
[0:08] You have seen the many obligations for controllers and processors, and the modalities which can help to comply with those obligations. If, in spite of those modalities, controllers and processors fail to comply, there can be negative consequences. Liability and sanctions is an important part of the GDPR which will be addressed in this video. Controllers and processors are legally liable for damages caused by data processing activities which infringe the GDPR. A controller is liable for all damages caused by processing activities. A processor, on the other hand, is liable for not complying with its obligations, or for acting outside or contrary to lawful instructions of a controller.

[0:52] A data subject who has suffered material or non-material damages as a result of a violation of the GDPR has the right to receive compensation for damages. It is possible that there are several controllers or processors involved in the same processing activity. In such cases, each and every one of them is responsible for subsequent damages, and liable for the entire damage. After paying the full amount, that controller or processor is entitled to claim back the part of their responsibility for the damage from other controllers or processors. This arrangement ensures effective compensation. If controllers and processors can prove, however, that they are not in any way responsible for the event giving rise to the damage, they can be exempted from liability.

[1:41] As mentioned in week three, controllers and processors may face administrative fines imposed by supervisory authorities for infringement of the GDPR. Depending on the circumstances, administrative fines can be heavy indeed: up to 10 or 20 million euro, or 2% or 4% of the undertaking's total worldwide annual turnover of the previous financial year, whichever is higher. Examples of violations where 10 million euros or 2% can be imposed include processing not requiring the identification of data subjects, and providing information society services to children.

[2:23] Examples of violations where higher administrative fines of 20 million euros or 4% of the annual turnover can be imposed include violation of basic principles of processing, conditions for consent, data subjects' rights, and noncompliance with orders or decisions of supervisory authorities. In addition, member states can make rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in their territory. Member states furthermore have to lay down rules on other penalties applicable to infringements of the GDPR, in particular, the infringements that are not subject to administrative fines. It is therefore relevant to take not only the GDPR into consideration. National laws are equally important.

[3:11] And as a final remark, as is generally the case with liability and sanctions, there are always judicial remedies in place to object to decisions which impose liabilities and sanctions. In this video, we briefly discussed the consequences of noncompliance with GDPR provisions. As you may have noticed, noncompliance may lead to serious consequences, which include compensation for damages and administrative fines that can go sky high.

Introducing GDPR's liabilities and sanctions

If controllers and processors fail to comply with the GDPR, there can be negative consequences. Liability and sanctions are an important part of the GDPR.

In accordance with the provisions in Chapter VIII, controllers and processors are legally liable for damages caused by data processing activities which infringe the GDPR. A controller is liable for all damages caused by processing activities. A processor is liable for not complying with its obligations or for acting outside or contrary to lawful instructions of a controller. A data subject who has suffered material or non-material damages as a result of a violation of the GDPR has the right to receive compensation for damages, as discussed in the previous week. There are always judicial remedies against decisions which impose liabilities and sanctions. It is, however, best to avoid such decisions.

In case of infringement of the GDPR, controllers and processors may face heavy administrative fines: up to 10 or 20 million euro or 2 or 4% of the undertaking’s total worldwide annual turnover of the previous financial year, depending on the circumstances (see Article 83).

In addition, EU Member States can make rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in their territory and lay down rules on other penalties applicable to infringements of the GDPR, in particular the infringements that are not subject to administrative fines. National laws are thus equally important.

This video is from the free online course:

Understanding the General Data Protection Regulation

University of Groningen