 17a(4);
(db) does not communicate any rectification, erasure or restriction of processing to each recipient to whom the controller has disclosed personal data, in violation of Article 17b;
(dc) does not provide the data subject’s personal data concerning him or her (…) in violation of Article 18;
(dd) processes personal data after the objection of the data subject pursuant to Article 19(1) and does not demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;
(de) does not provide the data subject with information concerning the right to object processing for direct marketing purposes pursuant to Article 19(2) or continues to process data for direct marketing purposes after the objection of the data subject in violation of Article 19(2a);
(e) does not or not sufficiently determine the respective responsibilities with joint controllers pursuant to Article 24;
(f) does not or not sufficiently maintain the documentation pursuant to Article 28 and Article 31(4).
(g) (…)
3. The supervisory authority (…) may impose a fine that shall not exceed 1 000 000 EUR or, in case of an undertaking, 2 % of its total worldwide annual turnover of the preceding financial year, on a controller or processor who, intentionally or negligently:
(a) processes personal data without a (…) legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7, 8 and 9;
(b) (…);
(c) (…); (d) does not comply with the conditions in relation to (…)automated individual decision making, including profiling pursuant to Article 20;
(da) does not (…) implement appropriate measures or is not able to demonstrate compliance pursuant to Articles 22 (…) and 30;
(db) does not designate a representative in violation of Article 25;
(dc) processes or instructs the processing of personal data in violation of (…) Articles 26;
(dd) does not alert on or notify a personal data breach or does not [timely or] completely notify the data breach to the supervisory authority or to the data subject in violation of Articles 31 and 32;
(de) does not carry out a data protection impact assessment in violation of Article 33 or processes personal data without prior consultation of the supervisory authority in violation of Article 34(2);
(e) (…);
(f) misuses a data protection seal or mark in the meaning of Article 39 or does not comply with the conditions and procedures laid down in Articles 38a and 39a;
(g) carries out or instructs a data transfer to a recipient in a third country or an international organisation in violation of Articles 41 to 44;
(h) does not comply with an order or a temporary or definite limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 53 (1b) or does not provide access in violation of Article 53(1).
(i) (…)
(j) (…).
3a. If a controller or processor intentionally or negligently violates several provisions of this Regulation listed in paragraphs 1, 2 or 3, the total amount of the fine may not exceed the amount specified for the gravest violation.
4. (…)
|
Art. 24
The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.
|
Section 43
Administrative offences
(1) An administrative offence shall be deemed to have been committed by anyone who, whether intentionally or through negligence,
1. contrary to Section 4d (1), also in conjunction with Section 4e second sentence of this Act, fails to submit a notification, fails to do so within the prescribed time limit or fails to provide complete particulars,
2. contrary to Section 4f (1) first or second sentence of this Act, fails to appoint a data protection official or fails to do so within the prescribed time limit or in the prescribed manner,
2a. contrary to Section 10 (4) third sentence fails to ensure that data transfer can be ascertained and checked,
2b. contrary to Section 11 (2) second sentence fails to give the commission correctly, completely or in accordance with the rules, or contrary to Section 11 (2) fourth sentence fails to ensure prior to the processing of the data that technical and organizational measures taken by the agent are being complied with,
3. contrary to Section 28 (4) second sentence of this Act, fails to notify the data subject, or fails to do so within the prescribed time limit or in the prescribed manner, or fails to ensure that the data subject is able to obtain due knowledge,
3a. contrary to Section 28 (4) fourth sentence requires a stricter form,
4. transfers or uses personal data contrary to Section 28 (5) second sentence of this Act,
4a. contrary to Section 28a (3) first sentence fails to inform or fails to do so correctly, completely or within the prescribed time limits,
5. contrary to Section 29 (2) third or fourth sentence of this Act, fails to record the reasons described there or the means of credibly presenting them,
6. incorporates personal data into electronic or printed address, telephone, classified or similar directories contrary to Section 29 (3) first sentence of this Act,
7. contrary to Section 29 (3) second sentence of this Act, fails to ensure the adoption of labels,
7a. contrary to Section 29 (6) fails to handle an information request properly,
7b. contrary to Section 29 (7) first sentence fails to inform a consumer or fails to do so correctly, completely or within the prescribed time limits,
8. contrary to Section 33 (1) of this Act, fails to notify the data subject or fails to do so correctly or completely,
8a. contrary to Section 34 (1) first sentence, also in conjunction with sentence 3, contrary to Section 34 (1a), contrary to Section 34 (2) first sentence, also in conjunction with sentence 2, or contrary to Section 34 (2) fifth sentence, (3) first or second sentence, or (4) first sentence, also in conjunction with sentence 2 fails to provide information or fails to do so correctly, completely or within the prescribed time limits, or contrary to Section 34 (1a) fails to store data,
8b. contrary to Section 34 (2) third sentence fails to transmit information or fails to do so correctly, completely or within the prescribed time limits,
8c. contrary to Section 34 (2) fourth sentence fails to refer the data subject to the other body, or fails to do so within the prescribed time limits,
9. contrary to Section 35 (6) third sentence of this Act, transfers data without a counter-statement,
10. contrary to Section 38 (3) first sentence of this Act, fails to provide information or fails to do so correctly, completely or within the prescribed time limit or fails to permit a measure
11. fails to comply with an executable instruction under Section 38 (5) first sentence of this Act.
