Leaving compliance for compliance’s sake aside, it should be emphasized more, however, that the fines are not the only elements under the GDPR that should motivate businesses to comply. That especially in Member States where the supervisory authorities have previously not been very fine-oriented and have preferred other means to achieve compliance.
Firstly, as for administrative means, it should be noted that the supervisory authorities have other powers besides that of issuing fines. This includes the power to impose a temporary or definitive limitation, including a ban, on processing. Given the circumstances, a ban on processing may often result in far worse consequences for businesses than a fine, e.g. (temporarily) halt provision of services related to data, invoicing private persons or delivery of items to private persons.
Secondly, in addition to administrative means, there are civil remedies that both data subjects as well as business partners can use. These will usually include claims for damages, but also contractual penalties in business relationships.
Under the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. Parties involved in processing are jointly and severally liable in order to ensure effective compensation of the data subject. Additionally, the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of the GDPR.
Given the broad-scale economic risks that the GDPR will bring about to anyone involved in the processing of personal data (including, indeed, the fines), it can well be expected that businesses will try to limit or share (depending on their point of view) their liability as much as possible. This will likely result in longer and harder contract negotiations and companies being less likely to sign or “agree” to contracts before carefully studying the “liabilities” section thereof. Also, controllers are more likely to choose processors that can prove compliance with the GDPR and have a better track-record.
Article provided by: Mari-Liis Orav, Lawyer, PwC Legal (Estonia)