Article 83
General conditions for imposing administrative fines

Official
Texts
Guidelines Caselaw Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 83 keyboard_arrow_down Hide the recitals of the Regulation related to article 83 keyboard_arrow_up

(148) In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.

(149) Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

(150)In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation..

(151) The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.

Show the recitals of the Directive related to article 83 keyboard_arrow_down Hide the recitals of the Directive related to article 83 keyboard_arrow_up

(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive;

The GDPR

Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 and presented below:

These fines must be in all cases effective, proportionate and dissuasive.

Depending on the circumstances of each individual case, the fines shall be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58 (2) that may be imposed by the supervisory authority.

When deciding on the amount of the administrative fine in each individual case, the authority must give due regard to the following:

- the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them (a);

- the intentional or negligent character of the infringement (b);

- any action taken by the controller or processor to mitigate the damage suffered by data subjects (c);

- the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them pursuant to Articles 25 (protection by design and protection by default) and 32 (security of processing) (d);

- any relevant previous infringements by the controller or processor (e); the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement (f);

- the categories of personal data affected by the infringement (g); the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement (h).

Where measures have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures (i). Regard should also be given to the adherence to approved codes of conduct or approved certification mechanisms (j); any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement (k).

As to the amounts, a gradual system exists depending on the severity attributed to the infringement:

  1. Administrative fines up to EUR 10,000,000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (paragraph 4):

 

- the obligations of the controller and the processor (a):

  • relating to consent of children in connection with information society services (Art. 8);
  • relating to processing not requiring identification (Art. 11);
  • relating to data protection by design and data protection by default (Art. 25);
  • rules specific to the joint controllers (Art. 26);
  • relating to representatives of the controller not established in the Union (Art. 27);
  • imposed in the relationship between the controller and the processor (Art. 28);
  • relating to processing under the authority of the controller or processor (Art. 29);
  • relating to keeping a register of all categories of processing activities (Art. 30);
  • concerning the cooperation with the supervisory authority (Art. 31);
  • regarding to the security of processing (Art. 32);
  • relating to the notification of data breach to the supervisory authority (Art. 33);
  • relating to the notification of data breach to the data subjects (Art. 34);
  • concerning the impact assessment regarding the data protection (Art. 35) and prior consultation of the supervisory authority (Art. 36);
  • concerning the designation of a data protection officer (Art. 37), its functions (Art. 38), its missions (Art. 39);
  • relating to certification (Art. 42) and the certification procedure (Art. 43).

- obligations of the certification body in the meaning of Articles 42 and 43 (b);

- obligations of the body charged to monitor the adherence to the code of conduct in the meaning of Art. 41 (4) (c).

  1. Fines up to EUR 20,000,000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements to the following provisions (paragraph 5):

the basic principles for processing, including conditions for consent, pursuant to Articles 5 (Principles relating to processing of personal data), 6 (Lawfulness of processing), 7 (Conditions applicable to consent) and 9 (Processing of specific categories of personal data);

- the rights of data subjects within the meaning of Articles 12 to 22 of the Regulation;

- rules relating to the transfers of personal data to a recipient in a third country or an international organization (Articles 44 to 49;

- any obligations pursuant to Member State law adopted under Chapter IX; let’s remind that Chapter IX gives the Member States a certain discretion in view of processing of personal data and freedom of expression and information (see Art. 86); processing of a national identification number (Art. 87), etc.

- non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58 (2) or failure to provide access in violation of Article 58 (1);

In addition, non-compliance with an order by the supervisory authority shall be subject to administrative fines up to EUR 20,000,000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (paragraph 6).

It should be noted that if a controller or processor intentionally or negligently, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement (paragraph 3).

Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58 (2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State (paragraph 7).

The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process (paragraph 8).

Finally, where the legal system of the Member State does not provide for administrative fines, Article 83 may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts (paragraph 9). In this case, those legal remedies must be effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In all cases, those fines must be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt not later than the day of entry of this Regulation into force pursuant to Article 99 (2) and also notify without delay any subsequent amendment law or amendment affecting them.

