Ir para o conteúdo principal
Logótipo da Comissão Europeia
Comissão Europeia

Enforcement

What is the role of the Data Protection Authority (DPA)?

Each Member State is obliged to establish one or more independent public authorities to monitor and enforce the application of the General Data Protection Regulation (GDPR). Those authorities, called ‘data protection authorities’ (DPAs), should enjoy complete independence when carrying out their tasks and using their powers.

One of the roles of the DPAs is to provide expert advice and promote awareness on data protection issues. They inform the general public and natural or legal persons processing personal data on the rights and obligations related to data protection and in particular the GDPR. 

One example is the task of the DPAs to establish and make public a list of processing operations that require a data protection impact assessment. Some DPAs have also established handbooks and other practical tools to help, for instance, businesses understand their obligations under the GDPR and individuals understand their rights.

In addition, the European Data Protection Board (EDPB), which is DPAs’ cooperation body at EU level, has produced a number of guidelines on the application for EU data protection legislation. The DPAs also advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to data protection.

To monitor the application of the GDPR, DPAs handle complaints on alleged breaches of the GDPR that individuals have submitted. They have powers to investigate the subject matter of a complaint and, in case of non-compliance with data protection rules, apply corrective measures to ensure that those rules are respected. 

The DPAs also have the task to generally follow developments in the society that affect the protection of personal data, and they can launch investigations on the application of data protection rules in individual cases also on their own initiative.

The DPAs have powers to order a company/organisation to provide any information they need to investigate a case where that company/organisation is involved and to obtain access to any premises or to any data processing equipment that the company/organisation uses when processing personal data.

References

Does a company/organisation need to consult or inform the DPA about processing data?

A company/organisation does not need to consult the DPA about the fact that it processes personal data.

However, prior consultation with the DPA is required when a data protection impact assessment (DPIA) indicates that the processing of the data would pose a high risk and residual risks remain despite the implementation of several safeguards.

A company/organisation must also contact the DPA in the case of a data breach. 

For some specific types of data processing, national laws might still require a company/organisation to obtain an authorisation from the DPA.

Example

A shop selling household goods processes client data, such as delivery addresses and billing details required in the nature of business. In this case the shop does not need to inform the DPA of the processing of this personal data as such processing cannot normally be considered resulting in a high risk to the rights of its clients. 

However, if the electronic database where the shop stores its clients’ personal data is compromised and the personal data are leaked to unauthorised users, you need to inform your DPA about that data breach within 72 hours, unless it is unlikely to result in a risk to the rights of its clients.

References

What is the European Data Protection Board (EDPB)?

The EDPB is an EU body in charge of the application of the GDPR. It is made up of the head of each DPA and of the European Data Protection Supervisor (EDPS) or their representatives. The European Commission takes part in the meetings of the EDPB without voting rights. The secretariat of the EDPB is provided by the EDPS.

The EDPB is at the centre of the data protection landscape in the EU. It ensures that the data protection law is applied consistently across the EU and that DPAs cooperate effectively in cross-border cases

The Board issues guidelines on the interpretation of core concepts of the GDPR and also rules by binding decisions on disputes regarding cross-border processing, ensuring therefore a uniform application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions.

References

What happens if my company processes data in different EU Member States?

The GDPR applies throughout the EU - one set of data protection rules for all EU Member States. In certain limited cases, EU Member States can further specify the application of the rules of the GDPR (for example employment rules; public health sector; rules on reconciliation between the right to freedom of expression and data protection).

The GDPR also introduces the so called ‘one-stop-shop’ mechanism, which ensures cooperation between the Data Protection Authorities (DPAs) in the case of cross-border processing.

If a company/organisation is processing personal data in different countries, the competent DPA – which will be the lead authority in its dealings with other concerned DPAs in the EU - is the DPA of the EU Member State where a company/organisation has its main establishment. 

This is identified as the company/organisation's central administration in the EU, unless decisions about the purposes and means of processing of personal data are taken in another establishment and that establishment has the power to implement those decisions.

If a company/organisation processes data in order to fulfil an obligation under the national law of an EU Member State, only the DPA of that EU Member State is competent.

Example

A textile company’s headquarters is in Italy. It has satellite shops in neighbouring countries, such as Malta, Greece, France and Austria. 

In those neighbouring countries, its satellite shops set up databases which process customers’ personal data for marketing purposes. However, the decisions on ‘how’, ‘when’ and ‘why’ to contact the said customers are taken at the headquarters in Italy. 

Thus, in this case, the decision on the processing of personal data for marketing purposes is deemed to be made in Italy, and the Italian DPA is the competent data protection authority.

References

Sanctions

What if a company/organisation fails to comply with the data protection rules?

The GDPR provides the Data Protection Authorities with different options in case of non-compliance with the data protection rules:

  • If the processing is likely to infringe the GDPR  a warning may be issued;
  • If the processing infringes the GDPR, the possibilities include a reprimand, a temporary or definitive ban on processing and a fine of up to €20 million or 4% of the business’s total annual worldwide turnover.

It is worth noting that in the case of an infringement, the DPA may impose a monetary fine instead of, or in addition to, the reprimand and/or ban on processing. 

Member States must also provide for rules on other penalties, notably criminal penalties, in particular for infringements that are not subject to administrative fines.

The authority must ensure that fines imposed in each individual case are effective, proportionate and dissuasive.

It will take into account a number of factors, such as the nature, gravity and duration of the infringement, its intentional or negligent character, any action a company/organisation has taken to mitigate the damage suffered by individuals, the degree of cooperation of a company/organisation, etc.

Example

A company sells online household material. Through its website, consumers can buy kitchen appliances, tables, chairs and other domestic goods by entering their bank details. 

The website suffered a cyber-attack leading to personal details being rendered available to the attacker. In this case, the lack of appropriate technical measures by the company seems to have been the cause of unauthorised access to customer data.

In this case, various factors will be considered by the DPA before deciding what corrective tool or tools to use, such as: 

  • How serious was the deficiency in the IT system? 
  • How long had the IT infrastructure been exposed to such a risk? 
  • Were tests carried out in the past to prevent such an attack? 
  • How many customers had their data stolen/disclosed? 
  • What type of personal data was affected – did it include sensitive data? 

References

Can a company/organisation be liable for damages?

Individuals can claim compensation if a company/organisation has infringed the GDPR and they have suffered material damages, such as financial loss or non-material damages, such as reputational loss or psychological distress as a direct consequence of such infringement. 

It is for the individual claiming for compensation to prove that a concrete damage has been suffered and that it results from an established breach of the GDPR. 

An infringement of the GDPR alone does not give rise to the right to compensation. Compensation can be claimed before the competent national courts. 

Proceedings are brought before the courts of the EU Member State where the company/organisation has an establishment or where the individual claiming compensation lives (habitual residence), in accordance with the national procedural law of that Member State. 

The rules for assessing the damage and deciding the amount of compensation to be granted are determined by national law.

References