The number of financial sanctions imposed by European supervisory authorities on companies after less than one year of application of the General Data Protection Regulation (GDPR) has made it clear that the EU pays close attention to respect for its citizens' data security and privacy rights.
The educational approach to GDPR compliance

Each Member State has one or more independent supervisory authorities (data protection authorities, DPAs) responsible for ensuring compliance with the fundamental principles of personal data protection at national level.
They can carry out verifications at the organisation's premises or online. Checks are carried out on the basis of annual programmes, complaints received, or information reported in the media. In countries where data privacy regulation has historically been strict, the fundamental principles of data protection remain largely unchanged under the GDPR (data security, fair processing, retention periods, etc.) and therefore continue to be rigorously checked by the data protection authorities.
On the other hand, the new obligations and rights introduced by the GDPR are subject to investigation and remediation controls that are, so far, mostly non-punitive. The goal is to help organisations understand the issues, the operational implementation of the new provisions, and the benefits of compliance.
During the first months of the new European privacy framework, the national privacy authorities have done a tremendous amount of pedagogical work: educating companies and raising GDPR awareness across the various sectors of activity, and publishing concrete fact sheets on privacy rights, security guides, and impact assessment (DPIA) methodologies.
In Belgium, since 25 May 2018, the Data Protection Authority (DPA) has been the successor to the Commission for the Protection of Privacy (better known as the "Privacy Commission").
What are the latest sanctions and warnings under GDPR?

Except in cases of serious data breaches or deliberate bad faith, national supervisory authorities have tended to alert, support and accompany companies towards GDPR compliance rather than impose the maximum fines of up to EUR 20 million or 4% of the company's worldwide annual turnover, whichever is higher.
These corrective powers, such as issuing warnings of non-compliance, carrying out audits, requiring specific remediation within a set time frame, ordering the erasure of data, and suspending data transfers to a third country, are readily available to the supervisory authorities and supplement the new set of administrative fines.
Nonetheless, some decisions have already broken records in the amount of fines imposed for breaching data protection principles. Among the many pending national complaints and fine proceedings, a number of sanctions have already been imposed. The following table provides a non-exhaustive, regularly updated list of sanctions imposed by national European authorities and courts on non-compliant organisations.
The up-to-date list of recent GDPR Enforcement Actions
The general obligation of the controller is to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of European individuals' personal data is carried out in accordance with the GDPR.