Article 58 GDPR. Powers

[…]

2. Each supervisory authority shall have all of the following corrective powers:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e) to order the controller to communicate a personal data breach to the data subject;

(f) to impose a temporary or definitive limitation including a ban on processing;

(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

[…]

(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679

Duration of the infringement may be illustrative of, for example:

a) wilful conduct on the data controller’s part, or

b) failure to take appropriate preventive measures, or

c) inability to put in place the required technical and organisational measures.

(b) the intentional or negligent character of the infringement

Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679

Circumstances indicative of intentional breaches might be unlawful processing authorised explicitly by the top management hierarchy of the controller, or in spite of advice from the data protection officer or in disregard for existing policies, for example obtaining and processing data about employees at a competitor with an intention to discredit that competitor in the market.

Other examples here might be:

• amending personal data to give a misleading (positive) impression about whether targets have been met – we have seen this in the context of targets for hospital waiting times

• the trade of personal data for marketing purpose ie selling data as ‘opted in’ without checking/disregarding data subjects’ views about how their data should be used

Other circumstances, such as failure to read and abide by existing policies, human error, failure to check for personal data in information published, failure to apply technical updates in a timely manner, failure to adopt policies (rather than simply failure to apply them)may be indicative of negligence.

Article 25 GDPR. Data protection by design and by default

Article 32 GDPR. Security of processing

Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679

(e) any relevant previous infringements by the controller or processor;

The supervisory authority should assess:

• Has the controller/processor committed the same infringement earlier?

• Has the controller/ processor committed an infringement of the Regulation in the same manner? (for example as a consequence of insufficient knowledge of existing routines in the organisation, or as a consequence of inappropriate risk assessment, not being responsive to requests from the data subject in a timely manner, unjustified delay in responding to requests and so on).

Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679

(g) the categories of the personal data affected by the infringement;

Some examples of key questions that the supervisory authority may find it necessary to answer here, if appropriate to the case, are:

• Does the infringement concern processing of special categories of data set out in articles 9 or 10 of the Regulation?

• Is the data directly identifiable/ indirectly identifiable?

• Does the processing involve data whose dissemination would cause immediate damage/distress to the individual (which falls outside the category of article 9 or 10)?

• Is the data directly available without technical protections, or is it encrypted [13]?

_{[13] It shouldn’t always be considered ‘a bonus’ mitigating factor that the breach only concerns indirectly identifiable or even pseudonymous/encrypted data. For those breaches, an overall assessment of the other criteria might give a moderate or strong indication that a fine should be imposed.}

Article 58 GDPR. Powers

[…]

2. Each supervisory authority shall have all of the following corrective powers:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e) to order the controller to communicate a personal data breach to the data subject;

(f) to impose a temporary or definitive limitation including a ban on processing;

(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

[…]

Article 40 GDPR. Codes of conduct

Article 42 GDPR. Certification

Article 11 GDPR. Processing which does not require identification

Article 25 GDPR. Data protection by design and by default

Article 26 GDPR. Joint controllers

Article 27 GDPR. Representatives of controllers or processors not established in the Union

Article 28 GDPR. Processor

Article 29 GDPR. Processing under the authority of the controller or processor

Article 30 GDPR. Records of processing activities

Article 31 GDPR. Cooperation with the supervisory authority

Article 32 GDPR. Security of processing

Article 33 GDPR. Notification of a personal data breach to the supervisory authority

Article 34 GDPR. Communication of a personal data breach to the data subject

Article 35 GDPR. Data protection impact assessment

Article 36 GDPR. Prior consultation

Article 37 GDPR. Designation of the data protection officer

Article 38 GDPR. Position of the data protection officer

Article 39 GDPR. Tasks of the data protection officer

Article 42 GDPR. Certification

Article 43 GDPR. Certification bodies

Article 42 GDPR. Certification

Article 43 GDPR. Certification bodies

Article 41 GDPR. Monitoring of approved codes of conduct

[…]

4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

[…]

Article 5 GDPR. Principles relating to processing of personal data

Article 6 GDPR. Lawfulness of processing

Article 7 GDPR. Conditions for consent

Article 9 GDPR. Processing of special categories of personal data

Article 12 GDPR. Transparent information, communication and modalities for the exercise of the rights of the data subject

Article 13 GDPR. Information to be provided where personal data are collected from the data subject

Article 15 GDPR. Right of access by the data subject

Article 16 GDPR. Right to rectification

Article 17 GDPR. Right to erasure (‘right to be forgotten’)

Article 18 GDPR. Right to restriction of processing

Article 19 GDPR. Notification obligation regarding rectification or erasure of personal data or restriction of processing

Article 20 GDPR. Right to data portability

Article 21 GDPR. Right to object

Article 22 GDPR. Automated individual decision-making, including profiling

Article 44 GDPR. General principle for transfers

Article 45 GDPR. Transfers on the basis of an adequacy decision

Article 46 GDPR. Transfers subject to appropriate safeguards

Article 47 GDPR. Binding corporate rules

Article 48 GDPR. Transfers or disclosures not authorised by Union law

Article 49 GDPR. Derogations for specific situations

Article 58 GDPR. Powers

1. Each supervisory authority shall have all of the following investigative powers:

2. Each supervisory authority shall have all of the following corrective powers:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e) to order the controller to communicate a personal data breach to the data subject;

(f) to impose a temporary or definitive limitation including a ban on processing;

(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

[…]

Article 58 GDPR. Powers

2. Each supervisory authority shall have all of the following corrective powers:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e) to order the controller to communicate a personal data breach to the data subject;

(f) to impose a temporary or definitive limitation including a ban on processing;

(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

Article 58 GDPR. Powers

[…]

2. Each supervisory authority shall have all of the following corrective powers:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e) to order the controller to communicate a personal data breach to the data subject;

(f) to impose a temporary or definitive limitation including a ban on processing;

(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

[…]