General data protection aims to safeguard the privacy-related interests of natural persons within the European Union. The Regulation applies to enterprises that handle the personal data of natural persons. To safeguard the data of natural persons in the European Union, the Commission implemented the GDPR. The Regulation applies to the processing of personal data wholly or partly by automated means, and to processing by other than automated means of personal data that forms part of a filing system or is intended to form part of a filing system.
The unified General Data Protection Regulation protects the rights, privacy and freedoms of natural persons in the EU. At the same time, it reduces barriers for businesses by facilitating the free movement of data throughout the EU. Alongside these objectives, the GDPR provides the legal framework and regulatory environment to protect and maintain the rights of EU citizens. Supervision is a domestic matter for member states, exercised by the local and independent supervisory authority, and at Union level by the European Data Protection Board and the European Data Protection Supervisor.
Local supervisory authorities receive complaints from data subjects and investigate their claims. Action is taken when a violation of the GDPR is established. Sanctions range from reprimands to monetary penalties. The maximum penalty is high enough to discourage indifference and encourage compliance. However, as the GDPR enforcement tracker reveals, most penalties imposed on small and mid-cap businesses are far below the maximum threshold.
The main concern of the Regulation is the data subject, which is a natural person. As such, the structure of an investigation by the supervisory authorities always starts at the position of the data subject. To avoid regulatory arbitrage and forum shopping, data subjects can only file their complaint with the supervisory authority at their habitual residence. In the event data crosses borders, mutual assistance is provided by foreign supervisory authorities. Controllers and processors may be charged outside their place of corporate residence.
The supervisory authority investigates and, where a violation of the Regulation is found, takes corrective action. Correction can take different shapes and forms: warnings, reprimands, orders, limitations, and administrative fines are all possible sanctions against wrongdoers. As with other regulatory interventions, sanctions can be appealed by the alleged wrongdoer. Once the sanction is final, it must be executed. However, victimized data subjects may also bring a civil case for the breach of their fundamental right to data protection. As such, a violation of the GDPR may lead to penalties paid both to the local regulator and to the victimized data subject.