
Enforcement and Fines Under the GDPR


Abstract

As regards enforcement, the GDPR introduces significant changes in comparison to the Data Protection Directive. The Supervisory Authorities are tasked with ensuring compliance with the GDPR and, to fulfil these tasks, have various investigative and corrective powers. The most severe form of sanctioning from a company perspective will be administrative fines. Their maximum amount has been increased to up to EUR 20,000,000.00 or up to 4% of the total worldwide turnover. Apart from administrative sanctions, entities might have to pay compensation to data subjects. In this regard, it should be noted that, for the first time, the processor will be facing its own civil liability for infringements of the GDPR. This chapter focuses on the tasks and powers of the Supervisory Authorities, civil liability, administrative sanctions, as well as available judicial remedies.


Notes

  1. Rec. 11 GDPR.

  2. For the Supervisory Authorities’ tasks under the former legal framework, see Art. 28 Sec. 1 Data Protection Directive.

  3. Nguyen, ZD 2015, 265, 269; Hullen, in: Plath, BDSG/DSGVO, Art. 57 (2016), recs. 1–3.

  4. Gierschmann, ZD 2016, 51, 55; Hullen, in: Plath, BDSG/DSGVO, Art. 57 (2016), rec. 2.

  5. Art. 28 Sec. 3 Data Protection Directive: ‘Each authority shall in particular be endowed with […] investigative powers, such as powers of access to data […], effective powers of intervention, such as, for example […].’

  6. Art. 29 Data Protection Working Party, WP 168 (2009), p. 22; Körffer, in: Paal/Pauly, DSGVO, Art. 58 (2017), rec. 1.

  7. Körffer, in: Paal/Pauly, DSGVO, Art. 58 (2017), rec. 5.

  8. See also Brink, in: Wolff/Brink, BeckOK, § 38 (2016), rec. 57.

  9. Körffer, in: Paal/Pauly, DSGVO, Art. 58 (2017), rec. 7; see also Brink, in: Wolff/Brink, BeckOK, § 38 (2016), rec. 57.

  10. See also Plath, in: Plath, BDSG/DSGVO, § 38 (2016), rec. 44.

  11. Körffer, in: Paal/Pauly, DSGVO, Art. 58 (2017), rec. 7.

  12. Hullen, in: Plath, BDSG/DSGVO, Art. 58 (2016), rec. 9.

  13. Körffer, in: Paal/Pauly, DSGVO, Art. 58 (2017), rec. 10.

  14. Hullen, in: Plath, BDSG/DSGVO, Art. 58 (2016), rec. 10.

  15. Körffer, in: Paal/Pauly, DSGVO, Art. 58 (2017), rec. 12.

  16. Nguyen, ZD 2015, 265, 269; Körffer, in: Paal/Pauly, DSGVO, Art. 58 (2017), rec. 15.

  17. Rec. 129 GDPR; Nguyen, ZD 2015, 265, 269; Körffer, in: Paal/Pauly, DSGVO, Art. 58 (2017), rec. 15.

  18. Nguyen, ZD 2015, 265, 269; Körffer, in: Paal/Pauly, DSGVO, Art. 58 (2017), rec. 15.

  19. Rec. 129 GDPR.

  20. In this regard, Art. 31 GDPR is a novelty and exception to this principle, see Sect. 3.2.3.

  21. Rec. 129 GDPR.

  22. Rec. 129 GDPR.

  23. Laue/Nink/Kremer, Datenschutzrecht, Aufsichtsbehörden (2016), rec. 19; rec. 129 GDPR.

  24. Pursuant to Art. 23 Sec. 1 Data Protection Directive, EU Member States should provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to the Directive is entitled to receive compensation from the controller for the damage suffered. Pursuant to Art. 23 Sec. 2 of the Directive, the controller could be exempted from its liability, in whole or in part, if it proved that it was not responsible for the event giving rise to the damage.

