Ticket

Practical implications for data controllers and processors

Under the current EU rules on data protection (Directive 95/46/EC), national supervisory authorities have already a number of investigatory powers towards data controllers and processors. They have, for example, the power to access controllers’ data, to issue a warning, to order the blocking, erasure or destruction of data or to impose bans on the processing of data. With regards to fines, however, practice has shown that the number of fines issued by national data protection authorities has been relatively low and high fines were issued only for the more serious offences. It bears mentioning also that the maximum and minimum amount of an administrative fine is at the moment determined by each Member State.

Once the GDPR becomes applicable, the impact of a fine on data controllers and processors, even if not reaching the maximum amount established in Article 83 GDPR, could be significant. Also, in those situations in which a global organisation has only a small establishment in the territory of the European Union, or is completely based in third countries but it targets the processing of personal data of EU citizens, the fine would be based on the total worldwide annual turnover. Thus, following the data protection rules as established by the GDPR should be taken seriously both by EU and foreign organisations.

In addition, the GDPR increases the risks for data controllers and processors of being controlled by supervisory authorities and being the subject of enforcement actions and court proceedings. This is because, in difference from the current situation, individuals will have the right to mandate, for example, a privacy rights association to represent them before supervisory authorities or courts. These associations may also encourage individuals to move forward with claims and actions that otherwise they would have not been following.

Data controllers and processors should be prepared also of the fact that court proceedings may start in the country where the individual has his or her habitual residence, even if their company or organisation does not have any establishment in that country.

Share this article:

This article is from the free online course:

Understanding the General Data Protection Regulation

University of Groningen