Sanctions under the GDPR
Currently, many companies neglect compliance with data protection law because the risk of sanctions is low. Soon, however, the EU’s General Data Protection Regulation (GDPR) will provide for fines that are significantly higher than before: up to €20 million or 4% of global annual group turnover. It can be assumed that the data protection supervisory authorities will take a stricter approach than in the past and impose significantly higher fines. Since the GDPR also provides for significantly more extensive transparency obligations and documentation requirements, the risk of detection in the event of non-compliance is significantly higher than at present.
However, the sanction options for data protection violations go far beyond the imposition of fines. The new law also provides for several other measures that could pose a financial threat to companies. These will be described below.
Self-monitoring of data protection implementation
In order to check compliance with data protection requirements and to take stock of the implementation of the GDPR in the company, the supervisory authorities have now published some interesting documents. The Bavarian State Office for Data Protection Supervision (BayLDA) recently sent a questionnaire to 150 companies asking about the current status of their GDPR implementation (see the BayLDA press release). The questionnaire used there, which other supervisory authorities will probably use in a similar form in the near future, provides a helpful overview of the requirements that will be placed on the data protection organization of every company in the future. You can use this questionnaire to conduct a self-assessment of your current implementation status. If you still have any open points, we will of course be happy to assist you.
Possible sanctions for non-compliance with the GDPR
- Warning letters issued by consumer protection associations: Under Art. 80 para. 2 GDPR, national legislators may provide that consumer protection associations (e.g., the Federation of German Consumer Organisations, VZBV) are granted the right to prosecute data protection violations. In Germany, this has already been done through the Injunctions Act (Unterlassungsklagegesetz, UKlaG), so that companies face warning letters from consumer protection associations in the event of non-compliance with data protection requirements.
- Warning letters from “data protection associations”: Art. 80 para. 1 GDPR provides that any registered association organized under private law whose articles of association give it the task of prosecuting data protection violations may issue warnings to companies. This provision was inspired by the group “Europe vs. Facebook” founded by Max Schrems, a civil rights activist campaigning for the enforcement of the European level of data protection. In view of the far-reaching wording of the GDPR, however, it is to be feared that “data protection warning associations” will be formed in the future that work together with law firms to generate costs in the event of data protection violations. Since the risk of detection is significantly higher than in the past, there is a threat of a new warning-letter industry, which can be counteracted by a clean external presentation of the company’s data protection practices.
- Warning letters and claims for damages for pain and suffering by affected parties: Affected parties will be able to claim damages more extensively and more easily than in the past. Art. 79 and 82 GDPR allow them to issue warning letters demanding that data protection violations cease and desist, and to claim damages for pain and suffering in the event of violations. Because the GDPR is being promoted by consumer protection and civil rights organizations, there is also a higher risk that significantly more citizens will want to exercise their rights.
- Extended rights of data protection supervisory authorities: In addition to the imposition of fines of up to 4% of global annual group turnover, Art. 58 GDPR provides for extended rights and powers of data protection authorities. For example, the supervisory authority can request information and thereby identify data protection violations, so the risk of detection is significantly higher than in the past. Clean documentation of the implementation of data protection is therefore necessary.
- Works councils: The powers of works councils under works constitution law remain unchanged. Art. 88 GDPR allows largely independent national regulations on the processing of employee data. Works councils will therefore continue to be able to check the lawful processing of employee data.
Violations of data protection regulations will carry significantly higher risks in the future. Fines are only a small part of the sanctions provided for by the GDPR. Due to significantly expanded documentation obligations, violations of data protection law are much easier to detect than before; one can speak of a shift in the burden of proof, since in case of doubt the company must prove that it is working in compliance with the law. Companies therefore face significantly more risks, as consumer protection associations and associations organized under private law will also be able to pursue data protection violations much more extensively than before. It is all the more important to implement the basics of the GDPR promptly.