  25. Laue/Nink/Kremer, Datenschutzrecht, Haftung (2016), rec. 4.

  26. Rec. 146 GDPR.

  27. See also Quaas, in: Wolff/Brink, BeckOK, § 7 (2016), rec. 56; Laue/Nink/Kremer, Datenschutzrecht, Haftung (2016), rec. 6.

  28. Rec. 146 GDPR.

  29. Rec. 146 GDPR.

  30. Exemplarily ECJ, ruling of 17 December 2015, Arjona Camacho, C-407/14, rec. 31; Schantz, NJW 2016, 1841, 1847; Wybitul, ZD 2016, 253, 253.

  31. Schantz, NJW 2016, 1841, 1847.

  32. Frenzel, in: Paal/Pauly, DSGVO, Art. 82 (2017), rec. 11.

  33. Laue/Nink/Kremer, Datenschutzrecht, Haftung (2016), rec. 7; Frenzel, in: Paal/Pauly, DSGVO, Art. 82 (2017), rec. 7; Quaas, in: Wolff/Brink, BeckOK, Art. 82 (2016), rec. 37; disapprovingly see Becker, in: Plath, BDSG/DSGVO, Art. 82 (2016), rec. 2.

  34. Laue/Nink/Kremer, Datenschutzrecht, Haftung (2016), rec. 7.

  35. Rec. 146 GDPR.

  36. See also Quaas, in: Wolff/Brink, BeckOK, § 7 (2016), rec. 9; Laue/Nink/Kremer, Datenschutzrecht, Haftung (2016), rec. 15.

  37. Becker, in: Plath, BDSG/DSGVO, Art. 82 (2016), rec. 6.

  38. Frenzel, in: Paal/Pauly, DSGVO, Art. 82 (2017), rec. 12.

  39. Becker, in: Plath, BDSG/DSGVO, Art. 82 (2016), rec. 6.

  40. Laue/Nink/Kremer, Datenschutzrecht, Haftung (2016), rec. 8.

  41. Art. 23 Sec. 2 Data Protection Directive: ‘The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.’

  42. Laue/Nink/Kremer, Datenschutzrecht, Haftung (2016), rec. 9; Frenzel, in: Paal/Pauly, DSGVO, Art. 82 (2017), rec. 15.

  43. See also Simitis, in: Simitis, BDSG, § 7 (2014), rec. 25; Frenzel, in: Paal/Pauly, DSGVO, Art. 82 (2017), rec. 15.

  44. Frenzel, in: Paal/Pauly, DSGVO, Art. 82 (2017), rec. 15.

  45. For instance, in Germany, the maximum amount of administrative fines for breaches of data protection law was EUR 300,000.00, § 43 Sec. 3 BDSG. In France, the maximum amount of administrative fines was EUR 3,000,000.00, Art. 47 Loi 78-17 du 6 janvier 1978 (modifiée).

  46. Rec. 152 GDPR.

  47. Hullen, in: Plath, BDSG/DSGVO, Art. 58 (2016), rec. 12; Körffer, in: Paal/Pauly, DSGVO, Art. 58 (2017), recs. 17–18.

  48. von dem Bussche/Zeiter, EDPL 2016, 576, 581; rec. 148 GDPR. Pursuant to the latter, in case of minor infringements of the GDPR, a reprimand may be issued instead of a fine.

  49. Frenzel, in: Paal/Pauly, DSGVO, Art. 83 (2017), rec. 16.

  50. Becker, in: Plath, BDSG/DSGVO, Art. 83 (2016), rec. 11; Holländer, in: Wolff/Brink, BeckOK, Art. 83 (2016), recs. 17–18; Frenzel, in: Paal/Pauly, DSGVO, Art. 83 (2017), rec. 14.

  51. Please note that the legal systems of the EU Member States Denmark and Estonia do not allow for such imposition of administrative fines by the Supervisory Authorities, for details see Recital 151 of the Regulation.

