OneTrust GDPR Deep Dive Series Chapter 8: Remedies, Liability, and Penalties

Chapter 8 of the General Data Protection Regulation (GDPR) outlines the remediation and penalty determination processes if data controllers or processors are found in violation of the Regulation.

According to the chapter’s provisions, data subjects can file complaints against data controllers or processors with the data protection authority (DPA) where they live, work, or where the infringement occurred. Within 90 days of the complaint, the DPA is obligated to notify the data subject the complaint’s status.

An important provision in Chapter 8 is that there cannot be competing cases in multiple Member States in that the same case cannot be heard simultaneously in multiple jurisdictions. And, data subjects can receive compensation for infringements against their rights.

The chapter, most significantly, outlines the administrative fine parameters. Fines must be effective, proportionate, and dissuasive.

Fine determination is based on:

  • Nature, gravity, and duration of the infringement
  • Intentional or negligent character of the infringement
  • Degree of controller or processor responsibility
  • Level of cooperation with data protection authority
  • Type of data involved in the infringement
  • Way the infringement came to be known
  • Data subject notification
  • Controller/Processor notification
  • Other factors relevant to the case

There are two levels of administrative fines that Member States’ data protection authorities can give companies violating the Regulation. The first fine of €10,000,000 or 2% of annual revenue applies to controllers or processors found in violation of the following articles:

 

Article 8: Processing of personal data of a child Article 33: Notification of a personal data breach to the supervisory authority
Article 11: Processing which does not require identification Article 34: Communication of a personal data breach to the data subject
Article 25: Data protection by design and by default Article 35: Data protection impact assessment
Article 26: Joint controllers Article 36: Prior Consultation
Article 27: Representatives of controllers not established in the Union Article 37: Designation of the data protection officer
Article 28: Processor Article 38: Position of the data protection officer
Article 29: Processing under the authority of the controller or processor Article 39: Tasks of the data protection officer
Article 30: Records of processing activities Article 41: Monitoring of approved codes of conduct
Article 31: Cooperation with the supervisory authority Article 42: Certification
Article 32: Security of processing Article 43: Certification Bodies

The second level of administrative fine is €20,000,000 or 4% of annual revenue. This applies to controllers or processors infringing on the following:

 

Article 5: Principles relating to personal data processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 6: Lawfulness of processing Article 20: Right to data portability
Article 7: Conditions for consent Article 21: Right to object
Article 9: Processing of special categories of personal data Article 22: Automated individual decision-making, including profiling
Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 44: General principle for transfers
Article 13: Information to be provided where personal data are collected from the data subject Article 45: Transfers on the basis of an adequacy decision
Article 14: Information to be provided where personal data have not been obtained from the data subject Article 46: Transfers subject to appropriate safeguards
Article 15: Right of access by the data subject Article 47: Binding corporate rules
Article 16: Right to rectification Article 48: Transfers or disclosures not authorised by Union law
Article 17: Right to erasure (“right to be forgotten”) Article 49: Derogations for specific situations
Article 18: Right to restriction of processing Article 58: Powers

Chapter 8 Articles & Descriptions

Article 77: Right to lodge a complaint with a supervisory authority
Article 78: Right to an effective judicial remedy against a supervisory authority
Article 79: Right to an effective judicial remedy against a controller or processor
Article 80: Representation of data subjects
Article 81: Suspension of proceedings
Article 82: Right to compensation and liability
Article 83: General conditions for imposing administrative fines
Article 84: Penalties

GDPR will come into effect on May 25, 2018, and OneTrust believes that every global organization should start considering how to best implement efficient and effective data-handling practices that are replicable and consistent. The GDPR Deep Dive Series delves into each chapter of the GDPR to summarize key takeaways of the new governance in an easy-to-digest format. It is intended to help privacy executives with implementation and operationalization of GDPR regulations, and will be published bi-weekly on our blog.