The introduction of far-reaching control and sanctioning powers for the data protection authorities is without a doubt one of the most noteworthy changes to the GDPR (in Belgium, the Privacy Commission). However, how these new powers will be put into practice remains to be seen.
Even though the regulations concerning the processing of personal data of many European countries contain sanctions for non-compliance, their supervisory authorities cannot impose them because they lack sanctioning powers. The GDPR will change this by granting the supervisory authorities sanctioning powers and by providing them with a far-reaching set of sanctions they can impose.
Extension of the supervisory authorities’ powers
First of all, the GDPR awards the supervisory authorities several investigatory powers that will enable them to determine whether an infringement of the GDPR has occurred. More specifically, the supervisory authorities will, among others, be able to:
- order the controller and processor to provide any information they require for the performance of their tasks;
- carry out investigations in the form of data protection audits;
- obtain access to the premises of the controller and the processor.
Additionally, the GDPR grants the supervisory authorities the power to take several corrective measures:
- to issue warnings;
- to order the correction of infringements within a specific period;
- to impose a temporary or definitive limitation including a ban on processing;
- to order the suspension of data flows to a third country.
Each supervisory authority will determine for itself the most appropriate sanction in a specific case.
Moreover, the supervisory authorities will be able to impose administrative fines. These fines can be ordered in combination with or instead of the corrective measures. When assessing whether a fine should be imposed and when determining the amount, the authorities will take into account a range of mitigating and aggravating circumstances, such as the nature, the gravity and the duration of the infringement, the intentional or negligent character of the infringement, the nature of the personal data (whether or not sensitive), previous infringements by the controller or the processor, etc.
For a number of infringements, the fines can amount to EUR 10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher), for example when:
- the controller did not keep a record of the processing activities;
- the controller and processor did not conclude an agreement;
- no data protection officer has been designated, contrary to the regulations.
However, the majority of the infringements of the GDPR can be punished by a fine of up to EUR 20 million or, in the case of an undertaking, of up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher), for example when:
- the controller did not respect the basic principles or does not have a legal basis for processing;
- the data subjects’ rights are not guaranteed;
- the transfers of personal data to a third country are not protected.
The GDPR states that these fines must be “effective, proportionate and dissuasive”. By granting the supervisory authorities the power to impose these heavy penalties, the European legislator aims to strengthen the national ‘watchdogs’ to ensure compliance with the GDPR. The purpose of these heavy penalties is therefore clear: pushing compliance with the GDPR high up on the agenda of the management and the boards of directors in the business community.
At present, how these new powers will be implemented in Member States remains to be seen. In Belgium, the Privacy Commission has in one of its recent advices voiced some criticism against the draft legislation which aims to reform the Privacy Commission in light of the GDPR. The Privacy Commission’s main criticisms pertain to, on the one hand, the fact that the draft legislation provides that the investigation and prosecution of infringements, as well as the judicial authority, will be granted to a single body, namely the Chamber of Disputes (“Geschillenkamer”). The Privacy Commission considers the mixing of these two competences to be contrary to the separation of powers and that this will reduce the quality of the jurisprudence. A second point of criticism concerns the fact that a number of tasks provided for in the GDPR are not attributed to the Privacy Commission in the draft legislation. For instance, the draft legislation does not attribute the tasks concerning the cooperation with other supervisory authorities and the maintenance of an internal record of the infringements of the GDPR and the measures taken to the Privacy Commission. The main point of criticism, however, concerns the procedure as provided for in the draft legislation. According to the Privacy Commission, this procedure is incoherent, rigid, unclear and, to a certain extent, contrary to the provisions of the GDPR.
While it is clear that the GDPR grants to the supervisory authorities extensive powers and a far-reaching set of sanctions, only time will tell how these new powers will be put into practice.