The sanctioning regime provided by regulation (EU) 2016/679 on the protection of personal data

Author: Irina Alexe, PhD
Pages: 60-73
PERSONAL DATA PROTECTION
Abstract
In the public space and in debates among professionals, the new General Data Protection
Regulation, which is to be applied from May 25th 2018, is increasingly discussed in connection with
the novelties brought by this European Union legislative act, and especially with its new
sanctioning regime. We analyse the questions that arise concerning the violations to be sanctioned,
the classification of sanctions and their amount, the deliberate nature of the violation and the effective
procedural safeguards, in accordance with the general principles of European Union law and the
CFSP. During the analysis we identify answers to these questions and, last but not least, underline
the competence of the Member States as well as the role of the national supervisory authorities
regarding the sanctioning regime provided for by the Regulation.
Keywords: Regulation (EU) 2016/679 (GDPR); the protection of personal data; corrective
powers; administrative fines; sanctioning regime; the competence of the Member States; national
supervisory authorities.
I. Short Introduction
Both in the public space and in discussions amongst professionals, the
enforcement, starting with 25 May 2018, of the new General Data
Protection Regulation1, hereafter the Regulation, or GDPR, is an increasingly
prominent subject.
Research associate, „Acad. Andrei Rădulescu” Legal Research Institute of Romanian Academy; Doctor of
Juridical Sciences of the University of Bucharest; principal areas of interest: Administrative Law, Constitutional
Law and European Law; irina_alexe@yahoo.com. This paper was presented in the European Conference on
Financial Services – ECFS 2017, organized in Brasov, 19-20 October, by the Institute for Financial Studies,
University „Petru Maior” Targu-Mures and the Romanian Society for Public and Private Affairs of
Targu-Mureş. The author would like to thank Mr. Bogdan opan for the support offered in translating the
article in English. The article was published in Romanian in Curierul Judiciar, no. 1/2018.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the free
Law Review vol. VIII, issue 1, January-June 2018, pp. 60-73
It is already widely known that the Regulation is not a novelty in
the field of the protection of natural persons with regard to the processing of personal
data, nor in the field of the free flow of personal data, and that, before 2016, these fields
were regulated at European Union level through a Directive2, transposed
by the Member States into their national legislation. We consider that the main
interest of this new legislative act lies not necessarily in the fact that the
Regulation is likely to bring significant transformations in the field of
personal data protection, but especially in the main novelties concerning the
sanctioning regime, which is regarded, given the amount of the
administrative penalties, as very severe.
We analyse here the questions that have subsequently arisen concerning the
infringements which will be sanctioned, the classification of the sanctions and their
amount, the conditions for the individualization of the administrative
fines, as well as the effective procedural safeguards, in accordance with the
general principles of European Union law and with the Charter of
Fundamental Rights of the European Union. Within this analysis we will identify
several answers to these questions and, last but not least, we will underline the
competence of the Member States, as well as the tasks and competences of the
competent independent supervisory authority with regard to the sanctioning
regime provided for in the Regulation.
Also, the conclusions of the analysis will refer both to the need
to know and respect the new provisions in the field of personal data
protection, particularly in order to avoid new sanctions such as those established in the
regulations, and to the need for the professionalization of such an
important field.
II. General considerations regarding GDPR
Since the entry into force of the Lisbon Treaty3, the right to personal data
protection has been a fundamental right within the European Union’s legal order,
including through the Charter of Fundamental Rights of the European
Union being given the same legal value as the treaties, the Charter regulating both
movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ
L119/04.05.2016).
2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement of
such data (OJ L281/23.11.1995).
3 Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the
European Community, signed at Lisbon, 13 December 2007 (OJ C306/17.12.2007), in force since 1
December 2009. The consolidated versions of TEU and TFEU are published (OJ C326/26.10.2012) and
can also be found online (http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:C2012/326/01&from=RO).
the right to respect for private and family life4, as well as the right to protection of
personal data5.