(2) An administrative offence shall be deemed to have been committed by anyone who, whether intentionally or through negligence,
1. collects or processes personal data which are not generally accessible without authorization,
2. holds personal data which are not generally accessible ready for retrieval by means of an automated procedure without authorization,
3. retrieves personal data which are not generally accessible or obtains such data for themselves or another from automated processing operations without authorization,
4. obtains by means of incorrect information the transfer of personal data which are not generally accessible,
5. contrary to Section 16 (4) first sentence, Section 28 (5) first sentence of this Act, also in conjunction with Section 29 (4), Section 39 (1) first sentence or Section 40 (1) of this Act, uses data for other purposes by transmitted them to third parties, or
5a. contrary to Section 28 (3b) makes concluding a contract dependent on the consent of the data subject,
5b. contrary to Section 28 (4) first sentence processes or uses data for purposes of advertising or market or opinion research,
6. contrary to Section 30 (1) second sentence, Section 30a (3) third sentence, Section 40 (2) third sentence of this Act, combines a characteristic mentioned there with specific information, or
7a. contrary to Section 42a first sentence fails to notify or fails to do so correctly, completely or within the prescribed time limit.
(3) Administrative offences shall be punishable by a fine of up to € 50,000 in case of sub-Section 1 above, and by a fine of up to € 300,000 in the cases under sub-Section 2 above. The fine shall exceed the financial benefit to the perpetrator derived from the administrative offence. If the amounts mentioned in the first sentence are not sufficient to do so, they may be increased.
|
Article 44
(1) Natural person who
(a) is in a labour or similar relationship to the controller or processor;
(b) carries out activities for the controller or processor on the basis of an agreement, or who
(c) in the framework of fulfilling powers and obligations imposed by a special Act comes into contact with personal data at the controller or processor,
commits an offence by breaching the obligation to maintain confidentiality (Article 15).
(2) Natural person in the position of the controller or processor commits an offence in the course of personal data processing if he:
(a) fails to specify the purpose, means or manner of processing (Article 5(1)(a) and (b)) or breaches an obligation by the specified purpose of processing or exceeds his authority ensuing from a special Act,
(b) processes inaccurate personal data (Article 5(1)(c))
(c) collects or processes personal data in an extent or manner which does not correspond to the specified purpose (Article 5(1)(d),(f) thru (h))
(d) retains personal data for a period longer than necessary for the purpose of processing (Article 5(1)(e))
(e) processes personal data without the consent of data subject except for the cases provided by law (Article 5(2) and Article 9)
(f) fails to provide the data subject with information in the scope or in the manner provided by law (Article 11)
(g) refuses to provide the data subject with the requested information (Articles 12 and 21)
(h) fails to adopt or implement measures for ensuring security of personal data processing (Article 13)
(i) fails to fulfil the notification obligation pursuant to this Act (Articles 16 and 27)
(j) fails to implement imposed remedial measures in the fixed period.
(3) Natural person in the position of the controller or processor commits an offence if he in the course of personal data processing:
(a) jeopardises a substantial number of persons by unauthorized interference in the private and personal lives, or
(b) fails to fulfil obligations related to the processing of sensitive data (Article 9)
by some of the courses of action pursuant to paragraph 2.
(4) A fine up to CZK 100,000 may be imposed for an offence pursuant to paragraph 1.
(5) A fine up to CZK 1,000,000 may be imposed for an offence pursuant to paragraph 2.
(6) A fine up to CZK 5,000,000 may be imposed for an offence pursuant to paragraph 3.
Article 44a
(1) Natural person commits an offence by breaching prohibition to publish personal data provided by other legal regulation.
(2) A fine up to CZK 1,000,000 may be imposed for an offence pursuant to paragraph 1.
(3) A fine up to CZK 5,000,000 may be imposed for an offence pursuant to paragraph 1 committed by press, film, radio, television, publicly accessible computer network or by other equally effective way.
Article 45
(1) Legal or natural person doing business according to special regulations when processing personal data in the position of the controller or processor commits an administrative delict if he:
(a) fails to specify the purpose, means or manner of processing (Article 5(1)(a) and (b)) or breaches an obligation by the specified purpose of processing or exceeds his authority ensuing from a special Act;
(b) processes inaccurate personal data (Article 5(1)(c));
(c) collects or processes personal data in a scope or manner which does not correspond to the specified purpose (Article 5(1)(d), (f) thru (h));
(d) retains personal data for a period longer than necessary for the purpose of processing (Article 5(1)(e));
(e) processes personal data without the consent of data subject except for the cases provided by law (Article 5(2) and Article 9);
(f) fails to provide the data subject with information in the scope or in the manner provided by law (Article 11);
(g) refuses to provide the data subject with the requested information (Article 12 and Article 21);
(h) fails to adopt or implement measures for ensuring security of personal data processing (Article 13);
(i) fails to fulfil the notification obligation pursuant to this Act (Articles 16 and 27);
(j) don’t maintain an inventory of personal data breaches pursuant to Article 88 (7) of the Electronic Communications Act.
(k) fails to implement imposed remedial measures in the fiwed period.
(2) Legal person in the position of the controller or processor commits an administrative delict if he in the course of personal data processing:
(a) jeopardises a substantial number of persons by unauthorized interference in the private and personal lives, or
(b) fails to fulfil obligations related to the processing of sensitive data (Article 9)
by some of the courses of action pursuant to paragraph 1.
(3) A fine up to CZK 5,000,000 shall be imposed for an administrative offence pursuant to paragraph 1.
(4) A fine up to CZK 10,000,000 shall be imposed for an administrative offence pursuant to paragraph 2.
Article 45a
(1) Legal person or natural person doing business commits an administrative delict by breaching prohibition to publish of personal data provided by other legal regulation.
(2) A fine up to CZK 1,000,000 shall be imposed for an administrative delict pursuant to paragraph 1.
(3) A fine up to CZK 5,000,000 shall be imposed for an offence pursuant to paragraph 1 committed by press, film, radio, television, publicly accessible computer network or by other equally effective way.
|