The GDPR protects the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data. Its objective is to ensure an equivalent level of protection for natural persons and the free flow of personal data throughout the Union, which is needed for the proper functioning of the internal market. Alongside the fundamental freedoms that follow from the borderless single market the Union comprises, the movement of personal data within the Union is likewise unrestricted. As a consequence, the processing and controlling of personal data must be safeguarded.
Data subjects' primary concern is their privacy. Protection of their personal data begins with transparency on the part of the controller and processor of this vulnerable and sensitive data. Data subjects therefore have the right to be informed about, and to access, the personal data held on them by the controller or processor. Data can be enriched by integrating different databases, so personal information obtained indirectly is also covered, by Article 14 of the GDPR. To ensure transparency, data subjects have the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object, and rights relating to automated individual decision-making.
Under Chapter VIII, Articles 77, 78 and 79, data subjects have the right to lodge a complaint with their supervisory authority, the right to an effective judicial remedy against a supervisory authority, and the right to an effective judicial remedy against a controller or processor. Appeals against judicial decisions are open to data subjects, controllers and processors who disagree with the initial penalty.
Damage, both material and non-material, suffered by natural persons as a result of an infringement of the GDPR gives rise to a right to compensation and to civil liability. Controllers and processors therefore owe a duty both to their local regulator and to the data subjects whose personal data they hold and process. The civil liability towards a data subject is distinct from the penalties imposed by the supervisory authority. As a result, wrongdoers may be penalized twice: once for the regulatory violation, and once for the actual damage the infringement caused.
The general conditions for imposing administrative fines are laid down in Article 83 of the GDPR. Such administrative fines are capped at 10 million Euro, or 2% of the total worldwide annual turnover of the preceding financial year. Not all infringements are punishable by a monetary fine, and cooperation with the supervisory authority mitigates the sanctions. In civil cases where data subjects seek compensation for violations of the GDPR and the resulting material or non-material damage, that damage must be demonstrable and cannot be guessed.