We showed in the introduction that the Regulation itself is not a
novelty in this field and that it establishes both provisions concerning the protection
of natural persons with regard to the processing of personal data, and provisions
concerning the free flow of personal data. We should also mention that, from its
very first article, the Regulation establishes the rule according to which it „protects
fundamental rights and freedoms of natural persons and in particular their right to
the protection of personal data”, but also the rule according to which “The free
movement of personal data within the Union shall be neither restricted nor
prohibited for reasons connected with the protection of natural persons with
regard to the processing of personal data”. The new Regulation has at its core these
two main fields, which intertwine and between which there must be proportionality
and a reasonable balance, so that the purpose of the Regulation can
be achieved. Besides, the Regulation expressly provides in its preamble
that its main goal is to adapt and update the principles and objectives
previously set by the Directive, so as to bring them into line with
technological advancements.
Since recent doctrine6 has analysed the path
taken at the level of the European Union’s institutions, from the Directive to the
Regulation, in regulating the protection of personal data7, we will not
detail these aspects further. We will nevertheless emphasize both general and
specific considerations which differentiate the Directive from the Regulation.
Hence, according to the provisions of art. 288 and 289 of TFEU, both the
directive and the Regulation are legislative acts adopted by the European
Parliament and by the Council of the European Union. Given that the directive is
mandatory for each recipient member state with regards to the expected result,
4 Please refer to the text of art.7 from the Charter of Fundamental Rights of the European Union.
5 Please refer to the text of art.8 from the Charter of Fundamental Rights of the European Union.
6 Please refer to, for example, I. Alexe, C. M. Banu, De la directivă la regulament în reglementarea
protecţiei datelor cu caracter personal la nivelul Uniunii Europene, in I. Alexe, N. D. Ploeşteanu, D. M.
Şandru (coord.), Protecţia datelor cu caracter personal, Ed. Universitară, Bucureşti, 2017, p. 14-40; N. D.
Ploeşteanu, A. Mariş, Viziunea Regulamentului general privind protecţia datelor personale
679/2016 (RGDP) într-o societate digitală, in I. Alexe, N. D. Ploeşteanu, D. M. Şandru (coord.), op. cit, p.
77-127. For a detailed analysis on the powers and the role of the Data Protection Authorities: P. Schütz,
The Set Up of Data Protection Authorities as a New Regulatory Approach, in S. Gutwirth, R.
Leenes, P. de Hert, Y. Poullet (Eds.), European Data Protection: In Good Health?, Springer, 2012, p. 125.
7 According to the provisions of art.4 (1) of GDPR, ‘personal data’ means any information relating to
an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that natural person;
leaving to the national authorities of the Member States the competence with
regard to the form and the means through which its provisions are transposed into
national legislation, multiple interpretations and applications
of the national norms arose, so that an uneven application regime was created
across the Member States of the European Union, and
the Court of Justice of the European Union (CJEU) was called upon to examine
such matters.
After a thorough evaluation of the Directive and of the case law of the
CJEU in the matter, and after several years of debate, the institutions of
the European Union decided to adopt a regulation in the field of
personal data protection, in order to ensure a uniform level of protection for
natural persons, to prevent discrepancies which were impeding
the free flow of data within the internal market, to achieve efficient
cooperation between the supervisory bodies, and to establish
equivalent sanctions across all the Member States. The Regulation, adopted in 2016,
provides a two-year enforcement term, in order to give the Member States, their
authorities, and the controllers the necessary time and the
possibility to prepare properly, from all points of view, for its
enforcement. The term for enforcement was set for 25 May 2018.
As opposed to the directive, the Regulation has general applicability, it is
mandatory in all its elements and it has direct applicability in all the member
states, hence it does not require national transposition laws.
The main novelties introduced by GDPR concern: uniformization of
the rules; fields of application; consolidation of the right to data protection;
extension of the safeguards for some of the existing rights; the establishment of some new
rights; safeguards for the protection of children and for private life online; new
rules assigning appropriate responsibility to the
controllers and the processors; the Data Protection Officer8; the role of the
independent supervisory bodies and the sanctioning regime.
Although the Regulation does not presuppose the adoption of national
transposition laws, we underline that, in the case of GDPR, some
Member States will need to adopt national laws particularizing
certain norms, on the basis of some articles of its text, especially with regard to
the competence of the Member States and the sanctioning regime; these norms
will be detailed further within this analysis.