  52. Rec. 150 GDPR.

  53. Rec. 148 GDPR.

  54. Becker, in: Plath, BDSG/DSGVO, Art. 83 (2016), rec. 23.

  55. ECJ, ruling of 23 April 1991, Höfner and Elser./.Macrotron, C-41/90, rec. 21; Faust/Spittka/Wybitul, ZD 2016, 120, 120–121.

  56. Laue/Nink/Kremer, Datenschutzrecht, Haftung (2016), rec. 27; Faust/Spittka/Wybitul, ZD 2016, 120, 121–124; Bayrisches Landesamt für Datenschutzaufsicht (2016), p. 2.

  57. Faust/Spittka/Wybitul, ZD 2016, 120, 124; Laue/Nink/Kremer, Datenschutzrecht, Haftung (2016), rec. 28; disapprovingly Holländer, in: Wolff/Brink, BeckOK, Art. 83 (2016), recs. 12–15; Becker, in: Plath, BDSG/DSGVO, Art. 83 (2016), rec. 23.

  58. Laue/Nink/Kremer, Datenschutzrecht, Haftung (2016), rec. 28.

  59. Körffer, in: Paal/Pauly, DSGVO, Art. 78 (2017), rec. 3; rec. 143 GDPR.

  60. Rec. 143 GDPR.

  61. Rec. 143 GDPR.

  62. Körffer, in: Paal/Pauly, DSGVO, Art. 78 (2017), rec. 4.

  63. Körffer, in: Paal/Pauly, DSGVO, Art. 78 (2017), rec. 4; Mundil, in: Wolff/Brink, BeckOK, Art. 78 (2016), rec. 6.

  64. Mundil, in: Wolff/Brink, BeckOK, Art. 78 (2016), rec. 6; Körffer, in: Paal/Pauly, DSGVO, Art. 78 (2017), rec. 4; Laue/Nink/Kremer, Datenschutzrecht, Haftung (2016), rec. 37.

  65. Nebel, in: Roßnagel, DSGVO, Rechtswege (2017), rec. 115.

  66. Mundil, in: Wolff/Brink, BeckOK, Art. 78 (2016), rec. 10.

  67. Körffer, in: Paal/Pauly, DSGVO, Art. 78 (2017), rec. 7; Mundil, in: Wolff/Brink, BeckOK, Art. 78 (2016), rec. 11.

  68. In the latter case, this is under the condition that the controller/processor in question is not a public authority of the EU Member State acting in the exercise of its public powers.

  69. Laue/Nink/Kremer, Datenschutzrecht, Haftung (2016), rec. 35; Martini, in: Paal/Pauly, DSGVO, Art. 79 (2017), recs. 24–25; Mundil, in: Wolff/Brink, BeckOK, Art. 79 (2016), rec. 16.

  70. Martini, in: Paal/Pauly, DSGVO, Art. 79 (2017), recs. 26–28; Mundil, in: Wolff/Brink, BeckOK, Art. 79 (2016), rec. 18.

  71. Mundil, in: Wolff/Brink, BeckOK, Art. 79 (2016), rec. 18; Martini, in: Paal/Pauly, DSGVO, Art. 79 (2017), recs. 26–28.

  72. According to Art. 80 Sec. 1 GDPR, such not-for-profit body must have been properly constituted in accordance with the law of an EU Member State, have statutory objectives which are in the public interest and be active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data.

  73. Gierschmann, ZD 2016, 51, 53.

References

  • Art. 29 Data Protection Working Party (2009) The Future of Privacy – Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, WP 168


  • Bayrisches Landesamt für Datenschutzaufsicht (2016) Sanktionen nach der DS-GVO. https://www.lda.bayern.de/media/baylda_ds-gvo_7_sanctions.pdf. Accessed 6 Apr 2017

  • Becker T (2016) Arts. 82, 83 DSGVO. In: Plath K-U (ed) BDSG/DSGVO, 2nd edn. Verlag Dr. Otto Schmidt, Cologne


  • Brink S (2016) § 38 BDSG. In: Wolff HA, Brink S (eds) Beck’scher Online-Kommentar Datenschutzrecht, 18th edn. C.H.Beck, Munich


