The Applicable Sanctions for the Violation of the GDPR and of Law no. 190/2018

Why does the GDPR cause so many headaches? Most likely because of the severe sanctions that a violation of the General Data Protection Regulation and of the law on the implementation of the Regulation entails, which is what prompts managers to comply.

The Regulation establishes two types of sanctions: corrective sanctions and administrative fines.

According to the GDPR, “infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10.000.000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the obligations of the controller and the processor pursuant to art. 8, 11, 25 to 39 and 42 and 43;

(b) the obligations of the certification body pursuant to art. 42 and 43”

According to the same Regulation (GDPR), “infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20.000.000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the basic principles for processing, including conditions for consent, pursuant to art. 5, 6, 7 and 9;

(b) the data subjects’ rights pursuant to art. 12 to 22;

(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to art. 44 to 49;

(d) any obligations pursuant to Member State law adopted under Chapter IX;

(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to art. 58(2) or failure to provide access in violation of art. 58(1).

Non-compliance with an order by the supervisory authority, as referred to in art. 58(2), shall, in accordance with paragraph 2 of this article, be subject to administrative fines up to 20.000.000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”

At the same time, the GDPR allows Member States to establish any other types of sanctions, which will be established through the national law of each Member State (see art. 84 and art. 9, paragraph 4).

In Romania, on Tuesday, July 17, 2018, President Klaus Iohannis passed the law on the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which establishes further corrective measures applicable to public authorities and institutions, namely:

A fine between 10.000 and 100.000 lei is applied for the violation by public authorities / bodies of the provisions of the General Data Protection Regulation regarding:

  a) the obligations of the controller and the processor (the law's "operator" and "person empowered by the operator") in accordance with art. 8, 11, 25-39, 42 and 43;
  b) the obligations of the certification body according to art. 42 and 43;
  c) the obligations of the monitoring body according to art. 41 par. (4).

Moreover, a violation of the provisions of art. 3 to 7 of this law by public authorities / bodies constitutes a contravention.

See Article 12, paragraphs 2 to 4 of the Law.

A fine between 10.000 and 200.000 lei is applied for the violation by public authorities / bodies of the provisions of the General Data Protection Regulation regarding:

  a) the basic principles for processing, including the conditions for consent, in accordance with art. 5, 6, 7 and 9;
  b) the rights of the data subjects in accordance with art. 12-22;
  c) the transfer of personal data to a recipient in a third country or an international organization in accordance with art. 44-49;
  d) any obligations under national law adopted on the basis of Chapter IX;
  e) failure to comply with a decision or a temporary or definitive limitation on processing, or a suspension of data flows, issued by ANSPDCP (the Romanian supervisory authority) according to art. 58 par. (2), or failure to grant access, in violation of the provisions of art. 58 par. (1).

See Article 12, paragraphs 5 and 6 of the Law.

A fine between 10.000 and 200.000 lei is applied for the violation by public authorities / bodies of a decision issued by ANSPDCP according to art. 58 par. (2), read in conjunction with art. 83 par. (2) of the General Data Protection Regulation.

See Article 12, paragraphs 7 and 8 of the Law.

The Sanctions Applicable in Case of Violation of the GDPR Regulation and of Law 190/2018

Why does the GDPR cause so many headaches? Most likely because of the heavy sanctions that a violation of the General Data Protection Regulation and of the law on measures to implement the Regulation entails, which prompts managers to comply.

The Regulation establishes two types of sanctions for contraventions: corrective sanctions and administrative fines.

According to the GDPR, for “infringements of the following provisions, in accordance with paragraph (2), administrative fines of up to 10 000 000 EUR shall apply or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the obligations of the controller and of the processor pursuant to Articles 8, 11, 25-39, 42 and 43;

(b) the obligations of the certification body pursuant to Articles 42 and 43; (c) the obligations of the monitoring body pursuant to Article 41(4).”

According to the same Regulation (GDPR), for infringements of the following provisions, in accordance with paragraph (2), administrative fines of up to 20 000 000 EUR shall apply or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the basic principles for processing, including the conditions for consent, pursuant to Articles 5, 6, 7 and 9;

(b) the rights of the data subjects pursuant to Articles 12-22;

(c) the transfers of personal data to a recipient in a third country or an international organisation, pursuant to Articles 44-49;

(d) any obligations under national legislation adopted on the basis of Chapter IX;

(e) non-compliance with an order or a temporary or definitive limitation on processing, or a suspension of data flows, issued by the supervisory authority pursuant to Article 58(2), or failure to grant access, in violation of Article 58(1).

For non-compliance with an order issued by the supervisory authority pursuant to Article 58(2), in accordance with paragraph (2) of this Article, administrative fines of up to 20 000 000 EUR shall apply or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

At the same time, the GDPR Regulation allows Member States to establish other types of sanctions as well, to be established through the national law of each Member State (see art. 84 and art. 9 par. 4).

In Romania, on Tuesday, 17 July 2018, President Klaus Iohannis approved the law on measures to implement Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which establishes other corrective measures applicable to public authorities and institutions, namely:

  a) the obligations of the controller and of the processor in accordance with art. 8, 11, 25-39, 42 and 43;
  b) the obligations of the certification body in accordance with art. 42 and 43;
  c) the obligations of the monitoring body in accordance with art. 41 par. (4).

In addition, a violation by public authorities / bodies of the provisions of art. 3 to 7 of this law constitutes a contravention (and the same fine applies).

See Art. 12 par. 2-4 of the Law.

  • a fine of 10.000 lei up to 200.000 lei is applied for the violation by public authorities / bodies of the following provisions of the General Data Protection Regulation, regarding:
  a) the basic principles for processing, including the conditions for consent, in accordance with art. 5, 6, 7 and 9;
  b) the rights of the data subjects in accordance with art. 12-22;
  c) the transfers of personal data to a recipient in a third country or an international organisation, in accordance with art. 44-49;
  d) any obligations under national legislation adopted on the basis of Chapter IX;
  e) failure to comply with a decision or a temporary or definitive limitation on processing, or a suspension of data flows, issued by ANSPDCP pursuant to art. 58 par. (2), or failure to grant access, in violation of the provisions of art. 58 par. (1).

See Art. 12 par. 5 and 6 of the Law.

  • a fine of 10.000 lei up to 200.000 lei is applied for the violation by public authorities / bodies of a decision issued by ANSPDCP in accordance with art. 58 par. (2), read in conjunction with art. 83 par. (2) of the General Data Protection Regulation.

See Art. 12 par. 7 and 8 of the Law.