The GDPR
Article 84 of the Regulation does not bring anything new. It takes up the principles already present in the Directive: Member States shall lay down the rules on other penalties applicable to infringements of this Regulation, in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. These penalties must be effective, proportionate and dissuasive.
The only real novelty is that each Member State shall notify the Commission of the measures it adopts under paragraph 1 no later than 2 years after the publication of the Regulation and, without delay, of any subsequent amendment affecting them.
The Directive
The Directive contained only a general provision (Art. 24) requiring Member States to take appropriate measures to ensure full implementation of its provisions and to specify penalties in cases of infringement of the provisions adopted pursuant to the Directive.
Potential issues
Divergences between Member States with respect to penalties could be damaging to harmonized protection, but the system of administrative penalties that Article 83 imposes in each Member State should limit these consequences.
Group 29
Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (3 October 2017)
(Endorsed by the EDPB)
The EU has completed a comprehensive reform of data protection regulation in Europe. The reform rests on several pillars (key components): coherent rules, simplified procedures, coordinated actions, user involvement, more effective information and stronger enforcement powers.
Data controllers and data processors have increased responsibilities to ensure that personal data of the individuals is protected effectively. Supervisory authorities have powers to ensure that the principles of the General Data Protection Regulation (hereafter ‘the Regulation’) as well as the rights of the individuals concerned are upheld according to the wording and the spirit of the Regulation.
Consistent enforcement of the data protection rules is central to a harmonized data protection regime. Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by article 58.
This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of article 83 of the Regulation as well as its interplay with articles 58 and 70 and their corresponding recitals.
In particular, according to article 70, (1) (e), the European Data Protection Board (hereafter ‘EDPB’) is empowered to issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation and article 70, (1), (k) specifies the provision for guidelines concerning the setting of administrative fines.
These guidelines are not exhaustive, neither will they provide explanations about the differences between administrative, civil or criminal law systems when imposing administrative sanctions in general.
In order to achieve a consistent approach to the imposition of the administrative fines, which adequately reflects all of the principles in these guidelines, the EDPB has agreed on a common understanding of the assessment criteria in article 83 (2) of the Regulation and therefore the EDPB and individual supervisory authorities agree on using this Guideline as a common approach.