  • Faust S, Spittka J, Wybitul T (2016) Milliardenbußgelder nach der DS-GVO? ZD, pp 120–125


  • Frenzel EM (2017) Arts. 82, 83 DSGVO. In: Paal BP, Pauly DA (eds) Beck’sche Kompaktkommentare Datenschutz-Grundverordnung, 1st edn. C.H.Beck, Munich


  • Gierschmann S (2016) Was ‘bringt’ deutschen Unternehmen die DS-GVO? - Mehr Pflichten, aber die Rechtsunsicherheit bleibt. ZD, pp 51–55


  • Holländer C (2016) Art. 83 DSGVO. In: Wolff HA, Brink S (eds) Beck’scher Online-Kommentar Datenschutzrecht, 18th edn. C.H.Beck, Munich


  • Hullen N (2016) Arts. 57, 58 DSGVO. In: Plath K-U (ed) BDSG/DSGVO, 2nd edn. Verlag Dr. Otto Schmidt, Cologne


  • Körffer B (2017) Arts. 55, 58, 78 DSGVO. In: Paal BP, Pauly DA (eds) Beck’sche Kompaktkommentare Datenschutz-Grundverordnung, 1st edn. C.H.Beck, Munich


  • Laue P, Nink J, Kremer S (eds) (2016) Haftung, Sanktionen und Rechtsbehelfe; Zusammenarbeit mit Aufsichtsbehörden. In: Das neue Datenschutzrecht in der betrieblichen Praxis, 1st edn. Nomos, Baden-Baden


  • Martini M (2017) Art. 79 DSGVO. In: Paal BP, Pauly DA (eds) Beck’sche Kompaktkommentare Datenschutz-Grundverordnung, 1st edn. C.H.Beck, Munich


  • Mundil D (2016) Arts. 78, 79 DSGVO. In: Wolff HA, Brink S (eds) Beck’scher Online-Kommentar Datenschutzrecht, 18th edn. C.H.Beck, Munich


  • Nebel M (2017) Rechtswege und Rechtsbehelfe. In: Roßnagel A (ed) Europäische Datenschutz-Grundverordnung, Vorrang des Unionsrechts – Anwendbarkeit des nationalen Rechts, 1st edn. Nomos, Baden-Baden


  • Nguyen AM (2015) Die zukünftige Datenschutzaufsicht in Europa. ZD, pp 265–270


  • Plath K-U (2016) § 38 BDSG. In: Plath K-U (ed) BDSG/DSGVO, 2nd edn. Verlag Dr. Otto Schmidt, Cologne


  • Quaas S (2016) Art. 82 DSGVO; § 7 BDSG. In: Wolff HA, Brink S (eds) Beck’scher Online-Kommentar Datenschutzrecht, 18th edn. C.H.Beck, Munich


  • Schantz P (2016) Die Datenschutz-Grundverordnung – Beginn einer neuen Zeitrechnung im Datenschutzrecht. NJW, pp 1841–1847


  • Simitis S (2014) § 7 BDSG. In: Simitis S (ed) Bundesdatenschutzgesetz, 8th edn. Nomos, Baden-Baden


  • von dem Bussche AF, Zeiter A (2016) Practitioner’s corner – implementing the EU general data protection regulation: a business perspective. EDPL 4:576–581


  • Wybitul T (2016) DS-GVO veröffentlicht – Was sind die neuen Anforderungen an die Unternehmen? ZD, pp 253–254



Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Voigt, P., von dem Bussche, A. (2017). Enforcement and Fines Under the GDPR. In: The EU General Data Protection Regulation (GDPR). Springer, Cham. https://doi.org/10.1007/978-3-319-57959-7_7


  • DOI: https://doi.org/10.1007/978-3-319-57959-7_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-57958-0

  • Online ISBN: 978-3-319-57959-7

  • eBook Packages: Law and Criminology (R0)
