Want to keep learning?

This content is taken from the University of Groningen's online course, Understanding the GDPR. Join the course to learn more.

Practical implications for data controllers and processors

Under the previous rules on data protection (Directive 95/46/EC), national supervisory authorities had a number of investigatory powers. They had, for example, the power to access controllers’ data, to issue a warning, to order the blocking, erasure or destruction of data or to impose bans on the processing of data. With regards to fines, however, practice has shown that the number of fines issued by national data protection authorities has been relatively low and high fines were issued only for the more serious offences. It bears mentioning also that the maximum and minimum amount of an administrative fine was determined by each Member State.

With the GDPR , the impact of a fine on data controllers and processors, even if not reaching the maximum amount established in Article 83 GDPR, could be significant. Also, in those situations in which a global organisation has only a small establishment in the territory of the European Union, or is completely based in third countries but it targets the processing of personal data of EU citizens, the fine would be based on the total worldwide annual turnover. Thus, following the data protection rules as established by the GDPR should be taken seriously both by EU and foreign organisations.

In addition, the GDPR increases the risks for data controllers and processors of being controlled by supervisory authorities and being the subject of enforcement actions and court proceedings. This is because, in difference from the current situation, individuals will have the right to mandate, for example, a privacy rights association to represent them before supervisory authorities or courts. These associations may also encourage individuals to move forward with claims and actions that otherwise they would have not been following.

Data controllers and processors should be prepared also of the fact that court proceedings may start in the country where the individual has his or her habitual residence, even if their company or organisation does not have any establishment in that country.

Share this article:

This article is from the free online course:

Understanding the GDPR

University of Groningen

Get a taste of this course

Find out what this course is like by previewing some of the course steps before you join: