Article 84
Penalties

Recitals of the Regulation related to article 84

(148) In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.

(149) Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.

(151) The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.

Recitals of the Directive related to article 84

(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive;

The GDPR

Article 84 of the Regulation does not bring anything new. It takes over the principles already present in the Directive: Member States shall lay down the rules on other penalties applicable to infringements of this Regulation, in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. These penalties must be effective, proportionate and dissuasive.

The only real novelty is that each Member State shall notify the Commission of the measures it adopts under paragraph 1, no later than 2 years after the publication of the Regulation, and without delay of any subsequent amendment affecting them.

The Directive

The Directive contained only a general provision (Art. 24) requiring the states to take appropriate measures to ensure full implementation of its provisions and specify penalties in cases of infringement of the provisions adopted pursuant to this Directive.

Potential issues

Divergences between the Member States with respect to penalties could damage harmonized protection, but the system of administrative penalties that Article 83 imposes in each Member State should limit these consequences.

Group 29

Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (3 October 2017)

(Endorsed by the EDPB)

The EU has completed a comprehensive reform of data protection regulation in Europe. The reform rests on several pillars (key components): coherent rules, simplified procedures, coordinated actions, user involvement, more effective information and stronger enforcement powers.

Data controllers and data processors have increased responsibilities to ensure that personal data of the individuals is protected effectively. Supervisory authorities have powers to ensure that the principles of the General Data Protection Regulation (hereafter ‘the Regulation’) as well as the rights of the individuals concerned are upheld according to the wording and the spirit of the Regulation.

Consistent enforcement of the data protection rules is central to a harmonized data protection regime. Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by article 58.

This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of article 83 of the Regulation as well as its interplay with articles 58 and 70 and their corresponding recitals.

In particular, according to article 70, (1) (e), the European Data Protection Board (hereafter ‘EDPB’) is empowered to issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation and article 70, (1), (k) specifies the provision for guidelines concerning the setting of administrative fines.

These guidelines are not exhaustive, neither will they provide explanations about the differences between administrative, civil or criminal law systems when imposing administrative sanctions in general.

In order to achieve a consistent approach to the imposition of the administrative fines, which adequately reflects all of the principles in these guidelines, the EDPB has agreed on a common understanding of the assessment criteria in article 83 (2) of the Regulation and therefore the EDPB and individual supervisory authorities agree on using this Guideline as a common approach.


Regulation

Art. 84

1.   Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

2.   Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

1st proposal

Art. 78

1. Member States shall lay down the rules on penalties, applicable to infringements of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented, including where the controller did not comply with the obligation to designate a representative. The penalties provided for must be effective, proportionate and dissuasive.

2. Where the controller has established a representative, any penalties shall be applied to the representative, without prejudice to any penalties which could be initiated against the controller.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

2nd proposal

Art. 79b

1. For infringements (…) of this Regulation in particular for infringements which are not subject to administrative fines pursuant to (…) Article 79a Member States shall lay down the rules on penalties applicable to such infringements and shall take all measures necessary to ensure that they are implemented (…). Such penalties shall be effective, proportionate and dissuasive.

2. (…).

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Directive

Art. 24

The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.

Special penal provisions

Administrative penalties

§ 62 DSG

(1) Unless the offence meets the elements of Article 83 of the General Data Protection Regulation or is subject to a more severe punishment according to other administrative penal provisions, an administrative offence punishable by a fine of up to €50,000 is committed by anyone who

  1.  intentionally and illegally gains access to data processing or maintains an obviously illegal means of access,
  2. transmits data intentionally in violation of the rules on confidentiality (§ 6), in particular intentionally uses data entrusted to him or her according to § 7 or § 8 for other prohibited purposes,
  3. by giving incorrect information intentionally obtains personal data according to § 10,
  4. processes images contrary to the provisions of Chapter 1, Part 3, or
  5. refuses inspection pursuant to § 22 para. 2.

(2) Attempts shall be punishable.

(3) In the case of an administrative offence pursuant to paras. 1 and 2, administrative fines can be imposed on legal persons in accordance with § 30.

