
13. GDPR – The enforcement mechanism

Outline of the chapter

The aim of this Chapter is to introduce the enforcement mechanism provided for in the GDPR. For the effective exercise of rights as well as compliance with any obligation, the Regulation provides for both public and private enforcement. The first rests on the Supervisory Authorities and their corrective powers, including the system of administrative fines. The second enables data subjects to bring claims before the courts for violations of their rights. Understanding the role and tasks of Supervisory Authorities is therefore central to this framework.

The topics covered are:

  • Supervisory Authorities (13.1)
  • Lead Supervisory Authorities (13.2)
  • Liability, complaints and remedies (13.3)

(13.1) Supervisory Authorities

Following the GDPR provisions, each Member State has established one or more Supervisory Authorities to monitor the application of the Regulation with full independence. The Authorities play a major role in the protection of the rights of data subjects. Article 51 GDPR provides the following:

Article 51 GDPR – Supervisory Authority

  1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).
  2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII.
  3. Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.

The independence of Supervisory Authorities is a defining characteristic of their functioning. As Article 52 GDPR provides, this independence is both financial and organisational: it concerns the resources and budget of the Supervisory Authorities as well as their position within the administrative organisation of the state. The members of the Supervisory Authorities must remain free from external influence in the performance of their tasks, must neither seek nor take instructions from anybody, and must not engage in any incompatible occupation.

Article 52 GDPR – Independence

  1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.
  2. The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.
  3. Member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.
  4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.
  5. Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.
  6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.

The Court of Justice of the EU has gone further in reinforcing the independence of the Supervisory Authorities. In Case C-518/07, Commission v Germany, the Court held that independence precludes not only influence by the supervised bodies but also any direct or indirect influence of the State itself, while in Case C-362/14, Schrems I, the Court held that a Commission adequacy decision cannot prevent a national Supervisory Authority from examining, with complete independence, a claim concerning the transfer of personal data to a third country.

Case C-362/14 Schrems I EU:C:2015:650

[41] The guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the monitoring of compliance with the provisions concerning protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim. It was established in order to strengthen the protection of individuals and bodies affected by the decisions of those authorities. The establishment in Member States of independent supervisory authorities is therefore, as stated in recital 62 in the preamble to Directive 95/46, an essential component of the protection of individuals with regard to the processing of personal data (see judgments in Commission v Germany, C‑518/07, EU:C:2010:125, paragraph 25, and Commission v Hungary, C‑288/12, EU:C:2014:237, paragraph 48 and the case-law cited).

….

[51] The Commission may adopt, on the basis of Article 25(6) of Directive 95/46, a decision finding that a third country ensures an adequate level of protection. In accordance with the second subparagraph of that provision, such a decision is addressed to the Member States, who must take the measures necessary to comply with it. Pursuant to the fourth paragraph of Article 288 TFEU, it is binding on all the Member States to which it is addressed and is therefore binding on all their organs (see, to this effect, judgments in Albako Margarinefabrik, 249/85, EU:C:1987:245, paragraph 17, and Mediaset, C‑69/13, EU:C:2014:71, paragraph 23) in so far as it has the effect of authorising transfers of personal data from the Member States to the third country covered by it.

[52] Thus, until such time as the Commission decision is declared invalid by the Court, the Member States and their organs, which include their independent supervisory authorities, admittedly cannot adopt measures contrary to that decision, such as acts intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection. Measures of the EU institutions are in principle presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality (judgment in Commission v Greece, C‑475/01, EU:C:2004:585, paragraph 18 and the case-law cited).

[53] However, a Commission decision adopted pursuant to Article 25(6) of Directive 95/46, such as Decision 2000/520, cannot prevent persons whose personal data has been or could be transferred to a third country from lodging with the national supervisory authorities a claim, within the meaning of Article 28(4) of that directive, concerning the protection of their rights and freedoms in regard to the processing of that data. Likewise, as the Advocate General has observed in particular in points 61, 93 and 116 of his Opinion, a decision of that nature cannot eliminate or reduce the powers expressly accorded to the national supervisory authorities by Article 8(3) of the Charter and Article 28 of the directive.

[57] On the contrary, Article 28 of Directive 95/46 applies, by its very nature, to any processing of personal data. Thus, even if the Commission has adopted a decision pursuant to Article 25(6) of that directive, the national supervisory authorities, when hearing a claim lodged by a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him, must be able to examine, with complete independence, whether the transfer of that data complies with the requirements laid down by the directive.

Case C-518/07 Commission v Germany EU:C:2010:125

[18] With regard, in the first place, to the wording of the second subparagraph of Article 28(1) of Directive 95/46, because the words ‘with complete independence’ are not defined by that directive, it is necessary to take their usual meaning into account. In relation to a public body, the term ‘independence’ normally means a status which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure.

[19] Contrary to the position taken by the Federal Republic of Germany, there is nothing to indicate that the requirement of independence concerns exclusively the relationship between the supervisory authorities and the bodies subject to that supervision. On the contrary, the concept of ‘independence’ is complemented by the adjective ‘complete’, which implies a decision-making power independent of any direct or indirect external influence on the supervisory authority.

….

[25] The guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim. It was established not to grant a special status to those authorities themselves as well as their agents, but in order to strengthen the protection of individuals and bodies affected by their decisions. It follows that, when carrying out their duties, the supervisory authorities must act objectively and impartially. For that purpose, they must remain free from any external influence, including the direct or indirect influence of the State or the Länder, and not of the influence only of the supervised bodies.

….

[30] In the light of the foregoing, the second subparagraph of Article 28(1) of Directive 95/46 is to be interpreted as meaning that the supervisory authorities responsible for supervising the processing of personal data outside the public sector must enjoy an independence allowing them to perform their duties free from external influence. That independence precludes not only any influence exercised by the supervised bodies, but also any directions or any other external influence, whether direct or indirect, which could call into question the performance by those authorities of their task consisting of establishing a fair balance between the protection of the right to private life and the free movement of personal data.

Supervisory Authorities have a wide range of tasks, extending from monitoring compliance with the data protection rules to giving advice to controllers and promoting the values embedded in the Regulation. The tasks are listed in the first paragraph of Article 57 GDPR.

Article 57(1) GDPR – Tasks

Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

a) monitor and enforce the application of this Regulation;

b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing;

d) promote the awareness of controllers and processors of their obligations under this Regulation;

e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;

i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

j) adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);

k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);

l) give advice on the processing operations referred to in Article 36(2);

m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);

n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);

o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);

p) draft and publish the requirements for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

r) authorise contractual clauses and provisions referred to in Article 46(3);

s) approve binding corporate rules pursuant to Article 47;

t) contribute to the activities of the Board;

u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and

v) fulfil any other tasks related to the protection of personal data.

For the performance of these tasks, Article 58 GDPR, in its first three paragraphs, lists the main powers of supervisory authorities. The powers fall into three groups: i. investigative; ii. corrective; and iii. authorisation and advisory powers. As paragraph 4 of the same article provides, the exercise of the powers conferred on the supervisory authority is subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law.

Article 58 GDPR – Powers

1. Each supervisory authority shall have all of the following investigative powers:

a) to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;

b) to carry out investigations in the form of data protection audits;

c) to carry out a review on certifications issued pursuant to Article 42(7);

d) to notify the controller or the processor of an alleged infringement of this Regulation;

e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

2. Each supervisory authority shall have all of the following corrective powers:

a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;

d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

e) to order the controller to communicate a personal data breach to the data subject;

f) to impose a temporary or definitive limitation including a ban on processing;

g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

3. Each supervisory authority shall have all of the following authorisation and advisory powers:

a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;

b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;

c) to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;

d) to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);

e) to accredit certification bodies pursuant to Article 43;

f) to issue certifications and approve criteria of certification in accordance with Article 42(5);

g) to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);

h) to authorise contractual clauses referred to in point (a) of Article 46(3);

i) to authorise administrative arrangements referred to in point (b) of Article 46(3);

j) to approve binding corporate rules pursuant to Article 47.

The material and territorial competence of Supervisory Authorities is prescribed by Article 55 GDPR. Territorial competence is, in principle, limited to the territory of each Member State. The second paragraph of the article does not widen this territorial rule but carves out an exception to the lead supervisory authority mechanism of Article 56: where processing is carried out by public authorities or private bodies on the basis of a legal obligation (Article 6(1)(c) GDPR) or of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) GDPR), the supervisory authority of the Member State concerned is competent and Article 56 does not apply. The genuine departures from the one-Member-State rule are linked to the cross-border nature of data processing and will be discussed below. Material competence is limited in one respect: supervisory authorities are not competent to supervise processing operations of courts acting in their judicial capacity (third paragraph).

Article 55 GDPR – Competence

  1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.
  2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.
  3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.

Which Supervisory Authorities are ‘concerned’ by a given processing operation is defined in Article 4(22) GDPR. An authority can be concerned on one of three grounds: i. the establishment of the controller or processor on its territory; ii. the residence of data subjects who are (or are likely to be) substantially affected by the processing; or iii. the lodging of a complaint with that authority.

Article 4(22) GDPR – ‘supervisory authority concerned’

‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:

a) the controller or processor is established on the territory of the Member State of that supervisory authority;

b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

c) a complaint has been lodged with that supervisory authority;

How to file a complaint?

Step-by-step information is provided on the website of the Supervisory Authority concerned. The Dutch Supervisory Authority (Autoriteit Persoonsgegevens), for example, publishes such guidance for complainants on its website.

(13.2) Lead Supervisory Authorities

In the EU’s internal market, and especially in a digital society, processing of personal data easily crosses borders. This can be due to the location of controllers and processors, which may have more than one establishment, or simply to the offering of goods and services to data subjects throughout the territory of the European Union without any territorial restriction. The definitions in Article 4 GDPR also contain an explanation of ‘cross-border processing’ of personal data:

‘cross-border processing’ means either:

a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

A legitimate question in such cross-border situations concerns the territorial competence of Supervisory Authorities. If each Supervisory Authority is concerned by processing activities linked to its territory, does this mean that more than one Authority has competence in cross-border situations?

The GDPR addresses this question by introducing the concept of the Lead Supervisory Authority in Article 56, often referred to as the ‘one-stop-shop’ mechanism.

Article 56 GDPR – Competence of the lead supervisory authority

  1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.
  2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.
  3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.
  4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).
  5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.
  6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

Thus, the Lead Supervisory Authority is the single national Authority which, because the controller or processor has its main or single establishment on its territory, is competent to handle a specific cross-border case. The other Supervisory Authorities concerned take part in the cooperation procedure of Article 60: they receive the draft decision, may raise relevant and reasoned objections, and may be asked for mutual assistance or joint operations. The decision addressed to the controller or processor is, however, adopted by the Lead Supervisory Authority, subject to the derogations of Article 56(2) (purely local cases) and Article 60(8) (dismissal or rejection of a complaint).

Article 60 GDPR – Cooperation between the lead supervisory authority and the other supervisory authorities concerned

  1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.
  2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.
  3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.
  4. Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.
  5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.
  6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.
  7. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.
  8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.
  9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.
  10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.
  11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.
  12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.

In order to ensure cooperation and the consistent application of the GDPR among the various Supervisory Authorities, the Regulation establishes the consistency mechanism (Articles 63 to 67). This mechanism is especially important where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States.

Article 63 GDPR – Consistency mechanism

In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.

Within the consistency mechanism the European Data Protection Board first acts through opinions (Article 64 GDPR): it must be consulted on the measures listed in Article 64(1), and any Supervisory Authority, the Chair of the Board or the European Commission may request its opinion on any matter of general application or producing effects in more than one Member State. These opinions are not binding as such. Where a Supervisory Authority fails to request a required opinion or does not follow one, where there are conflicting views on which authority is competent for the main establishment, or where a dispute between the Lead Supervisory Authority and the other Supervisory Authorities concerned cannot be resolved in the Article 60 procedure, the Board adopts a binding decision under Article 65 GDPR, addressed to the Lead Supervisory Authority and all the Supervisory Authorities concerned.

Article 65 GDPR – Dispute resolution by the Board

  1. In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:

a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has not followed the objection or has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation;

b) where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;

c) where a competent supervisory authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64. In that case, any supervisory authority concerned or the Commission may communicate the matter to the Board.

The European Data Protection Board has made use of Article 65 GDPR and has adopted binding decisions in a number of cross-border cases. The decisions are published by the Board, and it is not surprising that most of them concern controllers operating large online platforms and communication services, for example Meta, TikTok and (formerly) Twitter.

To better understand the role of the European Data Protection Board (the successor to the Article 29 Working Party) within the GDPR, and to distinguish it from the European Data Protection Supervisor, which supervises the processing of personal data by the Union institutions, bodies, offices and agencies, please read the two Articles below.

Article 68 GDPR – European Data Protection Board

  1. The European Data Protection Board (the ‘Board’) is hereby established as a body of the Union and shall have legal personality.
  2. The Board shall be represented by its Chair.
  3. The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.
  4. Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, a joint representative shall be appointed in accordance with that Member State’s law.
  5. The Commission shall have the right to participate in the activities and meetings of the Board without voting right. The Commission shall designate a representative. The Chair of the Board shall communicate to the Commission the activities of the Board.
  6. In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.

Article 52 Regulation (EU) 2018/1725 (of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC) – European Data Protection Supervisor

1.   The European Data Protection Supervisor is hereby established.

2.   With respect to the processing of personal data, the European Data Protection Supervisor shall be responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to data protection, are respected by Union institutions and bodies.

3.   The European Data Protection Supervisor shall be responsible for monitoring and ensuring the application of the provisions of this Regulation and of any other Union act relating to the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data by a Union institution or body, and for advising Union institutions and bodies and data subjects on all matters concerning the processing of personal data. To those ends, the European Data Protection Supervisor shall fulfil the tasks set out in Article 57 and exercise the powers granted in Article 58.

….

(13.3) Liability, complaints and remedies 

As it was stated at the start of this chapter, the GDPR provides both for public and for private enforcement.

(13.3.1) Public enforcement

Public enforcement is carried out by the Supervisory Authorities. As already seen under Article 58 GDPR, these Authorities have both investigative and corrective powers. They may open an investigation ex officio or on the basis of a complaint lodged by a data subject.

Article 77 GDPR – Right to lodge a complaint with a supervisory authority

  1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
  2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.

If the Supervisory Authority finds an infringement of the GDPR, it has the power to impose administrative fines. Such fines must be effective, proportionate and dissuasive. The amount depends on several factors, including the nature, gravity and duration of the infringement; whether it was committed intentionally or negligently; the degree of cooperation shown by the organisation; and any action taken to mitigate the damage suffered by the affected individuals.

Not every established infringement is punished with a fine. The corrective powers of the Supervisory Authorities, already discussed under Article 58(2), also include warnings, reprimands, orders to bring processing into compliance and temporary or definitive limitations on processing, and a fine may be imposed in addition to, or instead of, those measures (Article 83(2)).

The general conditions for imposing a fine are laid down in Article 83 GDPR. The article sets only the upper limit of the fine, leaving it to the Authorities to determine the exact amount in a specific case. Paragraph 4 lists the infringements subject to the lower ceiling: up to EUR 10 000 000 or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. Paragraph 5 lists the infringements subject to the higher ceiling: up to EUR 20 000 000 or, in the case of an undertaking, up to 4 % of that turnover, whichever is higher. Note that the turnover-based ceiling applies only to undertakings, and that where several provisions are infringed by the same or linked processing operations, the total fine may not exceed the ceiling for the gravest infringement (paragraph 3).

Article 83 GDPR – General conditions for imposing administrative fines

1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

b) the intentional or negligent character of the infringement;

c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

e) any relevant previous infringements by the controller or processor;

f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

b) the obligations of the certification body pursuant to Articles 42 and 43;

c) the obligations of the monitoring body pursuant to Article 41(4).

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

b) the data subjects’ rights pursuant to Articles 12 to 22;

c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

d) any obligations pursuant to Member State law adopted under Chapter IX;

e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.
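The ceiling rules of paragraphs 3 to 6 can be written down as a small calculator. The block below is an added example written for this chapter, not a tool of any Supervisory Authority or of the Board: it encodes only the upper limits of Article 83(4) to (6) for infringements by controllers and processors (the certification-body and monitoring-body cases of 83(4)(b) and (c) and Member State law under Chapter IX are left out), takes turnover in whole euro, and its function and variable names are its own. The amount actually imposed within the ceiling remains a matter for the Authority under Article 83(2).

```python
"""Upper limits of GDPR administrative fines, Article 83(3) to (6).

Added illustration for this chapter; not an official calculator. Only the
ceilings are computed: the amount actually imposed is fixed by the supervisory
authority within the ceiling, having regard to the criteria of Article 83(2).
"""
from typing import Iterable, Optional

# Ceiling per tier: (fixed amount in EUR, percentage of the total worldwide
# annual turnover of the preceding financial year). The percentage applies
# only to undertakings, and then "whichever is higher" governs.
TIER_CAPS = {
    "83(4)": (10_000_000, 2),   # lower tier
    "83(5)": (20_000_000, 4),   # higher tier; 83(6) carries the same ceiling
}


def tier_for_article(article: int) -> str:
    """Map an infringed GDPR article to the tier of Article 83(4) or 83(5).

    Encodes the controller/processor obligations of 83(4)(a) and the lists of
    83(5)(a) to (c). Articles outside those lists raise an error rather than
    being silently assigned a tier.
    """
    if article in (8, 11) or 25 <= article <= 39 or article in (42, 43):
        return "83(4)"
    if article in (5, 6, 7, 9) or 12 <= article <= 22 or 44 <= article <= 49:
        return "83(5)"
    raise ValueError(f"Article {article} is not listed in Article 83(4) or 83(5)")


def ceiling(tier: str, turnover: Optional[int] = None) -> int:
    """Ceiling in EUR for a single tier.

    turnover: total worldwide annual turnover of the preceding financial year
    in EUR if the infringer is an undertaking; None if it is not an undertaking
    (e.g. a natural person), in which case only the fixed amount applies.
    """
    fixed, percent = TIER_CAPS[tier]
    if turnover is None:
        return fixed
    return max(fixed, turnover * percent // 100)   # "whichever is higher"


def max_fine(articles: Iterable[int], turnover: Optional[int] = None,
             non_compliance_with_order: bool = False) -> int:
    """Ceiling for one case covering several linked infringements.

    Article 83(3): where the same or linked processing operations infringe
    several provisions, the total fine may not exceed the amount specified for
    the gravest infringement, so per-tier ceilings are not summed.
    non_compliance_with_order: Article 83(6), failure to comply with an
    Article 58(2) order, which carries the higher-tier ceiling.
    """
    tiers = {tier_for_article(a) for a in articles}
    if non_compliance_with_order:
        tiers.add("83(5)")
    if not tiers:
        raise ValueError("no infringement given")
    return max(ceiling(t, turnover) for t in tiers)


if __name__ == "__main__":
    # Constructed scenarios for illustration.
    # A non-undertaking infringing Article 32 (security): fixed ceiling only.
    print(max_fine([32]))                                   # 10000000
    # Undertaking with EUR 100 million turnover: 2 % = 2 million < 10 million.
    print(max_fine([32], turnover=100_000_000))             # 10000000
    # Undertaking with EUR 1 billion turnover: 2 % = 20 million > 10 million.
    print(max_fine([32], turnover=1_000_000_000))           # 20000000
    # Linked breaches of Articles 32, 33 and 5 by that undertaking: the
    # gravest tier governs, 4 % = 40 million, not 20 + 20 + 40 million.
    print(max_fine([32, 33, 5], turnover=1_000_000_000))    # 40000000
```

The turnover figure is kept as an integer number of euro and the percentage as an integer so that the comparison in `ceiling` does not depend on floating-point rounding; whether an infringer is an "undertaking" within the meaning of EU competition law is a legal question the calculator takes as an input, not one it decides.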

(13.3.2) Private enforcement

An administrative fine imposed on a controller or processor does not give the data subject any direct compensation. Apart from public enforcement, however, data subjects may bring a case before a national court, either independently of or in parallel with the procedure before the national Supervisory Authority. The case may be brought either before the courts of the Member State where the controller or processor has an establishment, or before the courts of the Member State where the data subject has his or her habitual residence (unless the controller or processor is a public authority acting in the exercise of its public powers).

Article 79 GDPR – Right to an effective judicial remedy against a controller or processor

  1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
  2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

Any data subject who has suffered material or non-material damage as a result of an infringement of the GDPR may seek compensation before a court. The burden of proof lies with the data subject, which makes such claims difficult to win given the information asymmetry between data subjects on the one hand and controllers and processors on the other. Furthermore, as already seen in the Chapter on the GDPR obligations, most of those obligations are imposed on controllers. Processors therefore have only a residual liability: they are liable only where the damage is attributable to a breach of obligations specifically directed to processors, or to processing carried out outside or contrary to the controller's lawful instructions (Article 82(2)). Where several controllers or processors, or both a controller and a processor, are involved in the same processing and are responsible for the damage, the rule of joint and several liability in Article 82(4) applies: each of them is liable for the entire damage, so that the data subject can obtain full compensation, and the party that paid may afterwards claim back from the others the part corresponding to their share of responsibility (Article 82(5)).

Article 82 GDPR – Right to compensation and liability

  1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
  2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
  3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
  4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
  5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
  6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

Compensation may be sought both for material damage, such as financial loss, and for non-material damage, including emotional distress, reputational harm or the loss of control over one's personal data. The forum rule of Article 79(2), to which Article 82(6) refers, also favours the data subject: the claim can be brought before the courts of the Member State where the controller or processor is established or, alternatively, of the Member State where the data subject habitually resides, so that data subjects need not pursue costly or difficult litigation abroad to enforce their rights.

The right to compensation has been addressed by the CJEU on several occasions. A mere infringement of the GDPR does not in itself confer a right to compensation: the data subject must also show that he or she suffered damage, and the burden of proving that damage remains with the data subject. On the other hand, the right to compensation is not subject to any threshold of seriousness: damage must be compensated however small it is, the amount being determined under national rules, subject to the EU principles of equivalence and effectiveness.

Case C-300/21 UI v Österreichische Post AG, EU:C:2023:370

[41] Similarly, Articles 83 and 84 of the GDPR, which permit the imposition of administrative fines and other penalties, have essentially a punitive purpose and are not conditional on the existence of individual damage. The relationship between the rules set out in Article 82 and those set out in Articles 83 and 84 shows that there is a difference between those two categories of provisions, but also complementarity, in terms of encouraging compliance with the GDPR, it being observed that the right of any person to seek compensation for damage reinforces the operational nature of the protection rules laid down by that regulation and is likely to discourage the reoccurrence of unlawful conduct.

[42] Last, it is important to note that the fourth sentence of recital 146 of the GDPR states that the rules laid down by the GDPR apply without prejudice to any claims for damages deriving from the violation of other rules of EU or Member State law.

[43] In the light of all of the foregoing reasons, the answer to Question 1 is that Article 82(1) of the GDPR must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation.

….

[45] In the first place, the GDPR does not define the concept of ‘damage’ for the purposes of the application of this instrument. Article 82 of that regulation confines itself to expressly stating that not only ‘material damage’ but also ‘non-material damage’ may give rise to a right to compensation, without any reference being made to any threshold of seriousness.

[46] In the second place, the context of that provision also tends to indicate that the right to compensation is not subject to the condition that the damage in question has reached a certain threshold of seriousness. The third sentence of recital 146 of the GDPR states that ‘the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation’. It would be contrary to that broad conception of ‘damage’, favoured by the EU legislature, if that concept were limited solely to damage of a certain degree of seriousness.

….

[49] Making compensation for non-material damage subject to a certain threshold of seriousness would risk undermining the coherence of the rules established by the GDPR, since the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation would depend, would be liable to fluctuate according to the assessment of the courts seised.

….

[59] In the light of all of the foregoing considerations, the answer to Question 2 is that Article 82 of the GDPR must be interpreted as meaning that, for the purposes of determining the amount of damages payable under the right to compensation enshrined in that article, national courts must apply the domestic rules of each Member State relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.

Also in support of data subjects, Article 80 GDPR gives them the right to mandate a not-for-profit body, organisation or association to lodge complaints and pursue judicial remedies on their behalf and, where Member State law so provides, to claim compensation on their behalf. This allows for collective representation and support, particularly in complex or large-scale cases involving systemic data protection violations.

noyb, a non-governmental organisation based in Vienna and founded by Maximilian Schrems, is very active in this field. It has initiated many of the cases studied today, several of which resulted in fines imposed by Supervisory Authorities. Under the Representative Actions Directive (EU) 2020/1828, it has also been recognised as a qualified entity able to bring representative actions for the protection of consumers in Austria and Ireland.

Article 80 – Representation of data subjects

  1. The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.
  2. Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.

Brainstorming exercise

Read the following statement and give your own opinion about the merits and de-merits of it:

“Despite the fact that the GDPR allows public and private enforcement to be initiated independently, private enforcement must follow public enforcement.”

 

License

Icon for the Creative Commons Attribution 4.0 International License

Texts and Materials in Data Protection and Digital Human Rights Copyright © by Mando Rachovitsa, Jonida Milaj is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.
