Personal data of natural persons should be treated with care. To ensure that the personal data of individuals in the EEA is protected, the European Union launched several initiatives. One of these is the General Data Protection Regulation (GDPR). The GDPR has direct effect, and member states must comply with its objectives. A common misconception is that violations of EU law instantly result in heavy fines and penalties. Not only is this view exaggerated, it also does not match the available public data. For the GDPR, an enforcement tracker records GDPR violations and, consequently, recommendations for improvement. The enforcement tracker also lists the fines that were applied. To date, these penalties have remained below the maximum of 20 million Euro or 4% of annual worldwide turnover. However, compliance with data protection regulation is more than the avoidance of GDPR violations and penalties. Society, and in particular data subjects, take a critical look at how enterprises handle their personal data.
The free movement of personal data has expanded with technological developments and the economic and social integration of the European Single Market. The GDPR aims to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the European Union. GDPR violations allow regulators to penalize wrongdoers. Such a penalty may in turn trigger civil liability, which an affected data subject or group of data subjects can pursue. Consequently, data breaches that result in GDPR violations can give rise to a legitimate double liability, enforced at both the civil and the regulatory level.
Investigation of a possible data breach begins with a complaint filed by a data subject, voluntary reporting of a breach by a controller or processor, or an inquiry initiated by the supervisory authority itself. Article 58 of the Regulation grants the authority corrective powers such as warnings, reprimands and monetary penalties. Chapter VIII of the Regulation sets out remedies, liability and penalties. As such, the rules of the GDPR framework are clear, and those who take sufficient action to comply with the Regulation are spared unnecessary distraction and reprimands.
The scope and nature of international business may lead to intervention by supervisory authorities in different member states. Cooperation and mutual assistance are initiated by the lead supervisory authority and provided by the supervisory authorities in the relevant member states. Where a violation is established, administrative fines can be imposed in addition to corrective powers such as warnings and reprimands. The amount of the administrative fine depends on factors such as the nature, gravity and duration of the infringement, its intentional or negligent character, and the actions taken to mitigate the damage caused by the data breach.
The independent European Data Protection Board has legal personality as a body of the Union. Its objective is to ensure a consistent application of the GDPR. Following its mandate, the Board advises the Commission and issues guidelines, recommendations and best practices. As such, the GDPR is subject to experience-driven change and may further advance data and privacy protection in the future.