GDPR enforcement and compliance mechanisms

Naturally, any regulation which outlines rights for data subjects and responsibilities for data controllers and processors needs enforcement and compliance mechanisms.

Enforcement & Compliance structure

In each member state there is a national supervisory authority, which is the first port of call in that territory for GDPR enforcement. These national authorities are assigned specific tasks as well as a number of investigative, corrective and advisory powers when overseeing organisations in their own territory. In addition to their own oversight work, they facilitate the submission of complaints by data subjects. This includes making available an electronic complaint form, and they have an obligation to inform the complainant about the progress and the outcome of any resultant investigation.

When individual national supervisory authorities face a cross-border case, there is the possibility of gridlock, with different authorities taking different approaches. In Article 56 the GDPR solves that problem with the concept of a lead supervisory authority (LSA) for cross-border cases. The LSA is typically the authority competent to supervise the main establishment of a data controller or processor whose activities span several Member States.

To ensure the consistent application of the GDPR throughout the EU, an important role will be played by the European Data Protection Board (the Board). The Board is composed of the heads of the national supervisory authorities, the European Data Protection Supervisor (EDPS) and a non-voting EU Commission representative. Its primary role is to ensure the consistent application of the GDPR; to do so impartially, it is established as an independent body with its own legal personality.

In addition, the Board has other powers. It advises the Commission, in particular on the level of protection offered by third countries or international organisations, and promotes cooperation between national supervisory authorities. So far (December 2017) the Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection for the processing of EU citizens' data.

Enforcement & Compliance

Chapter VIII of the GDPR outlines how both controllers and processors are legally liable for activities which infringe the GDPR. Specifically, a controller is liable for all damages caused by processing activities. A processor is only liable for not complying with its obligations or for acting outside or contrary to the lawful instructions of a controller.

To underline the seriousness of these liabilities, administrative fines of up to 20 million euro or 4% of the undertaking's total worldwide annual turnover of the previous financial year, depending on the circumstances, may be levied (Article 83). The principle is that the penalty in each specific case should be proportionate to the infringement while at the same time being effective and dissuasive.