Fines for violating the GDPR
The European legislators wanted to make the importance of the Regulation unmistakable by providing for strong administrative pecuniary and/or criminal sanctions in cases of violation of the GDPR.
According to the seriousness of the infringement, the fines are divided into two brackets:
■ Up to 10 million euros or for companies up to 2% of the worldwide annual turnover of the previous year
Fine imposed for the breach of principles such as privacy by design, i.e. the failure to build data protection in from the design stage or the lack of suitable measures to ensure an adequate standard of security.
■ Up to 20 million euros or for companies up to 4% of the worldwide annual turnover of the previous year
Fine imposed in cases of violation of fundamental principles, such as denial of the right to be forgotten or a lack of transparency in the request for consent to data processing.
Such sanctions may also authorize the confiscation of profits obtained through the violation of the Regulation.
However, the imposition of criminal sanctions must never conflict with the principle of "ne bis in idem", i.e. a person cannot be tried twice for the same fact, even though they can be convicted several times.
The corrective sanctions are linked to the powers of the Supervisory Authority, which consist of:
- Issuing warnings to the data controller or the data processor that the intended processing operations are likely to violate the GDPR
- Issuing reprimands to the data controller or the data processor where processing operations have violated the provisions of the GDPR
- Ordering the data controller or the data processor to comply with the data subject's requests to exercise their rights
- Ordering the data controller or data processor to bring processing into compliance with the provisions of the GDPR, where appropriate specifying how and within what deadline
- Ordering the data controller to notify the data subject of a personal data breach
- Imposing a temporary or definitive restriction on processing, including a prohibition on processing
- Ordering the rectification or erasure of personal data or the restriction of processing, and the notification of such measures to the recipients to whom the personal data have been disclosed
- Withdrawing the certification or ordering the certification body to withdraw the certification issued pursuant to Articles 42 and 43, or ordering the certification body not to issue the certification if the requirements for certification are not or are no longer met
- Imposing an administrative fine in addition to these measures (see above)
- Ordering the suspension of data flows to a recipient in a third country or an international organization