
Remedies

One of the 22 tasks of the DPAs discussed above concerns complaint handling: the complaint can be lodged either by an individual data subject, or by a representative organization or association (in accordance with Article 80 GDPR) and needs to be followed up by a procedure of investigation and feedback within a reasonable period, “in particular if further investigation or coordination with another supervisory authority is necessary” (Article 57(1)(f) GDPR). The right is further elaborated in Chapter VIII of the GDPR (“Remedies, liabilities and penalties”, Articles 77-84 GDPR) “without any prejudice to any other administrative or judicial remedy”. This right to complain can be exercised either before the DPA of the data subject’s or representative organization or association’s country of residence, or before the DPA of the Member State where the alleged infringement occurred (Recital 141, Article 77 GDPR; possible conflict with one-stop-shop concept, see above). It is noteworthy that the remedy before a DPA is not exclusive. [1] Articles 78 and 79 GDPR foresee an additional right to an effective judicial remedy for all natural and legal persons (individual or via a representative organization) against decisions of a DPA concerning them; failures by a DPA to deal with a complaint within three months; and, for data subjects, against any unlawful processing of their personal data by a controller or processor (Recital 143, Articles 78-79 GDPR).

Hence, data protection might go to court, and in fact it does go to all kinds of courts (labour courts, criminal courts, administrative courts, civil courts...), but the onus of GDPR in terms of length, detail and insistence is on the administrative enforcement system controlled by the DPA. This also explains the long provisions on the possible administrative sanctions in the GDPR.

Before the GDPR, under the 1995 Directive, discretion was left to Member States in their choice of sanctions: criminal, administrative, or other (civil or tort law) or a mix. Considering that the 1995 Directive left the choice of the enforcement regime to the discretion of Member States, the use of criminal sanctions varies from one country to another. Whereas some states only criminalized some data protection wrongs and mainly used civil law or administrative sanctions, others opted for an extensive set of data protection crimes or (e.g. Belgium) relied exclusively on criminal law. Most data protection acts entail mixed approaches with both provisions on penal and on administrative sanctions (e.g. Austria).[2] This example is now followed in the GDPR that, contrary to the 1995 Directive, explicitly distinguishes criminal and administrative sanctions, with one very general provision on criminal sanctions (Article 84 GDPR), and one long, very detailed provision on administrative sanctions (Article 83 GDPR). Article 83(1) opens with a duty for states to arm their DPAs with administrative sanctions. The text partly restricts the discretion of Member States under the 1995 Directive to choose between types of sanctions, by setting out guidelines for administrative sanctions that Member States can introduce. The Article reads as a criminal code with provisions about how administrative sanctions should be determined and a list of ‘administrative wrongs’ grouped in paragraphs (Article 83(3) to (6) GDPR) with the amounts of fines going up in relation to the increasing seriousness of the wrong. A quick count of the provisions that are related to fines gives a list of almost 50 administrative data protection wrongs.

Articles 83(4) and 83(5) GDPR introduce two levels of fines: (1) up to 10 million or 2% of the undertaking’s global annual turnover, whichever is higher, for certain infringements, mostly with regard to the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43 GDPR and (2) up to 20 million or 4% of the undertaking’s global annual turnover, for (more severe) infringements of the basic data protection principles for processing, the data subjects’ rights, international transfers and non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority. These fines are generally considered to be “high”, especially in the light of the fines initially proposed by the European Commission and are said to add real “teeth” to data protection enforcement in the EU.

Read together with a number of other sanctions and measures, such as warnings, periodic review, data protection audits, one has the feeling of completeness: the proposed administrative enforcement system is detailed and seems well prepared. Powers of DPAs are thought through, controllers and processors can no longer process data in an unchecked manner, but have to work transparently creating an environment where proof of good behaviour can always be given immediately; and actors and mechanisms, such as certification bodies, data protection officers and binding corporate rules, are organized with precise instructions to add value, rather than to serve as window dressing.

  • [1] See Hijmans, supra note 23, 335; Galetta, De Hert, supra note 1. 2 The GDPR also sets out rules on jurisdiction allowing the data subject to bring a private enforcement action in the Member State where the offending controller or processor has its establishment, or alternatively in the Member State where the data subject has his or her habitual residence. See on these novelties in the context of private international law, L. Lundstedt, ‘International Jurisdiction over Crossborder Private Enforcement Actions under the GDPR’, 2018, Faculty of Law, Stockholm University Research Paper No. 57, 45. Available at SSRN: or 3 Critically on the lack of attention for the data protection three layered-remedy system other than the administrative remedies before DPAs and with reference to best practices in Member States that were ignored by the GDPR legislator, see Galetta, De Hert, supra note 1, 125-151.
  • [2] More in detail, see P. De Hert, G. Boulet, ‘The Co-existence of Administrative and Criminal Law Approaches to Data Protection Wrongs’, in D. Wright, P. De Hert (eds), Enforcing Privacy. Regulatory, Legal and Technological Approaches (Springer, 2016), 357-394; P. De Hert, ‘The EU Data Protection Reform and the (Forgotten) Use of Criminal Sanctions’, (2014) 4 International Data Privacy Law, 262. 2 Article 84 GDPR (Penalties): “1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive. 2. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1 (...)”. 3 Compare Burton, De Boel, Kuner, Pateraki, Cadiot, Hoffman, supra note 10, 12.