GDPR: It is not just the fines!


Even if a person does not know anything else about the GDPR, it usually knows about the massive potential fines the GDPR will bring about – up to 20 000 000 EUR or 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Leaving compliance for compliance’s sake aside, it should be emphasized more, however, that the fines are not the only elements under the GDPR that should motivate businesses to comply. That especially in Member States where the supervisory authorities have previously not been very fine-oriented and have preferred other means to achieve compliance.

Firstly, as for administrative means, it should be noted that the supervisory authorities have other powers besides that of issuing fines. This includes the power to impose a temporary or definitive limitation, including a ban, on processing. Given the circumstances, a ban on processing may often result in far worse consequences for businesses than a fine, e.g. (temporarily) halt provision of services related to data, invoicing private persons or delivery of items to private persons. 

Secondly, in addition to administrative means, there are civil remedies that both data subjects as well as business partners can use. These will usually include claims for damages, but also contractual penalties in business relationships. 

Under the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. Parties involved in processing are jointly and severally liable in order to ensure effective compensation of the data subject. Additionally, the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of the GDPR. 

Given the broad-scale economic risks that the GDPR will bring about to anyone involved in the processing of personal data (including, indeed, the fines), it can well be expected that businesses will try to limit or share (depending on their point of view) their liability as much as possible. This will likely result in longer and harder contract negotiations and companies being less likely to sign or “agree” to contracts before carefully studying the “liabilities” section thereof. Also, controllers are more likely to choose processors that can prove compliance with the GDPR and have a better track-record.


Article provided by: Mari-Liis Orav, Lawyer, PwC Legal (Estonia)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.