Chapter VIII of the GDPR covers remedies, liability and penalties. There is a clear distinction between the position of the supervisory authority and that of the individual data subject whose rights are infringed. Supervisory authorities maintain local standards whilst protecting the functioning of the European single market by ensuring harmonization of rules within the member states. GDPR penalties are one of the ways to enforce compliance with the GDPR.
Penalties outside the scope of the administrative fines defined in Article 83 of the GDPR are laid down in the domestic rules of the member states. These penalties must be effective, proportionate and dissuasive. To ensure a level playing field, member states shall notify the Commission of the implementation of their local rules on data protection breaches and consequential penalties.
Administrative fines are distinct from regulatory penalties. However, both relate to degrees of responsibility, which is measured by the nature, gravity and duration of the infringement, as well as the possible intent of the wrongdoer. Other considerations include the historic degree of compliance with privacy-related matters, the internal procedures to comply with the GDPR, and the cooperation with the supervisory authorities.
Civil claims, administrative fines and penalties may lead to different sanctions. A civil claim is connected with the material and non-material damage suffered by the data subject. The administrative fines are capped in the GDPR at a maximum of 10 million euro or up to 2% of the worldwide annual turnover. Sanctions for GDPR penalties are decided by local laws and domestic legal systems. Yet it is always better to avoid violations and focus on the core activities of an enterprise.