Sanctions and penalties
Article 58 of the Applied GDPR sets out the following corrective powers:
- to issue:
- warnings that intended processing operations are likely to infringe the Applied GDPR;
- reprimands where processing operations have infringed the Applied GDPR;
- to order:
- compliance with the requests to exercise rights;
- processing operations to be brought into compliance in a specified manner and timeframe;
- communication of a personal data breach to a data subject;
- suspension of data flows to a recipient in a third country;
- rectification, restriction or erasure of data and notify recipients of the data of that action;
- to impose a temporary or definitive limitation including a ban on processing
- to withdraw a certification or to order the certification body to withdraw a certification if the requirements for the certification are not or no longer met.
- to impose a penalty in addition to, or instead of, other measures referred to above.
Regulation 114 of the Implementing Regulations sets the maximum amount of a penalty at £1,000,000 in relation to an infringement of a provision of the Applied GDPR.
This includes non-compliance with any order made by the Commissioner or infringements of
- the principles including conditions for consent;
- the data subjects’ rights;
- the obligations relating to transfers of personal data to a recipient in a third country or an international organisation.
- the accountability requirements
- the data security requirements
An appeal can be made to the Data Protection Tribunal against the imposition of sanctions and penalties by the Commissioner.