GDPR: It is not just the fines!

Mari-Liis Orav, Partner of EuroCloud CPC Network

Even if a person knows nothing else about the GDPR, they usually know about the massive potential fines it brings: up to 20 000 000 EUR or 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Leaving compliance for compliance’s sake aside, it should be emphasized more that the fines are not the only elements of the GDPR that should motivate businesses to comply. This is especially true in Member States where the supervisory authorities have previously not been very fine-oriented and have preferred other means of achieving compliance.

Firstly, as for administrative means, it should be noted that the supervisory authorities have other powers besides issuing fines. These include the power to impose a temporary or definitive limitation on processing, including an outright ban. Depending on the circumstances, a ban on processing may have far worse consequences for a business than a fine, e.g. a (temporary) halt to the provision of services that depend on the data, to invoicing private persons or to delivering items to them.

Secondly, in addition to administrative means, there are civil remedies that both data subjects and business partners can use. These will usually include claims for damages, but also contractual penalties in business relationships.

Under the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. A processor is liable for the damage caused by processing only where it has not complied with the obligations of the GDPR specifically directed at processors, or where it has acted outside or contrary to the lawful instructions of the controller. A controller or processor is exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. Parties involved in the processing are jointly and severally liable, in order to ensure effective compensation of the data subject. Additionally, the concept of damage should be interpreted broadly in the light of the case-law of the Court of Justice, in a manner which fully reflects the objectives of the GDPR.

Given the broad-scale economic risks that the GDPR brings to anyone involved in the processing of personal data (including, indeed, the fines), it can well be expected that businesses will try to limit or share (depending on their point of view) their liability as much as possible. This will likely result in longer and harder contract negotiations, and in companies being less willing to sign or “agree” to contracts before carefully studying the “liabilities” section. Controllers are also more likely to choose processors that can prove compliance with the GDPR and have a better track record.

Article provided by: Mari-Liis Orav, Lawyer, PwC Legal (Estonia)