We consider that, for a proper understanding of the regulatory intention,
but also of the Regulation per se, it is important to correlate the articles from the
8 On the obligation of the controller and of the processor to nominate a Data Protection Officer,
as well as concerning its role in the architecture of GDPR, please refer to: I. Alexe, Principalele noutăţi
privind responsabilul cu protecţia datelor, incluse în GDPR, in the process of being published.
Regulation with the texts of the considerations included in the preamble. To give
just one indication of their scale, we point out that the Regulation contains 99
articles, which are based on 173 considerations.
III. Tasks and competences of the supervisory authority, as well as the
competence of the Member States with regard to the sanctioning regime
The Regulation dedicates a special chapter (chapter VI) to the independent
supervisory authorities, and the texts describing the relationship between the
supervisory authority9 and the sanctioning regime are included in art. 51, 57
and 58.
It has been argued in the doctrine10 that an attempt was made in this field to
implement a system similar to the one in the competition field, both with
regard to the responsible national authorities, and especially with regard to the infringement
of the general interest protected at the level of the European Union.
We should also mention that, in order to understand the text of art. 51,
which establishes the rules for the supervisory authority, the texts of considerations (117),
(118), (119) and (123) of the preamble are of equal importance. Hence, every
Member State must have one or several independent supervisory
authorities, whose main task is the enforcement of the Regulation, in order to
protect the fundamental rights and freedoms of natural persons with regard to the use of
personal data and to facilitate the free flow of personal data
within the Union. To achieve this goal, rules have been established
according to which these authorities cooperate both with each other and with the
Commission, and the need for full independence of the
Member States’ supervisory authorities in completing all their tasks
and exercising all their powers is expressly underlined. Also, the preamble mentions the requirement of
direct mutual cooperation between the authorities, as well as with the
Commission, without the need for any further agreement between the Member States
on that cooperation or on the granting of mutual
assistance. We therefore consider it important to make this clarification in
order to underline the speed and flexibility of the procedures, especially in
situations in which it is necessary to act urgently in order to
ensure the protection of the rights and freedoms of natural persons.
Also, with regard to the competence of the Member States, the text of the
Regulation expressly provides that „Where more than one supervisory authority is
9 According to the provisions of art.4 (21) of GDPR, „supervisory authority” means an
independent public authority which is established by a Member State pursuant to Article 51.
10 D. M. Şandru, Regimul juridic al protecţiei datelor cu caracter personal este în proces de
regândire, in I. Alexe, N. D. Ploeşteanu, D. M. Şandru (coord.), op. cit, p. 272-278.
established in a Member State, that Member State shall designate the supervisory
authority which is to represent those authorities in the Board and shall set out the
mechanism to ensure compliance by the other authorities with the rules relating to
the consistency mechanism referred to in Article 63.”11. The Regulation also
obliges each Member State to notify the Commission, by the enforcement
of GDPR, of the internal provisions it has adopted and, without
delay, of any subsequent amendment affecting them.
We thus observe that, in this matter, the member states have three categories of
particular competencies: competency in designating the national supervisory
authority, competency in regulating the cooperation mechanism between
supervisory authorities when there are two or more such authorities, as well as the
competency of notification of the Commission.
The text of art. 57 sets out the tasks which every
supervisory authority has on its territory. These need to be analysed in correlation
with consideration (132) of the preamble, regarding the specific measures to be
undertaken by the authorities in order to raise public awareness, in
particular in the educational context.
