GDPR Learning Hub

Article 58(2)(f) of the GDPR

Prohibit a company from carrying out a certain processing

A supervisory authority may prohibit a company from carrying out a specific processing operation by imposing a ban on the processing. In addition, the supervisory authority may issue warnings before the processing is initiated, or restrict the processing. These are some of the corrective powers a supervisory authority has under the GDPR.

What does a decision to prohibit a company from carrying out certain processing of personal data mean?

The supervisory authority may, pursuant to Article 58(2)(f) of the GDPR, impose a ban on processing. The prohibition limits the processing in its entirety. The company must comply with the supervisory authority’s decision on the ban. 

The supervisory authority may combine the prohibition with an administrative fine in the event of an infringement. This means that the company may be forced to pay an administrative fine if it violates the ban on processing. In other words, the company must pay a certain predetermined amount if it continues the processing despite the ban.

Can a supervisory authority decide on a measure other than prohibiting a company from carrying out a certain processing of personal data?

Yes, a supervisory authority can impose various corrective measures on a company, in accordance with Article 58(2) of the GDPR. Instead of imposing a ban, it can choose to impose a limitation on processing. Such a limitation may be definitive or may apply for a specified period of time. In such cases, the processing is not prohibited in its entirety; it is limited.

Can companies receive a written warning before they start processing personal data?

Yes, the national supervisory authority may issue a written warning before a company starts processing. The written warning is not binding, however, which means that it is not possible to appeal against it. Even so, it is good for the company to follow the warning, as it is the same national supervisory authority that can carry out inspections and impose administrative fines on a company that violates the GDPR.

If the supervisory authority considers the processing to be prohibited and has also issued a written warning about it, it will most likely come to the same conclusion after an inspection.

Two examples of when the supervisory authority can issue a written warning to a company are:

  • When prior consultation is requested,
  • During a certification process.

More information about GDPR

Data subjects may be entitled to damages for breaches of the GDPR

A data subject who has suffered damage due to the company’s breach of the GDPR may be entitled to damages. However, this is not a demand made by the supervisory authority on the company. Instead, the data subject must bring a separate civil action against the company. Administrative fines and damages are two different things. If a company is fined, it must pay the amount to the state. In other words, the data subject does not receive the money from the administrative fine.
