Public enforcement Flashcards
(10 cards)
Remedies, liability and penalties: Chapter VIII
REMEDIES:
PRIVATE ENFORCEMENT – National courts (Art. 82 GDPR)
PUBLIC ENFORCEMENT – Supervisory Authorities (Art. 51 ff. and Art. 83, 84 GDPR)
PUBLIC ENFORCEMENT: supervisory authorities
- Each Member State appoints at least one Supervisory Authority (Italy: Garante per la protezione dei dati personali)
- Each Supervisory Authority shall cooperate with each other and the EU Commission
- European Data Protection Board (independent monitoring body for data protection at a European level), composed of the Heads of the MS Supervisory Authorities (one SA per MS)
→ EDPB issues Guidelines, Recommendations and Best Practices
→ EDPB acts as the final decision-making body within the cooperation and consistency mechanism (cross-border processing activities: one lead SA + the other SAs concerned cooperate)
PUBLIC ENFORCEMENT: supervisory authorities
Independence
(Public body members are appointed by means of a transparent procedure by MS’ Parliament, Government, Head of State, independent body entrusted by the Law)
→ “complete independence”:
Of the body from external influences (from other bodies, other institutions: no instructions from anybody!) → Art. 52
- 52(3) Members of each Supervisory Authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation
Of the members of the body (qualification, experience, skills) → Art. 53
- 53(4) A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties
PUBLIC ENFORCEMENT: supervisory authorities
Task and powers
Tasks (considerably expanded in comparison with the former EC Directive on data protection)
1) Monitoring and enforcing the application of the Regulation
2) Promoting public awareness for Data protection (indirect enforcing of the Regulation)
POWERS:
- INVESTIGATIVE POWERS
- CORRECTIVE POWERS
- AUTHORISATION AND ADVISORY POWERS
PUBLIC ENFORCEMENT: supervisory authorities
Investigative powers
INVESTIGATIVE POWERS
They have been set out in detail by the Regulation (Art. 58)
Thanks to the direct application of the GDPR in all EU Member States, these powers are widely consistent throughout the EU
Each Member State can introduce additional investigative powers in its national legislation
MAIN POWERS
A) To order the controller/the processor to PROVIDE any INFORMATION required for the performance of the Supervisory Authority’s task
Scope of application:
- Personal Data
- Data processing organization
→ Art. 31 GDPR: Controllers’ Obligation to cooperate with SA!
→ DPO as a contact point
B) To notify the controller/the processor of an alleged infringement of the GDPR
C) To carry out unannounced on-site inspections
→ Each investigative measure shall be appropriate, necessary and proportionate
→ EU Member State procedural laws also apply (national law to which the Supervisory Authority concerned is subject)
EXERCISE OF THE POWERS
→ Each legally binding measure should be:
- In writing
- Clear
- Unambiguous
- Contents: Supervisory Authority which has issued the measure; the date of issue; the signature of the Head/Member of the Authority; reasons + additional formal requirements laid down by national law
PUBLIC ENFORCEMENT: supervisory authorities
CORRECTIVE powers
→ Warnings [in case of an alleged infringement of the GDPR, which has not been proven yet]
Vs.
→ Reprimands
OTHER CORRECTIVE POWERS
→ ORDER:
- the controller/processor to comply with the data subject’s requests to exercise its rights under the GDPR
- the controller/processor to bring processing operations into compliance with the GDPR
- the controller to communicate a personal data breach to the data subject
- the rectification/erasure/restriction of processing of personal data (Art. 16, 17, 18 GDPR)
- the suspension of data flows to third country recipients
→ IMPOSE:
- a temporary or a definitive limitation/ a ban on personal data processing
- an administrative fine pursuant to Art. 83 GDPR (in addition to, or instead of other corrective measures)
IMPOSITION OF ADMINISTRATIVE FINES - ART. 83 GDPR
Art. 83 GDPR lays down:
- the general conditions for and
- the amount of administrative fines
IMPOSITION OF ADMINISTRATIVE FINES - ART. 83 GDPR – GROUNDS FOR AND AMOUNTS OF ADMINISTRATIVE FINES
Two categories of infringements of the GDPR:
→ Art. 83 (4) GDPR
(fines up to 10 mln EUR or, in the case of an undertaking, up to 2% of the total worldwide turnover of the preceding financial year, whichever is higher)
E.g. obligations concerning the child’s consent; organizational requirements for data processing; obligations of the monitoring body for Codes of Conduct
→ Art. 83 (5) GDPR
(fines up to 20 mln EUR or, in the case of an undertaking, up to 4% of the total worldwide turnover of the preceding financial year, whichever is higher)
E.g. violation of basic principles including conditions for consent and for processing of special categories of personal data; violation of data subjects’ rights; violation of any obligation pursuant to EU Member State law provisions adopted according to the opening clauses in Chapter IX of the Regulation
MULTIPLE INFRINGEMENTS (Art. 83 [3]):
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
When is a fine actually imposed?
- The basic scheme is the one based on the connection between the legally relevant case (fattispecie) and the legal effects (sanctions)
- It is basically an “if-then” reasoning
If A+B+… then X
where:
A+B+… are the facts that must occur in a case to make it legally relevant
X is the legal effect that the law links to the legally relevant case
One of the infringements enumerated in Art. 83(4) or (5) GDPR + intention or negligence of the tortfeasor → Administrative fines
What about the infringements that are not included in Art. 83 GDPR?
Art. 84 GDPR: “Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive”
IMPOSITION OF ADMINISTRATIVE FINES - ART. 83 GDPR – AMOUNTS OF ADMINISTRATIVE FINES
The specific amount is to be determined by the competent Supervisory Authority on a CASE-BY-CASE basis
→ Basic principle: Sanctions shall be effective, proportionate, and dissuasive
→ Relevant circumstances and mitigating factors: Art. 83 (2) GDPR:
Remedies of the different parties involved in data processing
A) Data subject (Art. 77, 78, 79 GDPR)
Article 77
Right to lodge a complaint with a supervisory authority
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.
Article 79
Right to an effective judicial remedy against a controller or processor
1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
B) Data subject/Controller/Processor (Art. 78 GDPR)
Article 78
Right to an effective judicial remedy against a supervisory authority
1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.