Sanctions and penalties
Sanctions
Article 58 of the Applied GDPR sets out the following corrective powers:
- to issue:
  - warnings that intended processing operations are likely to infringe the Applied GDPR;
  - reprimands where processing operations have infringed the Applied GDPR;
- to order:
  - compliance with the requests to exercise rights;
  - processing operations to be brought into compliance in a specified manner and timeframe;
  - communication of a personal data breach to a data subject;
  - suspension of data flows to a recipient in a third country;
  - rectification, restriction or erasure of data, and notification of recipients of the data of that action;
- to impose a temporary or definitive limitation, including a ban on processing;
- to withdraw a certification or to order the certification body to withdraw a certification if the requirements for the certification are not or no longer met;
- to impose a penalty in addition to, or instead of, other measures referred to above.
Penalties
Regulation 114 of the Implementing Regulations sets the maximum amount of a penalty at £1,000,000 in relation to an infringement of a provision of the Applied GDPR.
This includes non-compliance with any order made by the Commissioner or infringements of:
- the principles, including conditions for consent;
- the data subjects’ rights;
- the obligations relating to transfers of personal data to a recipient in a third country or an international organisation;
- the accountability requirements;
- the data security requirements.
An appeal can be made to the Data Protection Tribunal against the imposition of sanctions and penalties by the Commissioner.