The GDPR Regulation requires all data controllers and processors to protect the personal information and data of EU residents. This means that the location of the data subject prevails, whereas the location of the controller and processor is irrelevant. As such, all data controllers and processors must implement appropriate technical and organisational measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Online privacy and data protection have gained critical importance over the years. Database management and lead generation enrich existing private information to tailor marketing and sales messages. Cases of identity theft and online fraud are increasing significantly. As such, the rights, privacy and freedoms of natural persons in the EU must be protected, whilst barriers to businesses must be reduced by facilitating the free movement of data throughout the EU. Individuals thereby regain control over their personal data, and supervisory authorities enforce compliance with the GDPR Regulation within a straightforward regulatory environment.
The GDPR Regulation provides for rights to compensation and liability and defines general conditions for imposing administrative fines. Alongside the sanctions laid down in the GDPR Regulation, individual EU member states may introduce other penalties as well. Judicial remedies by a court enforce rights or impose penalties. However, the supervisory authority has received ample tools to sanction wrongdoers.
Supervisory authorities are responsible for compliance with the GDPR in the designated member states. The independent European Data Protection Board has legal personality and is a body of the Union. The Board ensures the consistent application of the GDPR Regulation in the member states by the supervisory authorities. Supervisory authorities have powers to investigate and correct. The corrective powers include warnings, reprimands and administrative fines.
Administrative fines are discussed in Article 83 of the Regulation. These will be imposed in addition to, or instead of, other measures referred to in the Regulation. The amount of the administrative fine depends on, for example, the nature, gravity and duration of the infringement; the intentional or negligent character of the infringement; the degree of responsibility; the degree of cooperation; and the possible relevant previous infringements by the controller and processor.
If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement. Infringements of several of the provisions shall be subject to administrative fines up to 10 million Euros, or in the case of an undertaking up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The maximum administrative fine is imposed only for significant impacts on the rights and freedoms of many data subjects.