Article 58 of the GDPR
Consequences of Violation of GDPR
If a company violates the EU's General Data Protection Regulation (GDPR), it risks major financial consequences. These are not limited to fines issued by the supervisory authority or damages paid to the data subjects harmed by the breach. A violation of the GDPR can also damage the company's brand once it becomes known that the company has not followed the rules, which in turn can lead to further financial consequences, such as lost revenue and lost business relationships.
Principle of accountability
Under the principle of accountability, companies are obliged to demonstrate that they comply with the rules of the GDPR. This principle is set out in Article 5(2) of the GDPR and is one of the seven (7) basic data protection principles that companies must adhere to. In other words, it is not the data subject or the data protection authority that must show that the company is in breach of the GDPR; on the contrary, it is the company itself that must prove that it complies with the GDPR.
Penalty of several hundred million
One company had to pay over €300 million in penalties for its breaches of the GDPR. The fine was decided by the Irish Data Protection Authority, following a decision of the European Data Protection Board (EDPB). Among other things, the information provided about the processing was not clear enough. Note that the requirements for clarity are higher when the data subjects are children.
Examples of different steps companies can take to prove compliance with GDPR
In order to be able to prove that it complies with the rules of the GDPR, the company needs to take several different measures. For example, this can be done by:
Taking adequate organisational and technical security measures to protect the personal data being processed. The measures taken should be documented in writing and updated where necessary.
Establishing and implementing written internal procedures for complying with the rights of data subjects.
Establishing and keeping up to date its Records of Processing Activities (ROPA) in accordance with Article 30 of the GDPR.
In addition to these examples, there are many more measures that companies can and should implement to meet their responsibilities under the principle of accountability, and to prove compliance with other parts of the GDPR.
Below you can read about examples of the consequences of violating the GDPR.
Reprimand
If a supervisory authority deems the breach to be less serious, it may issue a reprimand. A reprimand is a type of written warning or remark, and is a milder penalty than a fine. On the other hand, an issued reprimand is a public document that is published, which can have a negative impact on the company's brand.
Administrative fine
An administrative fine is a fine that a supervisory authority can impose on a company in the event of a breach of the GDPR. For a serious infringement of the GDPR, the administrative fine may amount to a maximum of EUR 20 million or 4% of the company's total worldwide annual turnover, whichever is higher. Please note that this amount is not available to data subjects, as the company pays the fine to the state.
Damages
Data subjects may be able to claim damages in the event of a personal data breach. However, the data subject needs to claim the damages separately from any supervision carried out by a supervisory authority, for example by bringing an action for damages against the company in a general court. In addition, it may be possible to obtain damages for a justified fear that the personal data could be misused in the future. This was stated by the Court of Justice of the European Union (CJEU) after the Supreme Administrative Court of Bulgaria requested a ruling.
Periodic penalty payments
It is also common for agreements to contain penalty clauses. These usually mean that the party who breaks the agreement must pay a predetermined penalty amount to the other party in the event of a breach of the agreement. This type of commercial condition often occurs in agreements between companies. For example, a data processing agreement concluded between a data controller and a data processor may contain a penalty clause that applies in the event of a breach of contract by one of the parties.
Restrict or ban processing
A supervisory authority has the right to impose a temporary or definitive limitation on a specific processing of personal data, up to and including a ban on that processing.
Order the company to comply with GDPR within a certain period of time
If a company violates the GDPR, the supervisory authority may order the company to bring its processing into compliance with the provisions of the GDPR, where necessary in a specified manner and within a specified period of time.
Withdraw certification
In the event of a breach of the GDPR, the supervisory authority may, where applicable, withdraw a certification, or order the certification body to withdraw a certification issued to a company, if the requirements for certification are not or are no longer met.
Children are especially worthy of protection
Children deserve extra protection, both under the GDPR and under several other laws. The GDPR permits the processing of children's personal data in certain cases where they give their consent, for example when using social media. Under the GDPR, the age limit for children to give their own consent to information society services, such as social media, is 16 years. However, individual Member States have the right to lower this age through their national legislation, and several countries have done so. Sweden, for example, has chosen to lower the age to 13 years.
More information about GDPR
Categories and types of personal data according to GDPR
When information can be linked to a living natural person, that information is regarded as personal data under the GDPR. Examples include names, social security numbers and pictures of a person. These are examples of personal data of an objective nature. Personal data may also be of a subjective nature, for example a diagnosis from a doctor. The GDPR identifies four groups of privacy-sensitive personal data that need to be processed with greater security. One of these groups is the special categories of personal data listed in Article 9 of the GDPR (also known as 'sensitive personal data'), such as data concerning health, political opinions, religious or philosophical beliefs and a person's sexual orientation.