Ease of appeals and severity of sanctions
Excerpt from Bruno DUMAY's book: GDPR DECRYPTION – For Managers, Strategic Departments and employees of companies and organizations – Preface by Gaëlle MONTEILLER
Despite its intelligence and coherence, despite the unity of all the countries of the European Union in making its provisions known and enforced, the GDPR, like any regulation, would lack credibility, and therefore effectiveness, if it were not accompanied by the possibility of significant sanctions in the event of non-compliance by those who are supposed to apply it.
True to the precedence they give to individuals over organizations, the drafters have provided for remedies that are simple to use and likely to lead to findings of infringement and sanctions where misconduct is proven. Article 77 is clear in this regard: "... every data subject shall have the right to lodge a complaint with a supervisory authority... if the data subject considers that the processing of personal data relating to him or her infringes this Regulation." And if the supervisory authority's decision does not satisfy the data subject, or if the authority fails to handle the complaint or to report on its progress or outcome within three months, the data subject can then seek a judicial remedy (Article 78).
But the action can also be brought directly against the controller. The title of Article 79 leaves no ambiguity in this regard: "Right to an effective judicial remedy against a controller or processor." Paragraph 1 specifies: "...every data subject has the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been violated...".
We can therefore see that it is very easy to initiate action, first administrative and then possibly judicial, against an entity and/or a person who processes data. It is enough for a data subject to "consider" that the processing was not compliant in order to act. He or she can act alone or be represented by "a not-for-profit body, organisation or association... whose statutory objectives are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms..." (art. 80-1). Better still, "Member States may provide that any body, organisation or association..., independently of a data subject's mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority..." (art. 80-2). In other words, the GDPR leaves it up to Member States to give a specialized structure the right to initiate proceedings on its own initiative, even when no individual has referred the matter to it.
These provisions also leave the door open to class actions, already introduced in France by the Hamon law of 2014 and then by the law of 18 November 2016 on the "modernisation of justice in the 21st century". The latter law only allows an action seeking the cessation of the breach. The GDPR opens up the possibility of compensation, even if this appears more individual than collective.
Indeed, after the right of appeal, the right to compensation is in turn established: "Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered" (art. 82-1).
Who will pay for this compensation? Things are clear: "Any controller involved in the processing shall be liable for damage caused by processing that constitutes a violation of this Regulation. A processor shall be held liable for damage caused by processing only if it has not complied with the obligations laid down in this Regulation" (Art. 82-2). Either party can still demonstrate the absence of fault: "A controller or a processor shall be exempt from liability under paragraph 2 if it proves that the event that caused the damage is in no way attributable to it" (Art. 82-3).
When several actors are involved, "each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject" (art. 82-4). The actor that pays can then recover from the others: "Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage" (art. 82-5).
Now that responsibilities have been established, how can sanctions be imposed? The supervisory authority has all the necessary powers to call a data controller or processor to order, including imposing a limitation or prohibition on processing, ordering the rectification or erasure of personal data, suspending transfers, withdrawing certification, and imposing an administrative fine (Article 58-2).
Article 83 sets out the conditions for administrative fines, which must be "proportionate and dissuasive" (art. 83-1). The 11 criteria listed in paragraph 2 of the article for "deciding whether to impose an administrative fine" show that each penalty will be determined case by case, taking into account, of course, "whether the infringement was committed intentionally or negligently." Paragraphs 4 and 5 list the various possible infringements and set the maximum fines: up to €10,000,000 or, for an undertaking, 2% of its total worldwide annual turnover for the infringements in paragraph 4, and up to €20,000,000 or 4% of that turnover for those in paragraph 5, whichever amount is higher in each case. Suffice it to say that fines of such an amount can seriously undermine the stability of a company (for the record, the maximum penalties applied by the CNIL in recent years amounted to €150,000).
As for the remedies that could be requested, and obtained, in the event of legal action, whether against the decision of the supervisory authority or against the controller or the processor, we can assume that they will also be "proportionate and dissuasive" (the pairing may sound like an oxymoron, but in the spirit of the GDPR it clearly is not).
The supervisory authority is therefore all-powerful, which incidentally makes this type of body an institution combining three powers that large democracies usually keep separate: legislative (even if it only proposes the law), executive and judicial. Mere failure to comply with an order issued by the supervisory authority under Article 58-2 may result in the maximum fine (Art. 83-5). In the case of cross-border processing, the sanction is adopted by the lead supervisory authority in cooperation with the other supervisory authorities concerned (the cooperation mechanism of Article 60).
Other sanctions, "in particular for violations which are not subject to the administrative fines provided for in Article 83", may be decided by the Member States (Art. 84-1).
Let us once again recall the basic principle: everyone must retain ownership and control of their personal data. Any organization that violates this principle may be sanctioned.