While Articles 77, 78, 79, 80, 81, and 82 cover the right to lodge a complaint, the right to an effective judicial remedy against a supervisory authority and against a controller or processor respectively, the representation of a data subject in lodging a complaint, the suspension of potential proceedings, and the right to compensation and liability, GDPR Article 83 stipulates the general conditions for imposing administrative fines. In other words: Article 83 specifies the GDPR fines and the conditions under which each fine is applied. Article 84 foresees additional stipulations on penalties.
The so-called GDPR fines and penalties and their application were further detailed in October 2017 by the Article 29 Working Party in the form of guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679.
These guidelines direct supervisory authorities in the actual application and enforcement of the GDPR, specifically in the scope of GDPR fines and penalties. They are not part of Chapter 8 of the GDPR, nor of the GDPR text, but shed more light on how the application of penalties will happen in practice.
Table of Contents
- Chapter 8 – Remedies, liability and penalties
- Article 77 – Right to lodge a complaint with a supervisory authority
- Article 78 – Right to an effective judicial remedy against a supervisory authority
- Article 79 – Right to an effective judicial remedy against a controller or processor
- Article 80 – Representation of data subjects
- Article 81 – Suspension of proceedings
- Article 82 – Right to compensation and liability
- Article 83 – General conditions for imposing administrative fines
- Article 84 – Penalties
GDPR Article 77 defines the data subject’s right to lodge a complaint with a supervisory authority. He/she can do this in his/her place of normal residence in the EU, in the place where the alleged infringement has taken place, or in his/her place of work.
It is then the duty of the supervisory authority where the complaint was lodged to keep the data subject informed on the progress and outcome of that complaint, including the possibility of a judicial remedy as mentioned in GDPR Article 78.
GDPR Article 78 then stipulates the right to a judicial remedy which BOTH a data subject AND a legal person (the data subject is a natural person and this is one of the few Articles where legal persons are mentioned in the GDPR) have against a legally binding decision of a supervisory authority concerning them.
The other paragraphs of Article 78 establish additional rules regarding, among others, the duty of the supervisory authority to inform the complainant or handle the complaint within a specific time frame, and the proceedings themselves.
As the title already indicates, GDPR Article 79 tackles the right to a judicial remedy against a controller or processor instead of a supervisory authority.
It also looks at the rules regarding proceedings in this case.
GDPR Article 80 sets out rules regarding the right of the data subject to mandate an organization that represents him/her. Such organizations, among others, need to be active in personal data protection.
Article 80 also looks at the other conditions under which such an organization can represent a data subject in lodging a complaint, rights of compensation and more.
GDPR Article 81, among others, states that where a competent court of an EU Member State has information on proceedings, concerning the same subject matter regarding processing by the same controller or processor, which are pending in a court in another Member State, it must contact that court in that other State to confirm the existence of such proceedings.
GDPR Article 82 zooms in on the compensation which any person can receive when they have suffered damage as a result of a GDPR infringement.
Moreover, here the crucial question of liability comes into the picture, one of those debates regarding the GDPR which some fear will become a matter of controllers and processors pointing fingers over who exactly is liable for what. And if anyone pays compensation, another topic of Article 82, the claiming back from other controllers and processors can start. However, at the end of the day any discussions whatsoever are in the hands of courts (and of supervisory authorities and the processors and controllers before that; a court is a last resort).
We’ve added links to GDPR Article 83 so you can easily see which administrative fines could be applied, and when, in several general types of infringement. As also mentioned in our article on GDPR fines and penalties, this depends on numerous factors, which are mentioned in Article 83, but also on the various Articles on, among others, essential GDPR rules and data subject rights, which are all mentioned in Article 83.
Here, however, at the end of the day the Member States and their supervisory authorities, as well as courts, do have an important role.
GDPR Article 84 foresees an additional role for Member States in defining the rules on other penalties regarding GDPR infringements in cases where these do not fall under the fines (and conditions for them) mentioned in Article 83.
In determining fines in the past (under the predecessor of the GDPR) supervisory authorities in Member States have not often applied maximum fines but always took into account various aspects.
Whether they will be much stricter is a question that remains open, but the focus is far too much on the fines and not enough on getting as GDPR compliant as possible, knowing that fines and penalties should be effective and also proportionate, and of course your level of compliance will play a role.