Sanctions and penalties
Article 58 of the Applied GDPR sets out the following corrective powers:
- to issue:
  - warnings that intended processing operations are likely to infringe the Applied GDPR;
  - reprimands where processing operations have infringed the Applied GDPR;
- to order (enforcement notice):
  - compliance with the requests to exercise rights;
  - processing operations to be brought into compliance in a specified manner and timeframe;
  - communication of a personal data breach to a data subject;
  - suspension of data flows to a recipient in a third country;
  - rectification, restriction or erasure of data, and notification of recipients of the data of that action;
- to impose a temporary or definitive limitation including a ban on processing (enforcement notice);
- to withdraw a certification or to order the certification body to withdraw a certification if the requirements for the certification are not or no longer met (enforcement notice);
- to impose a penalty in addition to, or instead of, other measures referred to above (penalty notice).
Regulation 114 of the Implementing Regulations sets the maximum amount of a penalty at £1,000,000 in relation to an infringement of a provision of the Applied GDPR.
This includes non-compliance with any order made by the Commissioner or infringements of:
- the principles including conditions for consent;
- the data subjects’ rights;
- the obligations relating to transfers of personal data to a recipient in a third country or an international organisation;
- the accountability requirements;
- the data security requirements.
An appeal can be made to the Data Protection Tribunal against the imposition of sanctions and penalties by the Commissioner.
Failure to comply with notices - Contempt of court
Failure to comply with an information, enforcement, assessment or penalty notice may be certified to the High Court, which will treat the matter as contempt of court (Regulation 117 of the Implementing Regulations).