(4) Data media and programs as well as apparatus for the transmission and recording of images can be forfeited (§ 10, § 17 and § 18 of the Administrative Penal Act) if they are linked to an administrative offence according to para. 1.

(5) The Data Protection Authority shall be the competent authority for decisions pursuant to paras. 1 to 4.


Processing with the intention to make a profit or to cause harm

§ 63 DSG

Whoever, with the intention to enrich himself or a third person unlawfully or to harm someone regarding that person’s entitlement guaranteed according to § 1 para. 1, deliberately uses personal data that have been entrusted to or have become accessible to him solely because of his professional occupation, or that he has acquired illegally, for himself or makes such data available to another person or publishes such data despite the data subject’s interest in confidentiality which deserves protection, shall be punished by a court with imprisonment of up to one year or with a fine of up to €720, unless the offence is subject to a more severe punishment pursuant to another provision.

Old law

All of the following in force until May 25, 2018:


Penal Provisions

Use of Data with the Intention to make a Profit or to Cause Harm

§ 51 DSG 2000

(1) Whoever with the intention to enrich himself or a third person unlawfully or to harm someone in his entitlement guaranteed according to § 1 para 1 deliberately uses personal data that have been entrusted to or made accessible to him solely because of professional reasons, or that he has acquired illegally, for himself or makes such data available to others or publishes such data with the intention to make a profit or to harm others, despite the data subject’s interest in secrecy deserving protection, shall be punished by a court with imprisonment up to a year, unless the offence shall be subject to a more severe punishment pursuant to another provision.


Administrative Penalties

§ 52 DSG 2000

(1) Insofar as the act does not realize the legal elements of a criminal offence subject to the jurisdiction of the courts of law and is not subject to more severe penalties according to another administrative provision, an administrative offence punishable by a fine of up to 25 000 Euro is committed by anyone who

1. intentionally and illegally gains access to a data application or maintains an obviously illegal means of access or

2. transmits data intentionally in violation of the rules on confidentiality (§ 15), and in particular anybody who uses data entrusted to him according to § 46 and 47 for other purposes or

3. uses or fails to grant information, to rectify or erase data in violation of a final judicial decision or ruling,

4. intentionally erases data in violation of § 26 para. 7;

5. by pretending incorrect facts intentionally obtains data according to § 48a.

(2) Insofar as the act does not realize the legal elements of a criminal offence subject to the jurisdiction of the courts of law, an administrative offence punishable by a fine of up to 10 000 Euro is committed by anyone who

1. collects, processes and transmits data without having fulfilled his obligation to notification according to §§ 17 or 50c or operates a data application in a manner deviating from the notification.

2. engages in data transmissions or abandonments without the necessary permit of the Data Protection Authority according to § 13 para 1 or

3. violates declarations given according to § 13 para 2 sub-para. 2, § 19 or 50c para 1 or conditions imposed by the Data Protection Authority according to § 13 para 1 or § 21 para 2 or

4. violates his obligations of disclosure and information according to §§ 23, 24, 25 and 50d or

5. grossly neglects the required data security measures according to § 14 or

6. disregards the safety measures required according to § 50a para 7 and § 50b para 1 or

7. does not delete data after expiring of the period provided for in § 50b para 2 for deletion.

(2a) To the extent the act does not constitute a criminal offence within the jurisdiction of the courts or is punishable under other administrative penal regulations, who, contrary to §§ 26, 27 or 28, does not in time give information on, corrects or deletes data, commits an administrative offence to be punished with a fine up to € 500.

(3) Attempts shall be punished.

(4) Data media or programs as well as picture transmitting or -recording devices can be confiscated (§§ 10, 17 and 18 of the Administrative Penal Act 1991 [VStG]), if they are linked to an administrative offence according to para. 1 and 2.

(5) The district administrative authority at the controller's (processor's) domicile or seat shall be the competent authority for decisions according to para. 1 to 4. If there is no domicile or seat in Austria, the district administrative authority at the seat of the Data Protection Authority shall be competent.
