menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Denmark) language
Contact our local member in Denmark mail_outline
Visit the website of Integra account_balance

arrow_backPrevious Article
Article 84
Next Articlearrow_forward

Penalties

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 84 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 84 keyboard_arrow_up

Key words related to article 84

Show the recitals of the Regulation related to article 84 keyboard_arrow_down Hide the recitals of the Regulation related to article 84 keyboard_arrow_up

(148) In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.

(149) Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.

(151) The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.

Show the recitals of the Directive related to article 84 keyboard_arrow_down Hide the recitals of the Directive related to article 84 keyboard_arrow_up

(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive;

The GDPR

Article 84 of the Regulation does not bring anything new. It takes the principles already present in the Directive: Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. These penalties must be effective, proportionate and dissuasive.

The only real novelty is that each Member State shall notify the Commission of the measures it adopts under paragraph 1, no later than 2 years after the publication of the Regulation, and without delay of any subsequent amendment affecting them.

The Directive

The Directive contained only a general provision (Art. 24) requiring the states to take appropriate measures to ensure full implementation of its provisions and specify penalties in cases of infringement of the provisions adopted pursuant to this Directive.

Potential issues

The divergences with respect to penalties between the Member States could be damaging to a harmonized protection but the imposition of the system of administrative penalty provided for in Article 83 in each Member State should limit these consequences.

arrow_back Previous ArticleArticle 84Next Article arrow_forward
arrow_back Previous ArticleArticle 84 Next Article arrow_forward

Summary

European Union

European Union

Retour au sommaire

Article 29 Working Party

Guidelines on the application and setting of administrative fines - wp253 (3 October 2017)

(Endorsed by the EDPB)

The EU has completed a comprehensive reform of data protection regulation in Europe. The reform rests on several pillars (key components): coherent rules, simplified procedures, coordinated actions, user involvement, more effective information and stronger enforcement powers.

Data controllers and data processors have increased responsibilities to ensure that personal data of the individuals is protected effectively. Supervisory authorities have powers to ensure that the principles of the General Data Protection Regulation (hereafter ‘the Regulation’) as well as the rights of the individuals concerned are upheld according to the wording and the spirit of the Regulation.

Consistent enforcement of the data protection rules is central to a harmonized data protection regime. Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by article 58.

This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of article 83 of the Regulation as well as its interplay with articles 58 and 70 and their corresponding recitals.

In particular, according to article 70, (1) (e), the European Data Protection Board (hereafter ‘EDPB’) is empowered to issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation and article 70, (1), (k) specifies the provision for guidelines concerning the setting of administrative fines.

These guidelines are not exhaustive, neither will they provide explanations about the differences between administrative, civil or criminal law systems when imposing administrative sanctions in general.

In order to achieve a consistent approach to the imposition of the administrative fines, which adequately reflects all of the principles in these guidelines, the EDPB has agreed on a common understanding of the assessment criteria in article 83 (2) of the Regulation and therefore the EDPB and individual supervisory authorities agree on using this Guideline as a common approach.

Link

Retour au sommaire
arrow_back Previous Article Article 84 Next Article arrow_forward
Retour au sommaire
arrow_back Previous Article Article 84 Next Article arrow_forward
Regulation
1e 2e

Art. 84

1.   Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

2.   Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
1st proposal close

Art. 78

1. Member States shall lay down the rules on penalties, applicable to infringements of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented, including where the controller did not comply with the obligation to designate a representative. The penalties provided for must be effective, proportionate and dissuasive.

2. Where the controller has established a representative, any penalties shall be applied to the representative, without prejudice to any penalties which could be initiated against the controller.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.
2nd proposal close

Art. 79b

 1. For infringements (…)of this Regulation in particular for infringements which are not subject to administrative fines pursuant to (…) Article 79a Member States shall lay down the rules on penalties applicable to such infringements and shall take all measures necessary to ensure that they are implemented (…). Such penalties shall be effective, proportionate and dissuasive.

2. (…).

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.
Directive close

Art. 24

The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.
Denmark
compare_arrows

70. -  (1)  In the absence of more severe punishment being prescribed under other legislation, any person who commits any of the following offences in connection with processing carried out on behalf of private individuals or bodies shall be liable to a fine or prison up to 4 months:

  1. violation of section 4 (5), section 5 (2) - (5), section 6, section 7 (1), section 8 (4), (5) and (7), section 9 (2), section 10 (2) and (3) first clause, section 11 (2) and (3), section 12 (1) and (2) first clause, section 13 (1) first clause, sections 20 - 25, section 26 (1), (2) second clause, and (3), section 26 a, section 27 (1), section 28 (1), section 29 (1), section 31, sections 33 and 34, section 35 (2), sections 36 and 37, section 39 (1) and (3), section 41 (1) and (3), section 42, section 48, section 50 (1) and (2), section 51, section 53 or section 54 (2);
  2. failure to comply with the Data Protection Agency’s decision under section 5 (1), section 7 (7), section 13 (1), second clause, section 26 (2), first clause, section 27 (4), sections 28 and 29, section 30 (1) section 31, section 32 (1) and (4), sections 33-37, section 39, section 50 (2) or section 58 (2);
  3. failure to comply with the requirements of the Data Protection Agency under section 62 (1);
  4. obstruction of the Data Protection Agency from access under section 62 (3) and (4);
  5. failure to comply with conditions as referred to in section 7 (7), section 9 (3), section 10 (3), section 13 (1), section 27 (4), section 50 (5) or any terms or conditions stipulated for an authorization in accordance with rules issued by virtue of this Act; or
  6. failure to comply with prohibitory or mandatory orders issued in accordance with section 59 or in accordance with rules issued by virtue of this Act.

(2) In the absence of more severe punishment being prescribed under other legislation, any person who in connection with a processing operation carried out on behalf of public authorities violates section 41 (3) or section 53 or fails to comply with conditions as referred to in section 7 (7), section 9 (3), section 10 (3), section 13 (1), section 27 (4) or any other terms or conditions for an authorization in accordance with rules issued by virtue of this Act shall be liable to a fine or prison up to 4 months.

(3) In the absence of more severe punishment being prescribed under other legislation, any person who in connection with a processing operation governed by another Member State’s legislation fails to comply with the decisions of the Data Protection Agency under section 59 or to fulfil the requirements of the Data Protection Agency under section 62 (1), or obstructs the Data Protection Agency’s right of access under section 62 (3) and (4) shall be liable to a fine or prison up to 4 months.

(4) Any rules issued by virtue of this Act may stipulate punishment in the form of a fine or prison up to 4 months.

(5) Criminal liability may be imposed on companies, etc. (legal persons) pursuant to the rules laid down in Chapter 5 of the Danish Penal Code.
arrow_back Previous ArticleArticle 84 Next Article arrow_forward
close

2016 - www.itiplaw.eu.