5 questions on GDPR infringement fines

Who oversees compliance with the GDPR? How high are the penalties for breaches? What will be the criteria for determining the amount of the fine? Is it possible to defend against it? And is there any prevention? We sought answers to these questions.


One of the biggest "scares" associated with the entry into force of the General Data Protection Regulation was the high penalties for breaches. How big are they? And is there any way to defend oneself? The following text answers these and other questions.

1. Who oversees compliance with the GDPR?

Compliance with the regulation is supervised by a supervisory authority. In the Czech Republic, this is the Office for Personal Data Protection (the Office).

2. How high are the penalties for breaches?

Article 83(4) of the GDPR provides for penalties of up to 10,000,000 euros or, in the case of a company, up to 2% of its worldwide annual turnover. The Office may impose such fines, for example, in the event of a breach of obligations relating to the appointment of a Data Protection Officer (DPO), the performance of his/her activities, but also, for example, in the event of irregularities in contractual relations, in records of personal data processing activities or in the event of non-compliance with the requirements for the security of such data.

In case of violation (or non-compliance) of the basic principles of personal data processing, or in case of violation of rights (such as the right to erasure), the Office may, according to Article 83(5) of the GDPR, impose a fine of up to 20,000,000 euros or, in the case of an enterprise, up to 4% of the worldwide annual turnover.

3. What will be the criteria for determining the amount of the fine?

There is no need to be overly concerned in this respect. According to the official interpretation of the GDPR, penalties should not be ruinous and should always be proportionate to the nature and seriousness of the specific breach of the Regulation. The fine should nevertheless be effective, proportionate and dissuasive.

4. Is it possible to defend oneself against a fine?

Yes. In the Czech Republic, it will be possible to file an ordinary appeal against the Office's decision on an administrative offence in accordance with the provisions of Section 152 of Act No. 500/2004 Coll., the Administrative Code, as amended (the so-called remonstrance, "rozklad"). The appeal will be dealt with by the President of the Office. It will no longer be possible to appeal against her decision, but it will be possible to bring an action before an administrative court.

5. Is there prevention?

From the above paragraphs, it is clear that exaggerated fears of sanctions are not warranted, but at the same time the situation should certainly not be underestimated. We recommend taking note of the basic rights and obligations under the new regulation. This should help you avoid a fine.

If there is anything you are not sure about when implementing the new GDPR measures, please do not hesitate to contact us. We will be happy to help you and avert the threat of potential sanctions.