The Directive

Directive relied totally on Member States regarding the sanctions in case of violation of provisions adopted in application of the Directive (Article 24).

Potential issues

The most obvious difficulty will be for recognition by each Member States legal system of such new powers to be exercised by the supervisory authorities and to provide specific procedural safeguards to be implemented in addition to the general procedural rules.

In Belgium for example, the possible recognition of such a power to impose fines of such an amount would change completely the relationship of individuals to the Commission for Protection of Privacy. The latter, as we have said, was designed more as a conciliatory body than a controlling authority and previously had no power to impose any fines.

It should be noted that the power of the national authority could be limited to the initiation of the fine and only a court would have the competence to impose it. The questions are what the initiation power would cover and whether the court may or may not review or refuse to apply it in the context of its intervention.

Summary

European Union

European Union

European Data Protection Board

Guidelines 04/2022 on the calculation of administrative fines under the GDPR (24 May 2023)

The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating of the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine.

The calculation of the amount of the fine is at the discretion of the supervisory authority, subject to the rules provided for in the GDPR. In that context, the GDPR requires that the amount of the fine shall in each individual case be effective, proportionate and dissuasive (Article 83(1) GDPR). Moreover, when setting the amount of the fine, supervisory authorities shall give due regard to a list of circumstances that refer to features of the infringement (its seriousness) or of the character of the perpetrator (Article 83(2) GDPR). Lastly, the amount of the fine shall not exceed the maximum amounts provided for in Articles 83(4) (5) and (6) GDPR. The quantification of the amount of the fine is therefore based on a specific evaluation carried out in each case, within the parameters provided for by the GDPR. Taking the abovementioned into account, the EDPB has devised the following methodology, consisting of five steps, for calculating administrative fines for infringements of the GDPR.

Firstly, the processing operations in the case must be identified and the application of Article 83(3) GDPR needs to be evaluated (Chapter 3). Second, the starting point for further calculation of the amount of the fine needs to be identified (Chapter 4). This is done by evaluating the classification of the infringement in the GDPR, evaluating the seriousness of the infringementin light of the circumstances of the case, and evaluating the turnover of the undertaking. The third step is the evaluation of aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly (Chapter 5). The fourth step is identifying the relevant legal maximums for the different infringements. Increases applied in previous or next steps cannot exceed this maximum amount (Chapter 6). Lastly, it needs to be analysed whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality. The fine can still be adjusted accordingly (Chapter 7), however without exceeding the relevant legal maximum.

Throughout all abovementioned steps, it must be borne in mind that the calculation of a fine is no mere mathematical exercise. Rather, the circumstances of the specific case are the determining factors leading to the final amount, which can – in all cases – be any amount up to and including the legal maximum.

These Guidelines and its methodology will remain under constant review of the EDPB

Link

 

Retour au sommaire

Article 29 Working Party

Guidelines on the application and setting of administrative fines - wp253 (3 October 2017)

(Endorsed by the EDPB)

The EU has completed a comprehensive reform of data protection regulation in Europe. The reform rests on several pillars (key components): coherent rules, simplified procedures, coordinated actions, user involvement, more effective information and stronger enforcement powers.

Data controllers and data processors have increased responsibilities to ensure that personal data of the individuals is protected effectively. Supervisory authorities have powers to ensure that the principles of the General Data Protection Regulation (hereafter ‘the Regulation’) as well as the rights of the individuals concerned are upheld according to the wording and the spirit of the Regulation.

Consistent enforcement of the data protection rules is central to a harmonized data protection regime. Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by article 58.

This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of article 83 of the Regulation as well as its interplay with articles 58 and 70 and their corresponding recitals.

In particular, according to article 70, (1) (e), the European Data Protection Board (hereafter ‘EDPB’) is empowered to issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation and article 70, (1), (k) specifies the provision for guidelines concerning the setting of administrative fines.

These guidelines are not exhaustive, neither will they provide explanations about the differences between administrative, civil or criminal law systems when imposing administrative sanctions in general.

In order to achieve a consistent approach to the imposition of the administrative fines, which adequately reflects all of the principles in these guidelines, the EDPB has agreed on a common understanding of the assessment criteria in article 83 (2) of the Regulation and therefore the EDPB and individual supervisory authorities agree on using this Guideline as a common approach.

Link

Retour au sommaire

Summary

European Union

European Union

CJEU caselaw

C-807/21,  Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (5 December 2023)

1.      Article 58(2)(i) and Article 83(1) to (6) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as precluding national legislation under which an administrative fine may be imposed on a legal person in its capacity as controller in respect of an infringement referred to in Article 83(4) to (6) only in so far as that infringement has previously been attributed to an identified natural person.

2.      Article 83 of Regulation 2016/679

must be interpreted as meaning that an administrative fine may be imposed pursuant to that provision only where it is established that the controller, which is both a legal person and an undertaking, intentionally or negligently committed an infringement referred to in Article 83(4) to (6) thereof.

Decision of the Court

Opinion of the advocate general

C-683/21, Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos v. Valstybinė duomenų apsaugos inspekcija, (5 December 2023)

1.      Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that an entity which has entrusted an undertaking with the development of a mobile IT application and which has, in that context, participated in the determination of the purposes and means of the processing of personal data carried out through that application may be regarded as a controller, within the meaning of that provision, even if that entity has not itself performed any processing operations in respect of such data, has not expressly agreed to the performance of specific operations for such processing or to that mobile application being made available to the public, and has not acquired the abovementioned mobile application, unless, prior to that application being made available to the public, that entity expressly objected to such making available and to the resulting processing of personal data.

2.      Article 4(7) and Article 26(1) of Regulation 2016/679

must be interpreted as meaning that the classification of two entities as joint controllers does not require that there be an arrangement between those entities regarding the determination of the purposes and means of the processing of personal data in question; nor does it require that there be an arrangement laying down the terms of the joint control.

3.      Article 4(2) of Regulation 2016/679

must be interpreted as meaning that the use of personal data for the purposes of the IT testing of a mobile application constitutes ‘processing’, within the meaning of that provision, unless such data have been rendered anonymous in such a manner that the subject of those data is not or is no longer identifiable, or unless it involves fictitious data which do not relate to an existing natural person.

4.      Article 83 of Regulation 2016/679

must be interpreted as meaning that (i) an administrative fine may be imposed pursuant to that provision only where it is established that the controller has intentionally or negligently committed an infringement referred to in paragraphs 4 to 6 of that article, and (ii) such a fine may be imposed on a controller in respect of personal data processing operations performed by a processor on behalf of that controller, unless, in the context of those operations, that processor has carried out processing for its own purposes or has processed such data in a manner incompatible with the framework of, or detailed arrangements for, the processing as determined by the controller, or in such a manner that it cannot reasonably be considered that that controller consented to such processing.

Opinion of Advocate general 

Judgment of the court

Retour au sommaire Retour au sommaire
Regulation
1e 2e

1.   Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2.   Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intentional or negligent character of the infringement;

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e) any relevant previous infringements by the controller or processor;

(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g) the categories of personal data affected by the infringement;

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

(b) the obligations of the certification body pursuant to Articles 42 and 43;

(c) the obligations of the monitoring body pursuant to Article 41(4).

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

(b) the data subjects' rights pursuant to Articles 12 to 22;

(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

(d) any obligations pursuant to Member State law adopted under Chapter IX;

(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.

1st proposal close

Art. 79 

1. Each supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.

2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.

3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where:

(a) a natural person is processing personal data without a commercial interest; or

(b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.

4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:

(a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2);

(b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).

5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:

(a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14;

(b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13;

(c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17;

(d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18;

(e) does not or not sufficiently determine the respective responsibilities with co-controllers pursuant to Article 24;

(f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3);

(g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes.

