Fines under the GDPR

EasyChair Preprint 582

Abstract

The introduction of substantial fines for infringements in Article 83 GDPR constitutes an important development of European data protection law. This article discusses the innovation in comparison to the previous directive, with a special emphasis on the inspiration the EU rules and practice of fining in Competition law contain for the fining under GDPR. It first sets out thoughts on the purpose of fines and the structure of Article 83 GDPR. Next it demonstrates how competition law is inspiring the fining rules under GDPR and why DPAs are under a general duty to impose fines. It then discusses considerations on the amounts of fines and the special case of Cumulation of infringements as well as the notion of "the undertaking", so important both in competition law and the GDPR. As a reminder of past incoherence rather than as a starting point for future fining practices, the article closes by reviewing the diversity of fines under the previous directive and ends with a call on the Data Protection Board to quickly establish a publicly accessible database on fines imposed by DPAs, in order to create the transparency necessary to ensure a coherent application of the GDPR across the European Union. In the conclusion, this Articles calls on DPAs to learn from Competition law and to acquire the skills necessary for rigorous fining bringing about the necessary deterrent effect.

Keyphrases: Enforcement, GDPR, competition law, data protection law, fines, sanctions

@booklet{EasyChair:582,
  author    = {Paul Nemitz},
  title     = {Fines under the GDPR},
  howpublished = {EasyChair Preprint 582},
  year      = {EasyChair, 2018}}