Given that both the role of the authorities and their tasks are complex, we
chose to emphasize just a few of the tasks provided for in the cited article, in
order to understand the role of the supervisory authority in the sanctioning
regime, namely: monitoring and enforcement of the Regulation; promote public
awareness and understanding of the risks, rules, safeguards and rights in relation
to processing, especially in relation with activities addressed specifically to
children; advise, in accordance with Member State law, the national parliament,
the government, and other institutions and bodies on legislative and
administrative measures relating to the protection of natural persons' rights and
freedoms with regard to processing12; promote the awareness of controllers and
processors of their obligations under GDPR; handle complaints lodged by a data
subject, or by a body, organisation or association in accordance with Article 80, and
investigate, to the extent appropriate, the subject matter of the complaint and
inform the complainant of the progress and the outcome of the investigation
within a reasonable period, in particular if further investigation or coordination
with another supervisory authority is necessary; conduct investigations on the
application of this Regulation, including on the basis of information received from
another supervisory authority or other public authority; give advice on the
11 Please refer to the text of art.51 (3) of GDPR.
12 According to the provisions of art.4 (2) of GDPR, ‘processing’ means any operation or set of
operations which is performed on personal data or on sets of personal data, whether or not by automated means,
such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction;
processing operations, when the controller requires it, during the prior
consultation, before the processing; and keeping internal records of
infringements of the Regulation and of measures taken, especially with regard to
the warnings and reprimands issued. Other specific tasks concern the facilitation of
the submission of complaints, including by use of electronic forms, as well as the
performance of tasks by the supervisory authority free of charge for the data subject
and the data protection officer. Even so, GDPR establishes in the text of art.57 (4)
exceptions according to which the authority may refuse to act on the request or
may charge a reasonable fee, based on the administrative costs.
We therefore observe the myriad of tasks and we emphasize that,
in order to fulfil them, the supervisory authorities should be allocated by the
Member States the necessary resources: human, financial and logistical resources, as well as time.
We consider that, during the two-year term set for the enforcement of the
Regulation, the aforementioned resources should already have been allocated,
particularly given the need for professionalization and specialization not only of the
personnel of the controllers or of the processors, but especially of the supervisory
authorities.
The third article of GDPR of particular importance for our analysis is
article 58, which provides the types of powers of the supervisory authorities and whose
text needs to be analysed in correlation with consideration (129) of the
preamble. We therefore observe that the supervisory authority has three types of
powers: investigative powers, corrective powers and authorisation and advisory
powers.
A power newly granted to the supervisory authorities, and very important in
defining the sanctioning regime, needs to be emphasized: that of bringing
infringements of the Regulation to the attention of the judicial authorities or, if
appropriate, commencing or engaging in legal proceedings, in order to enforce the
provisions of the Regulation. Consideration (129) of the preamble explains this
new power and delimits it from the powers of the prosecutorial
authorities under Member State law, in the sense that it does not affect these
powers.
Closely linked to this new power of the supervisory authority, we mention the
texts of paragraphs (5) and (6) of art. 58, concerning the competence of the
Member States to particularize the text of the Regulation and to provide, by
legislative means, this competence for their own supervisory authority, as well as
other supplementary powers beyond the investigative powers, corrective powers
and authorisation and advisory powers.13
13 The particularization of these competencies in the Romanian law system is necessary,
especially for the controllers: Bird & Bird, Guide to the General Data Protection Regulation, May 2017,
p. 47-48 (https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird--bird--guide-to-the-general-
data-protection-regulation.pdf?la=en). For the regulation proposal in Ireland, (http://www.justice.ie/
The exercise of all the categories of powers is accompanied by appropriate
safeguards, including effective judicial remedy and due process, in accordance
with Union law. We will analyse, in the following sections, the classification of
the sanctions; the corrective powers, which presuppose, in our opinion, a gradual
approach and which are the subject of this study; the general
conditions for imposing administrative fines; and the effective procedural
safeguards.
IV. Classification of the sanctions and competence of the Member States
with regard to the establishment of the sanctioning regime
The Regulation does not expressly mention a classification of the sanctions, but
this classification results from the analysis of the text of art. 83 – General conditions
for imposing administrative fines and art. 84 – Sanctions, correlated with the texts
of considerations (148), (150) and (151), respectively with considerations (149) and
(150) from the preamble14.
In order to analyse the classification of the sanctions we take into consideration
several of the arguments invoked in the preamble, as follows:
(149) „Member States should be able to lay down the rules on criminal
penalties for infringements of this Regulation, including for infringements of
national rules adopted pursuant to and within the limits of this Regulation. Those
criminal penalties may also allow for the deprivation of the profits obtained
through infringements of this Regulation. However, the imposition of criminal
penalties for infringements of such national rules and of administrative penalties
should not lead to a breach of the principle of ne bis in idem, as interpreted by the
Court of Justice.
