Skip main navigation
Home / Business & Management / Big Data & Analytics / Understanding the GDPR / Practical implications for data controllers and processors

Practical implications for data controllers and processors

In this article, Jonida Milaj-Weishaar discusses practical implications of the liability provisions of the GDPR for data controllers and processors
© University of Groningen

Under the previous rules on data protection (Directive 95/46/EC), national supervisory authorities had a number of investigatory powers. They had, for example, the power to access controllers’ data, to issue a warning, to order the blocking, erasure or destruction of data or to impose bans on the processing of data. With regards to fines, however, practice has shown that the number of fines issued by national data protection authorities has been relatively low and high fines were issued only for the more serious offences. It bears mentioning also that the maximum and minimum amount of an administrative fine was determined by each Member State.

With the GDPR , the impact of a fine on data controllers and processors, even if not reaching the maximum amount established in Article 83 GDPR, could be significant. Also, in those situations in which a global organisation has only a small establishment in the territory of the European Union, or is completely based in third countries but it targets the processing of personal data of EU citizens, the fine would be based on the total worldwide annual turnover. Thus, following the data protection rules as established by the GDPR should be taken seriously both by EU and foreign organisations.

In addition, the GDPR increases the risks for data controllers and processors of being controlled by supervisory authorities and being the subject of enforcement actions and court proceedings. This is because, in difference from the current situation, individuals will have the right to mandate, for example, a privacy rights association to represent them before supervisory authorities or courts. These associations may also encourage individuals to move forward with claims and actions that otherwise they would have not been following.

Data controllers and processors should be prepared also of the fact that court proceedings may start in the country where the individual has his or her habitual residence, even if their company or organisation does not have any establishment in that country.

Want to keep
learning?

This content is taken from
University of Groningen online course,

Understanding the GDPR

View Course
© University of Groningen

Want to keep learning?

This content is taken from University of Groningen online course
Understanding the GDPR
View Course
See other articles from this course
This article is from the online course:

Understanding the GDPR

Created by
Join Now
This article is from the free online

Understanding the GDPR

Created by
Join Now
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now

Register to receive updates

  • Create an account to receive our newsletter, course recommendations and promotions.

    Register for free