6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:

(a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8;

(b) processes special categories of data in violation of Articles 9 and 81;

(c) does not comply with an objection or the requirement pursuant to Article 19;

(d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20;

(e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30;

(f) does not designate a representative pursuant to Article 25;

(g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27;

(h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32;

(i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34;

(j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37;

(k) misuses a data protection seal or mark in the meaning of Article 39;

(l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44;

(m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1);

(n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2);

(o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84.

7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of updating the amounts of the administrative fines referred to in paragraphs 4, 5 and 6, taking into account the criteria referred to in paragraph 2.

 

2nd proposal close

Art. 79a

 1. The supervisory authority (…) may impose a fine that shall not exceed 250 000 EUR, or in case of an undertaking 0,5 % of its total worldwide annual turnover of the preceding financial year, on a controller who, intentionally or negligently: (a) does not respond within the period referred to in Article 12(2) to requests of the data subject; (b) charges a fee in violation of the first sentence of paragraph 4 of Article 12.

2. The supervisory authority (…) may impose a fine that shall not exceed 500 000 EUR, or in case of an undertaking 1% of its total worldwide annual (…) turnover of the preceding financial year, on a controller or processor who, intentionally or negligently:

(a) does not provide the information, or (…) provides incomplete information, or does not provide the information [timely or] in a [sufficiently] transparent manner, to the data subject pursuant to Articles 12(3),14 and 14a;

(b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 (…);

(c) does not erase personal data in violation of the right to erasure and 'to be forgotten' pursuant to Article 17(1)(a), 17(1)(b), 17(1)(d) or 17(1)(e);

(d) (…)

(da) processes personal data in violation of the right to restriction of processing pursuant to Article 17a or does not inform the data subject before the restriction of processing is lifted pursuant to Article 17a(4);

(db) does not communicate any rectification, erasure or restriction of processing to each recipient to whom the controller has disclosed personal data, in violation of Article 17b;

(dc) does not provide the data subject’s personal data concerning him or her (…) in violation of Article 18;

(dd) processes personal data after the objection of the data subject pursuant to Article 19(1) and does not demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;

(de) does not provide the data subject with information concerning the right to object processing for direct marketing purposes pursuant to Article 19(2) or continues to process data for direct marketing purposes after the objection of the data subject in violation of Article 19(2a);

(e) does not or not sufficiently determine the respective responsibilities with joint controllers pursuant to Article 24;

(f) does not or not sufficiently maintain the documentation pursuant to Article 28 and Article 31(4).

(g) (…)

3. The supervisory authority (…) may impose a fine that shall not exceed 1 000 000 EUR or, in case of an undertaking, 2 % of its total worldwide annual turnover of the preceding financial year, on a controller or processor who, intentionally or negligently:

(a) processes personal data without a (…) legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7, 8 and 9;

(b) (…);

(c) (…); (d) does not comply with the conditions in relation to (…)automated individual decision making, including profiling pursuant to Article 20;

(da) does not (…) implement appropriate measures or is not able to demonstrate compliance pursuant to Articles 22 (…) and 30;

(db) does not designate a representative in violation of Article 25;

(dc) processes or instructs the processing of personal data in violation of (…) Articles 26;

(dd) does not alert on or notify a personal data breach or does not [timely or] completely notify the data breach to the supervisory authority or to the data subject in violation of Articles 31 and 32;

(de) does not carry out a data protection impact assessment in violation of Article 33 or processes personal data without prior consultation of the supervisory authority in violation of Article 34(2);

(e) (…);

(f) misuses a data protection seal or mark in the meaning of Article 39 or does not comply with the conditions and procedures laid down in Articles 38a and 39a;

(g) carries out or instructs a data transfer to a recipient in a third country or an international organisation in violation of Articles 41 to 44;

(h) does not comply with an order or a temporary or definite limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 53 (1b) or does not provide access in violation of Article 53(1).

(i) (…)

(j) (…).

3a. If a controller or processor intentionally or negligently violates several provisions of this Regulation listed in paragraphs 1, 2 or 3, the total amount of the fine may not exceed the amount specified for the gravest violation.

4. (…)

Directive close

Art. 24

The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.

close