Article 84
Penalties

Recitals of the Regulation related to article 84

(148) In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.

(149) Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.

(151) The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.

Recitals of the Directive related to article 84

(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private or public law, who fails to comply with the national measures taken under this Directive;

The GDPR

Article 84 of the Regulation does not bring anything new. It takes up the principles already present in the Directive: Member States shall lay down the rules on other penalties applicable to infringements of this Regulation, in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. These penalties must be effective, proportionate and dissuasive.

The only real novelty is that each Member State shall notify the Commission of the measures it adopts under paragraph 1, no later than 2 years after the publication of the Regulation, and without delay of any subsequent amendment affecting them.

The Directive

The Directive contained only a general provision (Art. 24) requiring the states to take appropriate measures to ensure full implementation of its provisions and specify penalties in cases of infringement of the provisions adopted pursuant to this Directive.

Potential issues

Divergences between the Member States with respect to penalties could be damaging to harmonized protection, but the imposition in each Member State of the system of administrative penalties provided for in Article 83 should limit these consequences.

Group 29

Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (3 October 2017)

(Endorsed by the EDPB)

The EU has completed a comprehensive reform of data protection regulation in Europe. The reform rests on several pillars (key components): coherent rules, simplified procedures, coordinated actions, user involvement, more effective information and stronger enforcement powers.

Data controllers and data processors have increased responsibilities to ensure that personal data of the individuals is protected effectively. Supervisory authorities have powers to ensure that the principles of the General Data Protection Regulation (hereafter ‘the Regulation’) as well as the rights of the individuals concerned are upheld according to the wording and the spirit of the Regulation.

Consistent enforcement of the data protection rules is central to a harmonized data protection regime. Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by article 58.

This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of article 83 of the Regulation as well as its interplay with articles 58 and 70 and their corresponding recitals.

In particular, according to article 70, (1) (e), the European Data Protection Board (hereafter ‘EDPB’) is empowered to issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation and article 70, (1), (k) specifies the provision for guidelines concerning the setting of administrative fines.

These guidelines are not exhaustive, neither will they provide explanations about the differences between administrative, civil or criminal law systems when imposing administrative sanctions in general.

In order to achieve a consistent approach to the imposition of the administrative fines, which adequately reflects all of the principles in these guidelines, the EDPB has agreed on a common understanding of the assessment criteria in article 83 (2) of the Regulation and therefore the EDPB and individual supervisory authorities agree on using this Guideline as a common approach.


Regulation

Art. 84

1.   Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

2.   Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

1st proposal

Art. 78

1. Member States shall lay down the rules on penalties, applicable to infringements of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented, including where the controller did not comply with the obligation to designate a representative. The penalties provided for must be effective, proportionate and dissuasive.

2. Where the controller has established a representative, any penalties shall be applied to the representative, without prejudice to any penalties which could be initiated against the controller.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

2nd proposal

Art. 79b

1. For infringements (…) of this Regulation in particular for infringements which are not subject to administrative fines pursuant to (…) Article 79a Member States shall lay down the rules on penalties applicable to such infringements and shall take all measures necessary to ensure that they are implemented (…). Such penalties shall be effective, proportionate and dissuasive.

2. (…).

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Directive

Art. 24

The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.

Article 44
(1) Natural person who
(a) is in a labour or similar relationship to the controller or processor;
(b) carries out activities for the controller or processor on the basis of an agreement, or who
(c) in the framework of fulfilling powers and obligations imposed by a special Act comes into contact with personal data at the controller or processor,
commits an offence by breaching the obligation to maintain confidentiality (Article 15).
(2) Natural person in the position of the controller or processor commits an offence in the course of personal data processing if he:
(a) fails to specify the purpose, means or manner of processing (Article 5(1)(a) and (b)) or breaches an obligation by the specified purpose of processing or exceeds his authority ensuing from a special Act,
(b) processes inaccurate personal data (Article 5(1)(c))
(c) collects or processes personal data in an extent or manner which does not correspond to the specified purpose (Article 5(1)(d),(f) thru (h))
(d) retains personal data for a period longer than necessary for the purpose of processing (Article 5(1)(e))
(e) processes personal data without the consent of data subject except for the cases provided by law (Article 5(2) and Article 9)
(f) fails to provide the data subject with information in the scope or in the manner provided by law (Article 11)
(g) refuses to provide the data subject with the requested information (Articles 12 and 21)
(h) fails to adopt or implement measures for ensuring security of personal data processing (Article 13)
(i) fails to fulfil the notification obligation pursuant to this Act (Articles 16 and 27)
(j) fails to implement imposed remedial measures in the fixed period.
(3) Natural person in the position of the controller or processor commits an offence if he in the course of personal data processing:
(a) jeopardises a substantial number of persons by unauthorized interference in the private and personal lives, or
(b) fails to fulfil obligations related to the processing of sensitive data (Article 9)
by some of the courses of action pursuant to paragraph 2.
(4) A fine up to CZK 100,000 may be imposed for an offence pursuant to paragraph 1.
(5) A fine up to CZK 1,000,000 may be imposed for an offence pursuant to paragraph 2.
(6) A fine up to CZK 5,000,000 may be imposed for an offence pursuant to paragraph 3.