……
(151) The legal systems of Denmark and Estonia do not allow for
administrative fines as set out in this Regulation. The rules on administrative fines
may be applied in such a manner that in Denmark the fine is imposed by
competent national courts as a criminal penalty and in Estonia the fine is imposed
by the supervisory authority in the framework of a misdemeanour procedure,
provided that such an application of the rules in those Member States has an
en/JELR/Pages/PR17000155). Also, please take into consideration the Guidelines on the application
and setting of administrative fines for the purposes of the Regulation 2016/679 (http://ec.europa.eu/
newsroom/article29/item-detail.cfm?item_id=611237).
14 For differences and former regulation, please refer to: S. J. Golla, Is Data Protection Law
Growing Teeth: The Current Lack of Sanctions in Data Protection Law and Administrative Fines
under the GDPR, Journal of Intellectual Property, Information Technology and Electronic Commerce
Law, Vol. 8, 1/2017, p. 70.
equivalent effect to administrative fines imposed by supervisory authorities.
Therefore the competent national courts should take into account the
recommendation by the supervisory authority initiating the fine. In any event, the
fines imposed should be effective, proportionate and dissuasive.
(152) Where this Regulation does not harmonise administrative penalties or
where necessary in other cases, for example in cases of serious infringements of
this Regulation, Member States should implement a system which provides for
effective, proportionate and dissuasive penalties. The nature of such penalties,
criminal or administrative, should be determined by Member State law.”
Concerning the competence of the Member States to particularize the sanctioning
regime, the provisions of art. 83 are relevant, according to which each Member State
can lay down, without prejudice to the corrective powers of supervisory authorities, the
rules on whether and to what extent administrative fines may be imposed on public
authorities and bodies established in that Member State and, where the legal
system of the Member State does not provide for administrative fines, the rules to be
applied in such a manner that the fine is initiated by the competent supervisory
authority and imposed by competent national courts, while ensuring that those legal
remedies are effective and have an equivalent effect to the administrative fines
imposed by supervisory authorities, and that the fines imposed are effective,
proportionate and dissuasive.
In these situations, as well, the Member State shall notify the Commission
prior to the enforcement of GDPR and, subsequently and without delay, of any
amendment affecting them.
In conclusion to the aspects presented above, we
classify the sanctions applicable under GDPR into administrative fines provided
expressly by the Regulation, and fines and other applicable sanctions (including of
a criminal nature) established by Member State law.
V. Corrective measures, from issuing warnings to imposing administrative
fines or suspension of the data flows
As already mentioned, the corrective measures are adopted by the
supervisory authority in exercising the corrective powers expressly provided for
by the Regulation in paragraph (2) of art. 58. We consider that it is
not necessary to present the ten corrective measures and that it is far more
important to analyse their gradualness, whether they can be ordered only
individually or also cumulatively, and whether or not they are hierarchized with
regard to their enforcement.
It is interesting to observe the verbs and actions used for describing the
corrective measures: to issue warnings, to issue reprimands, to order the controller
or the processor to comply, to order the controller or the processor to
communicate, to impose a limitation, to order the rectification or erasure and the
notification, to withdraw a certification or to order the certification body to
withdraw a certification or not to issue certification, and, ending the list, to
impose an administrative fine and to order the suspension of data flows.
We therefore observe that the Regulation does not realise a hierarchization of
these measures by the chosen wording and topic, arranging the corrective
measures from those which can be applied in the case of minor infringements to
the more severe, in the case of major infringements. Also, it is important to
mention that these measures can be individualized for every case, by analysing the
specific conditions, and that an administrative fine, which itself constitutes
a corrective measure, may be imposed in addition to or instead of other
measures applied in the exercise of the other corrective powers provided for in
paragraph (2) of article 58.
We will next examine both the general conditions for imposing
administrative fines, and the safeguards provided by GDPR for the
exercise, by the supervisory authority, of the corrective powers.
