Article 84
Penalties

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 84 keyboard_arrow_down Hide the recitals of the Regulation related to article 84 keyboard_arrow_up

(148) In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.

(149) Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.

(151) The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.

Show the recitals of the Directive related to article 84 keyboard_arrow_down Hide the recitals of the Directive related to article 84 keyboard_arrow_up

(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive;

The GDPR

Article 84 of the Regulation does not bring anything new. It takes the principles already present in the Directive: Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. These penalties must be effective, proportionate and dissuasive.

The only real novelty is that each Member State shall notify the Commission of the measures it adopts under paragraph 1, no later than 2 years after the publication of the Regulation, and without delay of any subsequent amendment affecting them.

The Directive

The Directive contained only a general provision (Art. 24) requiring the states to take appropriate measures to ensure full implementation of its provisions and specify penalties in cases of infringement of the provisions adopted pursuant to this Directive.

Potential issues

The divergences with respect to penalties between the Member States could be damaging to a harmonized protection but the imposition of the system of administrative penalty provided for in Article 83 in each Member State should limit these consequences.

Group 29

Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (3 October 2017)

(Endorsed by the EDPB)

The EU has completed a comprehensive reform of data protection regulation in Europe. The reform rests on several pillars (key components): coherent rules, simplified procedures, coordinated actions, user involvement, more effective information and stronger enforcement powers.

Data controllers and data processors have increased responsibilities to ensure that personal data of the individuals is protected effectively. Supervisory authorities have powers to ensure that the principles of the General Data Protection Regulation (hereafter ‘the Regulation’) as well as the rights of the individuals concerned are upheld according to the wording and the spirit of the Regulation.

Consistent enforcement of the data protection rules is central to a harmonized data protection regime. Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by article 58.

This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of article 83 of the Regulation as well as its interplay with articles 58 and 70 and their corresponding recitals.

In particular, according to article 70, (1) (e), the European Data Protection Board (hereafter ‘EDPB’) is empowered to issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation and article 70, (1), (k) specifies the provision for guidelines concerning the setting of administrative fines.

These guidelines are not exhaustive, neither will they provide explanations about the differences between administrative, civil or criminal law systems when imposing administrative sanctions in general.

In order to achieve a consistent approach to the imposition of the administrative fines, which adequately reflects all of the principles in these guidelines, the EDPB has agreed on a common understanding of the assessment criteria in article 83 (2) of the Regulation and therefore the EDPB and individual supervisory authorities agree on using this Guideline as a common approach.

Link

Regulation
1e 2e

Art. 84

1.   Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

2.   Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

1st proposal close

Art. 78

1. Member States shall lay down the rules on penalties, applicable to infringements of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented, including where the controller did not comply with the obligation to designate a representative. The penalties provided for must be effective, proportionate and dissuasive.

2. Where the controller has established a representative, any penalties shall be applied to the representative, without prejudice to any penalties which could be initiated against the controller.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

2nd proposal close

Art. 79b

 1. For infringements (…)of this Regulation in particular for infringements which are not subject to administrative fines pursuant to (…) Article 79a Member States shall lay down the rules on penalties applicable to such infringements and shall take all measures necessary to ensure that they are implemented (…). Such penalties shall be effective, proportionate and dissuasive.

2. (…).

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Directive close

Art. 24

The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.

55A. Power of Commissioner to impose monetary penalty

(1) The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—

(a) there has been a serious contravention of section 4(4) by the data controller,

(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and

(c) subsection (2) or (3) applies.

(2) This subsection applies if the contravention was deliberate.

(3) This subsection applies if the data controller—

(a) knew or ought to have known —

(i) that there was a risk that the contravention would occur, and

(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but

(b) failed to take reasonable steps to prevent the contravention.

(3A) The Commissioner may not be satisfied as mentioned in subsection (1) by virtue of any matter which comes to the Commissioner's attention as a result of anything done in pursuance of—

(a) an assessment notice;

(b) an assessment under section 51(7).

(4) A monetary penalty notice is a notice requiring the data controller to pay to the Commissioner a monetary penalty of an amount determined by the Commissioner and specified in the notice.

(5) The amount determined by the Commissioner must not exceed the prescribed amount.

(6) The monetary penalty must be paid to the Commissioner within the period specified in the notice.

(7) The notice must contain such information as may be prescribed.

(8) Any sum received by the Commissioner by virtue of this section must be paid into the Consolidated Fund.

(9) In this section—

“data controller” does not include the Crown Estate Commissioners, a relevant person or a person who is a data controller by virtue of section 63(3);

“prescribed” means prescribed by regulations made by the Secretary of State; and

“relevant person” means a person who is discharging functions in relation to the management of any property, rights or interests to which section 90B(5) of the Scotland Act 1998 applies.

55B. Monetary penalty notices: procedural rights

(1) Before serving a monetary penalty notice, the Commissioner must serve the data controller with a notice of intent.

(2) A notice of intent is a notice that the Commissioner proposes to serve a monetary penalty notice.

(3) A notice of intent must—

(a) inform the data controller that he may make written representations in relation to the Commissioner's proposal within a period specified in the notice, and

(b) contain such other information as may be prescribed.

(4) The Commissioner may not serve a monetary penalty notice until the time within which the data controller may make representations has expired.

(5) A person on whom a monetary penalty notice is served may appeal to the Tribunal against—

(a) the issue of the monetary penalty notice;

(b) the amount of the penalty specified in the notice.

(6) In this section, “prescribed” means prescribed by regulations made by the Secretary of State.

55C. Guidance about monetary penalty notices

(1) The Commissioner must prepare and issue guidance on how he proposes to exercise his functions under sections 55A and 55B.

(2) The guidance must, in particular, deal with—

(a) the circumstances in which he would consider it appropriate to issue a monetary penalty notice, and

(b) how he will determine the amount of the penalty.

(3) The Commissioner may alter or replace the guidance.

(4) If the guidance is altered or replaced, the Commissioner must issue the altered or replacement guidance.

(5) The Commissioner must consult the Secretary of State before issuing any guidance under this section.

(6) The Commissioner must lay any guidance issued under this section before each House of Parliament.

(7) The Commissioner must arrange for the publication of any guidance issued under this section in such form and manner as he considers appropriate.

(8) In subsections (5) to (7), “guidance” includes altered or replacement guidance.

55D. Monetary penalty notices: enforcement

(1) This section applies in relation to any penalty payable to the Commissioner by virtue of section 55A.

(2) In England and Wales, the penalty is recoverable—

(a) if the county court so orders, as if it were payable under an order of that court;

(b) if the High Court so orders, as if it were payable under an order of that court.

(3) In Scotland, the penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.

(4) In Northern Ireland, the penalty is recoverable—

(a) if a county court so orders, as if it were payable under an order of that court;

(b) if the High Court so orders, as if it were payable under an order of that court.

55E. Notices under sections 55A and 55B: supplemental

(1) The Secretary of State may by order make further provision in connection with monetary penalty notices and notices of intent.

(2) An order under this section may in particular—

(a) provide that a monetary penalty notice may not be served on a data controller with respect to the processing of personal data for the special purposes except in circumstances specified in the order;

(b) make provision for the cancellation or variation of monetary penalty notices;

(c) confer rights of appeal to the Tribunal against decisions of the Commissioner in relation to the cancellation or variation of such notices;

(d) F12. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(e) make provision for the determination of [F13appeals made by virtue of paragraph (c)];

(f) F14. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(3) An order under this section may apply any provision of this Act with such modifications as may be specified in the order.

(4) An order under this section may amend this Act.

close