Skip main navigation

Practical implications for data controllers and processors

In this article, Jonida Milaj-Weishaar discusses practical implications of the liability provisions of the GDPR for data controllers and processors
© University of Groningen

Under the previous rules on data protection (Directive 95/46/EC), national supervisory authorities had a number of investigatory powers. They had, for example, the power to access controllers’ data, to issue a warning, to order the blocking, erasure or destruction of data or to impose bans on the processing of data. With regards to fines, however, practice has shown that the number of fines issued by national data protection authorities has been relatively low and high fines were issued only for the more serious offences. It bears mentioning also that the maximum and minimum amount of an administrative fine was determined by each Member State.

With the GDPR , the impact of a fine on data controllers and processors, even if not reaching the maximum amount established in Article 83 GDPR, could be significant. Also, in those situations in which a global organisation has only a small establishment in the territory of the European Union, or is completely based in third countries but it targets the processing of personal data of EU citizens, the fine would be based on the total worldwide annual turnover. Thus, following the data protection rules as established by the GDPR should be taken seriously both by EU and foreign organisations.

In addition, the GDPR increases the risks for data controllers and processors of being controlled by supervisory authorities and being the subject of enforcement actions and court proceedings. This is because, in difference from the current situation, individuals will have the right to mandate, for example, a privacy rights association to represent them before supervisory authorities or courts. These associations may also encourage individuals to move forward with claims and actions that otherwise they would have not been following.

Data controllers and processors should be prepared also of the fact that court proceedings may start in the country where the individual has his or her habitual residence, even if their company or organisation does not have any establishment in that country.

© University of Groningen
This article is from the free online

Understanding the GDPR

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education