VI. General conditions for imposing administrative fines
We previously mentioned that art. 83 of the Regulation establishes general
conditions for imposing administrative fines and makes reference to the
following aspects:15
1. imposing of administrative fines is, in every case, effective, proportionate
and dissuasive;
2. administrative fines are imposed in addition to, or instead of, measures
referred to in Art. 58(2);
3. when deciding whether to impose an administrative fine and on the amount of the
administrative fine in each individual case, due regard is given to several aspects
which will be detailed further below;
4. If a controller or processor, for the same or linked processing operations,
infringes several provisions of this Regulation, the total amount of the
administrative fine shall not exceed the amount specified for the gravest
infringement;
15 For a list of the sanctions: GDPR in Context: Remedies and Sanctions, elaborated by
Matheson.com (http://www.matheson.com/images/uploads/documents/GDPR_in_Context_-
_Remedies_and_Sanctions.pdf).
5. As to the amount of the administrative fines, certain infringements16
can be subject to administrative fines of up to 10 000 000 EUR, or in the case of an
undertaking, up to 2 % of the total worldwide annual turnover of the preceding
financial year, whichever is higher, while for other infringements17, the
administrative fines can be up to 20 000 000 EUR, or in the case of an undertaking,
up to 4 % of the total worldwide annual turnover of the preceding financial year,
whichever is higher;
6. each Member State may lay down the rules on whether and to what extent
administrative fines may be imposed on public authorities and bodies established
in that Member State;
7. the exercise by the supervisory authority of its powers takes place with the
appropriate procedural safeguards in accordance with Union and Member State
law;
8. Where the legal system of the Member State does not provide for
administrative fines, this Article 83 of the Regulation „may be applied in such a
manner that the fine is initiated by the competent supervisory authority and
imposed by competent national courts, while ensuring that those legal remedies
are effective and have an equivalent effect to the administrative fines imposed by
supervisory authorities. In any event, the fines imposed shall be effective,
proportionate and dissuasive. Those Member States shall notify to the Commission
the provisions of their laws which they adopt pursuant to this paragraph by 25
May 2018 and, without delay, any subsequent amendment law or amendment
affecting them.”18
As for the aforementioned condition concerning the aspects to be
taken into account when deciding whether to impose an administrative
fine, and when deciding on the amount of the administrative fine, it
should be emphasized that these are also detailed in the text of art. 83 (2) and
concern:
„(a) the nature, gravity and duration of the infringement taking into account
the nature scope or purpose of the processing concerned as well as the number of
data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage
suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into
account technical and organisational measures implemented by them pursuant to
Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
16 Provided for in art.83 (4).
17 Provided for in art.83 (5) and (6).
18 Please refer to the conditions provided in art. 83 (9).
(f) the degree of cooperation with the supervisory authority, in order to
remedy the infringement and mitigate the possible adverse effects of the
infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory
authority, in particular whether, and if so to what extent, the controller or
processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered
against the controller or processor concerned with regard to the same
subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved
certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances
of the case, such as financial benefits gained, or losses avoided, directly or
indirectly, from the infringement.”
We chose to quote the text of this paragraph in order to underline that the
individualization of the sanction, and also the amount of the administrative fine,
is strongly linked with the extent of the deliberate character of the infringement,
with the previous conduct of the person who committed the infringement, with the
extent of the negative effects of the infringement and with the amount of the
prejudice suffered by the data subject, as well as with the degree of cooperation
of the party responsible for the infringement with the supervisory authority.
VII. Procedural safeguards
With regard to ensuring and respecting an efficient system of procedural
safeguards, we should firstly reiterate the new competence of the national
authority, as well as the obligation of each Member State to provide, by
legislative means, that its supervisory authority has the power to initiate or to
engage in judicial proceedings, in order to enforce the provisions of the Regulation.
We also reiterate the fact that the exercise of the powers linked to imposing
administrative fines is subject to appropriate procedural safeguards in
accordance with Union and Member State law, and in accordance with the
Charter of Fundamental Rights of the European Union. These safeguards, which
must be appropriate and include effective legal remedies and fair trials, are
provided for in Chapter VIII of GDPR – Remedies, liability and penalties.
