
Introducing GDPR’s liabilities and sanctions

In this video Melania Tudorica introduces the regime of GDPR's liabilities and sanctions for infringements of the regulation.
You have seen the many obligations for controllers and processors, and the modalities which can help to comply with those obligations. If, in spite of those modalities, controllers and processors fail to comply, there can be negative consequences. Liability and sanctions is an important part of the GDPR which will be addressed in this video. Controllers and processors are legally liable for damages caused by data processing activities which infringe the GDPR. A controller is liable for all damages caused by processing activities. A processor, on the other hand, is liable for not complying with its obligations, or for acting outside or contrary to lawful instructions of a controller.
A data subject who has suffered material or non-material damages as a result of a violation of the GDPR has the right to receive compensation for damages. It is possible that there are several controllers or processors involved in the same processing activity. In such cases, each and every one of them is responsible for subsequent damages, and liable for the entire damage. After paying the full amount, that controller or processor is entitled to claim back the part of their responsibility for the damage from other controllers or processors. This arrangement ensures effective compensation. If controllers and processors can prove, however, that they are not in any way responsible for the event giving rise to the damage, they can be exempted from liability.
As mentioned in week three, controllers and processors may face administrative fines imposed by supervisory authorities for infringement of the GDPR. Depending on the circumstances, administrative fines can be heavy indeed – up to 10 or 20 million euro, or 2% or 4% of the undertaking’s total worldwide annual turnover of the previous financial year, whichever is higher. Examples of violations where 10 million euros or 2% can be imposed include processing not requiring the identification of data subjects, and providing information society services to children.
Examples of violations where higher administrative fines of 20 million euros or 4% of the annual turnover can be imposed include violation of basic principles of processing, conditions for consent, data subjects’ rights, and noncompliance with orders or decisions of supervisory authorities. In addition, member states can make rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in their territory. Member states furthermore have to lay down rules on other penalties applicable to infringements of the GDPR - in particular, the infringements that are not subject to administrative fines. It is therefore relevant to take not only the GDPR into consideration. National laws are equally important.
And as a final remark, as is generally the case with liability and sanctions, there are always judicial remedies in place to object to decisions which impose liabilities and sanctions. In this video, we briefly discussed the consequences of noncompliance with GDPR provisions. As you may have noticed, noncompliance may lead to serious consequences, which include compensation for damages and administrative fines that can go sky high.

If controllers and processors fail to comply with the GDPR, there can be negative consequences. Liability and sanctions are an important part of the GDPR.

In accordance with the provisions in Chapter VIII, controllers and processors are legally liable for damages caused by data processing activities which infringe the GDPR. A controller is liable for all damages caused by processing activities. A processor is liable for not complying with its obligations or for acting outside or contrary to lawful instructions of a controller. A data subject who has suffered material or non-material damages as a result of a violation of the GDPR has the right to receive compensation for damages, as discussed in the previous week. There are always judicial remedies against decisions which impose liabilities and sanctions. It is, however, best to avoid such decisions.

In case of infringement of the GDPR, controllers and processors may face heavy administrative fines: up to 10 or 20 million euro or 2% or 4% of the undertaking’s total worldwide annual turnover of the previous financial year, depending on the circumstances (see Article 83).

In addition, EU Member States can make rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in their territory and lay down rules on other penalties applicable to infringements of the GDPR, in particular the infringements that are not subject to administrative fines. National laws are thus equally important.

This article is from the free online

Understanding the GDPR