Article 44a
(1) Natural person commits an offence by breaching prohibition to publish personal data provided by other legal regulation.
(2) A fine up to CZK 1,000,000 may be imposed for an offence pursuant to paragraph 1.
(3) A fine up to CZK 5,000,000 may be imposed for an offence pursuant to paragraph 1 committed by press, film, radio, television, publicly accessible computer network or by other equally effective way.

Article 45
(1) Legal or natural person doing business according to special regulations when processing personal data in the position of the controller or processor commits an administrative delict if he:
(a) fails to specify the purpose, means or manner of processing (Article 5(1)(a) and (b)) or breaches an obligation by the specified purpose of processing or exceeds his authority ensuing from a special Act;
(b) processes inaccurate personal data (Article 5(1)(c));
(c) collects or processes personal data in a scope or manner which does not correspond to the specified purpose (Article 5(1)(d), (f) thru (h));
(d) retains personal data for a period longer than necessary for the purpose of processing (Article 5(1)(e));
(e) processes personal data without the consent of data subject except for the cases provided by law (Article 5(2) and Article 9);
(f) fails to provide the data subject with information in the scope or in the manner provided by law (Article 11);
(g) refuses to provide the data subject with the requested information (Article 12 and Article 21);
(h) fails to adopt or implement measures for ensuring security of personal data processing (Article 13);
(i) fails to fulfil the notification obligation pursuant to this Act (Articles 16 and 27);
(j) does not maintain an inventory of personal data breaches pursuant to Article 88 (7) of the Electronic Communications Act;
(k) fails to implement imposed remedial measures in the fixed period.
(2) Legal person in the position of the controller or processor commits an administrative delict if he in the course of personal data processing:
(a) jeopardises a substantial number of persons by unauthorized interference in the private and personal lives, or
(b) fails to fulfil obligations related to the processing of sensitive data (Article 9)
by some of the courses of action pursuant to paragraph 1.
(3) A fine up to CZK 5,000,000 shall be imposed for an administrative offence pursuant to paragraph 1.
(4) A fine up to CZK 10,000,000 shall be imposed for an administrative offence pursuant to paragraph 2.

Article 45a
(1) Legal person or natural person doing business commits an administrative delict by breaching prohibition to publish personal data provided by other legal regulation.
(2) A fine up to CZK 1,000,000 shall be imposed for an administrative delict pursuant to paragraph 1.
(3) A fine up to CZK 5,000,000 shall be imposed for an offence pursuant to paragraph 1 committed by press, film, radio, television, publicly accessible computer network or by other equally effective way.

Article 46
(1) Legal person shall not be liable for an administrative delict if he proves that he has made all reasonable effort to prevent the breach of a legal obligation.
(2) When deciding on the amount of the fine, especially the seriousness, manner, duration and consequences of the unlawful behaviour and the circumstances under which the unlawful behaviour was committed shall be taken into account.
(3) Liability of the legal person for an administrative delict becomes extinct, if the administrative body has not initiated proceedings within 1 year as of the day when it learned of it, but not later than within 3 years as of the day when the delict was committed.
(4) Administrative delicts pursuant to this act shall be dealt with in the first instance by the Office.
(5) The provisions on the liability of legal person and related sanctions apply to the liability for the behaviour of natural person that occurred when the natural person carried on business activities or in a direct relation to such business activities.
(6) The fine is payable within 30 days as of the day when the decision on imposing the fine came into force.
(7) The fine shall be collected by the Office. The revenue from fines shall be an income of the state budget.