Hence, art. 77 – Right to lodge a complaint with a supervisory authority, which
needs to be analysed in correlation with the text of recital (141) of the
preamble, establishes both the rights of the data subject and obligations for the
supervisory authority.
Also, art. 78 - Right to an effective judicial remedy against a supervisory
authority, correlated with the text of recital (143), institutes both the content
of the right and the measures for its effective enforcement, as well as the
means of action where proceedings are brought against a decision of a
supervisory authority that was preceded by an opinion or a decision of the Board,
within the consistency mechanism19.
The right to an effective judicial remedy against a controller or processor is
regulated by the text of art. 79 and can be correlated with the text of recital
(145) of the preamble.
Apart from the regulation of these three rights to a remedy, we consider relevant
for our matter the text of art. 82 of the Regulation, correlated with the texts of
recitals (146) and (147) of the preamble, which acknowledges the right of a
person who has suffered material or moral prejudice as a result of processing that
infringes the Regulation to receive compensation from the controller or the
processor for the damage. Also, the same article institutes the responsibility of
the operator for the damage caused by infringements of GDPR, its conditions and
limitations, as well as the actions for compensation.
Another very important aspect, regulated as a novelty under GDPR, is
the right of the data subject „to mandate a not-for-profit body,
organisation or association which has been properly constituted in accordance
with the law of a Member State, has statutory objectives which are in the public
interest, and is active in the field of the protection of data subjects' rights and
freedoms with regard to the protection of their personal data to lodge the
complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78
and 79 on his or her behalf, and to exercise the right to receive compensation
referred to in Article 82 on his or her behalf where provided for by Member State
law”20. Also, the same article establishes the possibility for the Member States to
provide that any body, organisation or association may exercise ex officio the
respective rights (art. 77-79).
VIII. Conclusions
The Regulation will certainly be enforced starting with 25 May 2018.
GDPR aimed at making the regulation uniform, while also providing for
national specific norms. Are the Member States ready? The answer, at least with
regard to Romania, is not an affirmative one. We have not yet been able to identify
on the official website21 of the National Supervisory Authority for Personal Data
19 For further details please refer to the procedures provided for in art.63-66 of the Regulation.
20 For further details, please refer to, art. 89 (1) of the Regulation.
21 (http://www.dataprotection.ro/)
Processing, or in the Parliamentary procedure, any draft law under public debate
through which the aforementioned national specific norms would be adopted.
The time left until the enforcement is short and it should be underlined
that, in our opinion, the adoption by the Government of a possible Government
Emergency Ordinance in this field would not be opportune and would not
respect the constitutional requirements.
The sanctioning regime imposed by GDPR is one of the most severe at the level
of the European Union, and it was imposed specifically in order to lead to uniform
compliance with the provisions of the Regulation. We consider that the
controllers will have a choice between investing substantial amounts in order to
ensure data protection against unlawful processing and to ensure the free flow
of data, in accordance with the provisions of the Regulation, or investing these
amounts in the payment of possible administrative fines.
We underline the fact that appropriate procedural safeguards are attached to
the corrective measures, in order for the aim of the Regulation to be achieved. We
underline, in this context, the right of a data subject to mandate a not-for-profit
body, organisation or association to lodge the complaint on his or her behalf and to
exercise the rights referred to in Articles 77-79 and 82 of the Regulation on his or
her behalf.
Given the architecture of the Regulation, but also the way in which the national
authorities are enforcing their powers, we consider that administrative fines will
not be imposed starting with 25 May 2018, but rather other corrective measures.
Everything depends on the extent of the infringement, on the previous
conduct of the person who made the infringement, on the extent of the negative
of those who made the infringement, as well as on the conduct of the
supervisory authority.
Also, taking into consideration the myriad of tasks of the supervisory
authorities, but also of other public bodies, we reiterate the need for the
Member States to allocate to them the necessary resources, both human and
material, in order to ensure their functioning, including for the professionalisation
and training of the personnel.
It is not appropriate at this point to say to what extent the goals of the GDPR
will be fulfilled. The answers are to be identified once the Regulation is enforced,
with the possible help of national courts and with the help of the Court of
Justice of the European Union.
